Uncovering security practices by reverse engineering apps and games

One of the things you have to think about when developing your mobile app or game is security. If your app relies on a server, the api is an obvious source of potential security vulnerabilities and should be a concern to any concientious developer. There’s a lot of articles with solutions to the typical issues of dealing with passwords and logins, but I’ve been finding it hard to find ones on how to deal with things like preventing cheating, restricting api access to only the official client, and preventing users from faking game scores and premium features. There’s no obvious standard way of implementing these measures. Perhaps people with experience are not willing to blog about it and thereby expose their security measures.

I’ve found that one source of useful information are articles by people who have reverse engineered mobile apps and games. It’s interesting and educational to see how published apps implement their security and also how they fare against efforts to reverse engineer them. Obviously, these articles will only describe successful attempts at bypassing security measures, so you might not be learning the best practices. Nevertheless, they are a useful source of ideas.

Here are some interesting articles that I’ve found useful:

Instagram’s public api forbids media uploads. This guy figured out how the instagram app signed api requests in order to gain access to instagram’s private api. He also decompiled the instagram android app to uncover the secret key.

This guy took advantage of the lack of server side checks to give himself infinite lives by modifying the json of an http request made to the server. He also uncovered a checksum field in the request body that is used for server side verification when a level score is submitted. It is basically the first six characters of the MD5 of the following parameter string: “episodeId:levelId:score:timeLeftPercent:userId:seed:secretkey”

This guy discovered that the Letterpress’ dictionary and word check is stored and performed locally on your phone. There doesn’t seem to be any server side validation, so any made up word can be added to the dictionary to make winning a piece of cake.

This guy spied on the requests the trivia crack facebook game was making to reverse engineer their api. He found that trivia crack sends the answer to each question in clear text in the http response.