Mobile game forensics

Posted 2020-09-14 Pieces0310

My friend Carrie\'d like to know "Garena 传说对决" violates any mobile risks such as insecure data storage or sensitive data disclosure . Let\'s take a look at this very popular mobile game "Garena 传说对决" . It would be very interesting~

 

Carrie\'s confused about "Certificate Pinning". Let me show you how to verify  "Certificate Pinning". Use a proxy server to intecept any sensitive data when user log in.

 

Nothing found and only an error occurs. Good job~

 

Let me show you the SSL handshake.

 

Second we take a look at its encryption method and key. It\'s AES 128bit encryption, but what happen to the key??? Poor lazy developers, she/he must be a funny guy~

 

 

Furthermore we extract its folder and take a look inside it.

 

Look! Account name in plaintext found in cache.db-wal. Fortunely password is encrypted. Nice job~

 

Anything else? E-mail address in plaintext!

 

No way gps location found! Why Garena needs to know where user live? That\'s too much. It\'s my privacy!!!

 

Garena does well on "Certificate Pinning" but it should take user\'s privacy into account. Don\'t leave those sensitive personal data in plaintext on any plist or database files. At least Garena should encrypt those data. And most important of all, don\'t collect my gps location. No need to know where users live. It\'s none of your business. Concentrate on improving your game to make it more attractive and secure. That\'s what Garena should do.