Mobile game forensics

Posted Pieces0310

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Mobile game forensics相关的知识,希望对你有一定的参考价值。

My friend Carrie\'d like to know "Garena 传说对决" violates any mobile risks such as insecure data storage or sensitive data disclosure . Let\'s take a look at this very popular mobile game "Garena 传说对决" . It would be very interesting~

 

Carrie\'s confused about "Certificate Pinning". Let me show you how to verify  "Certificate Pinning". Use a proxy server to intecept any sensitive data when user log in.

 

Nothing found and only an error occurs. Good job~

 

Let me show you the SSL handshake.

 

Second we take a look at its encryption method and key. It\'s AES 128bit encryption, but what happen to the key??? Poor lazy developers, she/he must be a funny guy~

 

 

Furthermore we extract its folder and take a look inside it.

 

Look! Account name in plaintext found in cache.db-wal. Fortunely password is encrypted. Nice job~

 

Anything else? E-mail address in plaintext!

 

No way gps location found! Why Garena needs to know where user live? That\'s too much. It\'s my privacy!!!

 

Garena does well on "Certificate Pinning" but it should take user\'s privacy into account. Don\'t leave those sensitive personal data in plaintext on any plist or database files. At least Garena should encrypt those data. And most important of all, don\'t collect my gps location. No need to know where users live. It\'s none of your business. Concentrate on improving your game to make it more attractive and secure. That\'s what Garena should do.

 

以上是关于Mobile game forensics的主要内容,如果未能解决你的问题,请参考以下文章

第二次作业

JavaScript小游戏--2048(PC端)

Azure DocumentDB 正式发布

iPhone配对游戏[关闭]

URL 未在 webview 上加载

SKLabelNode 添加到类时抛出试图添加 nil 节点错误