Protecting games in a mobile world

Chia sẻ: Ledung Ledung | Ngày: | Loại File: PDF | Số trang:5

Thêm vào BST

Báo xấu

82
lượt xem 3
download

Protecting games in a mobile world

Mô tả tài liệu

Download Vui lòng tải xuống để xem tài liệu đầy đủ

This will in many cases provide the possibility to prevent users to copy games between each other, prevent solution and media stealing, prevent reverse engineering of critical algorithms, prevent code tampering in for example multiplayer games.

Chủ đề:

Bình luận(0) Đăng nhập để gửi bình luận!

Lưu

Nội dung Text: Protecting games in a mobile world

Jens Olsson DVD011 06-04-06 1(5) Protecting games in a mobile world By Jens Olsson jeod02@student.bth.se report a real-world connection and make it Abstract interesting to read. I have decided to investigate the different Examples of protections that will be discussed problems with releasing games on mobile are: lock a game so that it can run on one device handsets. The report will be focused on the only, encrypt the game so that resources and release of games, but many methods are the source code cannot be examined, reverse same and can be applied for mobile applications engineered or extracted by malicious users. as well. This will in many cases provide the possibility While I am not studying at the university I am to prevent users to copy games between each working at Imotus Mobile Games, which gave other, prevent solution and media stealing, me the motivation to investigate this. I will base prevent reverse engineering of critical the report on the problems and challenges we algorithms, prevent code tampering in for have encountered trying to protect the games example multiplayer games. we have developed. I hope this will give the
Jens Olsson DVD011 06-04-06 2(5) Introduction to mobile Brew3 technology Brew (Binary Runtime Environment for Wireless) is a game and application platform First I would like to start with an introduction made by QUALCOMM. Supported by 2.5 of some different mobile phone software million handsets worldwide as of 20064 platforms to give an overview of the possibilities that exist on the mobile software “The brilliant idea behind BREW: Connect the and gaming market. I will not cover all mobile marketplace value chain, which includes languages and platforms here but at least some application developers, publishers, content of them in general. providers, device manufacturers, operators and customers with a full offering of products and Java services dedicated to a global marketplace for wireless data - built from the ground up for Java is probably the first thing that people think wireless.” – About Brew about when mobile games are mentioned. Supported by 2.5 million handsets worldwide as Symbian of 20061 it is certainly the largest platform by far. But it is one of many solutions and it has Symbian is a special operating system for the disadvantage of being slow. Sun has mobile phones seen on many advanced phones. developed a special version of java for devices Symbian phones support development in both with less processor power and memory (like C++, J2ME, PersonalJava and Visual Basic. It mobile phones) called J2ME. Java 2 Micro does not include any specific protections of the Edition. In J2ME there are 2 main APIs. The software.5 APIs are CLDC (Connection Limited Device Configuration) and MIDP (Mobile Information Device Profile) working together. Mophun Mophun is a gaming platform for mobile phones made by a Swedish company, Synergenix. Mophun uses C/C++/Assembly as programming language. Code is compiled to a special byte code that runs on a special virtual machine that is adapted to all the handset models that are supported.2 For a game to run it has to have a valid certificate from Synergenix. It also has to be signed by a distributor. Mophun uses an advanced DRM system for protection. 3 About Brew Website 1 Gamesutra 4 Gamesutra 2 Mophun Developer page 5 Symbian Website
Jens Olsson DVD011 06-04-06 3(5) OMA DRM6 Challenges OMA DRM made by The Open Mobile I will describe 4 different challenges that I have Alliance is not a platform like the other encountered when developing for Imotus platforms above. It is a system to protect any Mobile Games. I will then show how some of content delivered to a mobile phone, not only these issues can be solved. software but also images etc. OMA DRM adds functions like: Challenge 1: Copy Encrypted deliveries Protection Content can be encrypted before delivered to A great challenge with computer software and the handset. This makes de-compilation much games is how to prevent users to get the harder. software/game without paying for it from a friend or from the Internet. This problem exists on mobile handsets as well. On some handsets Forward-lock this is prevented by not allowing access to the software’s/game’s files. This however only Prevents users to forward content they have makes it a bit harder. It is still possible to bought and downloaded to others. It is up to the intercept the game delivery via for example a device to prevent the game to be forwarded to computer. another phone.7 In J2ME there is no built in copy protection. Combined-Delivery Furthermore compiled java games can easily be decompiled to source code with a de-compiler Is much like forward lock but if a game is (For example jad). This makes it easy to forwarded to another mobile phone user, the analyze the source code of a game and to game will still run. It will then run either in a remove any copy protection existing. To protect demo mode with maybe just a few levels or from this threat there exist obfuscation software with a time limit of game play, or maybe that can be used to make it harder. Obfuscation playable only once or during 24 hours. changes the compiled code making it more complicated and in a way that makes it very Separate-Delivery hard to understand by humans. Obfuscation does not prevent from decompiling although it Is much like Combined-delivery, but content is makes it hard to find where the copy protection delivered encrypted in one package and the is located and how it is designed to work. usage rights are delivered separately. This Obfuscation programs work with special makes it possible for a user to send a game to a patterns and are often predictable. friend etc. and the friend then have to option to Disadvantages of using obfuscation are that either get a preview license or a full version there is software that can de-obfuscate license for the game. obfuscated code for known obfuscators. Obfuscation also often comes with a performance penalty. Mophun has this already solved. The distributor will sign each game with a special tool. Distributors get new signing certificates each month to prevent people from using stolen certificates. Games developed in Mophun have 6 a time bomb protection (makes sure that a game Nokia DRM and Download FAQ can only be installed on the date it was signed). 7 It also has an optional IMEI lock. This locks the A Generic DRM Framework for game so that it can run on the phone with the J2ME Applications specific IMEI number it has been signed for only.
Jens Olsson DVD011 06-04-06 4(5) Another generic solution is to make the Many developers use a checksum to make it program connect to the author’s server and harder to fabricate registrations. This solution require the user to logon with a serial number relies on that the server and the game share a for example. Then the program retrieves some secret algorithm for calculating checksums and small essential parts of the program from the this algorithm has to be protected from the server that is required for the program to run.8 malicious user. One method is to compile the program at In Java there is a serious problem with this delivery. It is then possible to have a program scenario because the algorithm to calculate the that is locked to the specific phone model and checksum is inside the game binary and can maybe other parameters like IMEI number for therefore be examined and reverse engineered example. The problem with this is that most with a de-compiler. A tool to register any score market places for mobile games on the Internet can be invented. To protect from this we need and on the WAP portals does not support to prevent users from reverse engineering the compile at download. So this solution is maybe source code. only a solution in theory. In Mophun the built-in code tampering and At Imotus one of our approaches to the problem code de-compilation protection makes the life is to make sure a certain binary of the game is much easier. All games released on the Mophun valid for one phone model only. It is not as fun platform must be certified and is then encrypted for people trying to break copy protection on with a private key. All mobile phones have a software that runs on only one phone because public key that can decrypt the games. This they will then target a much smaller audience. It makes any code recompilation useless if the is also not that easy for people to share games aim is to copy the program or make changes, with each other because chances are that people because there is no way to have this code who want to share have different phone encrypted again so that it can run on a handset. manufacturers and phone models. There are In theory it would probably be possible to find over 7009 mobile phones that support for out the key and get the unencrypted binary from example J2ME so this may be a big problem for the phone. people trying to release cracked versions. I have not found any documents describing this Another solution would be to use OMA DRM, approach thought. developed by the Open Mobile Alliance, to prevent the code being decompiled and Challenge 2: High score list examined. OMA DRM (Open Mobile Alliance Digital Rights Management) is something quite similar to the protection used in Mophun. Many games for mobile phones offer the players after finishing a game to upload their high score to an on-line high score list on the None of these solutions however protects from World Wide Web. This is usually done by malicious users listening to network traffic sending the name and score and some kind of trying to analyze the algorithm by taking web server. The problem with this is how to samples. However one of these 2 methods prevent users from reverse engineering the combined with a for example Diffie-Hellman binary and find out how the request looks like handshake and encrypted connection to transfer and create their own (client-side security). the high score over would probably be sufficient to protect the transmission. 8 Mobile phone development: J2ME Versus Brew 9 Mobilehall
Jens Olsson DVD011 06-04-06 5(5) Challenge 3: Multiplayer Challenge 4: Solution gaming protection Just as with multiplayer games on personal One problem with delivering games to an end computers, it is possible to modify the binary user is how to protect the solutions and graphics code of a game so that it will give you etc from use by other parties. With java for advantages over other players. But it is maybe example as earlier mentioned is easy to extract even easier on a mobile phone because most both source code and resources like images and games are written in Java and can therefore be sounds with a de-compiler like jad and a jar de-compiled to fully understandable and archive utility. editable source code. Just decompile, edit some parameters and recompile. In Mophun the whole game is encrypted and can only be decrypted by a mobile phone. On a PC it is often possible to solve this by Furthermore if someone gets the old of code to actively validating using the server. On a use Synergenix must validate and certify the mobile phone on the other hand it is much more game. There is no other way to get the game difficult. Network connection on those devices released, and this of course increases security has far too high network latency for this to even though it would still be possible because work in real time. the key is in every phone. Conclusion Software protections in the mobile world are rather similar to protections on the personal computer. There exit a few advantages and disadvantages though. Most mobile phones are closed devices and are protected in a way that it is very hard to access the internals in order to bypass copy protection etc. If combined with sending the games encrypted we got a rather good copy protection and it feels like copy protection on the mobile phones are much easier to achieve there than on PC. The high score problem is something that cannot be completely solved. The device has to have some way of reading the game, and then it is also possible for people to read it if they reverse engineer the device. Maybe to be sure, high score lists can only exist on turn-based games that connect to a server to validate the result. En encrypted game and a diffie-hellman type handshake would probably be sufficient though. It will require very much of the malicious gamers to bypass such a protection. Sources About Brew Website, http://brew.qualcomm.com/brew/en/about/about_brew.html, 2006-03-29 Mobile phone development: J2ME Versus Brew, http://www.colinfahey.com/2002dec14_j2me_cell_phone/mobile_j2me_vs_brew.htm, 2006-03-29 Code Obfuscation, http://palisade.paladion.net/issues/2005Aug/code-obfuscation/, 2006-03-29 Gamesutra, http://www.gamasutra.com/features/gdcarchive/2003M/Crowley_Dale.ppt#360,12,Technology Breakdown, 2006-03-29 Symbian Website, http://www.symbian.se/, 2006-03-30 Nokia DRM and Download FAQ, http://www.forum.nokia.com/main/1,6566,1_41_50,00.html, 2006-03-30 Mobilehall, www.mobilehall.com, 2006-03-30 Mophun developer page, http://www.mophun.com/developer/, 2006-03-30 A generic DRM framework for J2ME Applications, http://nsantos.home.cern.ch/nsantos/papers/nsantos03DrmFramework.pdf, 2006- 04-06