Mobile game forensics

My friend Carrie'd like to know whether "Garena 传说对决" violates any mobile risks such as insecure data storage or sensitive data disclosure. Let's take a look at this very popular mobile game "Garena 传说对决". It would be very interesting~

My friend Carrie's confused about "Certificate Pinning". Let me show you how to verify "Certificate Pinning": use a proxy server to intercept any sensitive data when a user logs in.

Nothing is found; only an error occurs. Good job~

Let me show you the SSL handshake.

Second, we take a look at its encryption method and key. It's AES 128-bit encryption, but what happened to the key??? Poor lazy developers, she/he must be a funny guy~

Next we extract its app folder and take a look inside.

Look! Account name in plaintext found in cache.db-wal. Fortunately the password is encrypted. Nice job~

Anything else? An e-mail address in plaintext!

No way, GPS location found! Why does Garena need to know where the user lives? That's too much. It's my privacy!!!

Garena does well on "Certificate Pinning" but it should take users' privacy into account. Don't leave sensitive personal data in plaintext in any plist or database files. At the very least Garena should encrypt that data. And most important of all, don't collect my GPS location. There is no need to know where users live. It's none of your business. Concentrate on improving your game to make it more attractive and secure. That's what Garena should do.
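As an added example (my own code, not from the post or from Garena), here is a small privacy-audit scanner in Python that walks an extracted iOS app container and flags the kinds of plaintext artifacts found above: e-mail addresses, GPS and account fields inside plist and SQLite files, including the cache.db-wal write-ahead log. The sample container it builds, its file names and the values in it are constructed for the demonstration.

```python
import os
import re
import plistlib
import sqlite3
import tempfile

# Plaintext data the walkthrough found: e-mail addresses, GPS and account fields.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
KEYWORDS = (b"latitude", b"longitude", b"account")

def scan_file(path):
    """Findings (kind, evidence) for one file, matched over raw bytes so SQLite pages,
    WAL frames and binary plists are all covered; like strings(1), a hit may carry neighbouring bytes."""
    with open(path, "rb") as fh:
        data = fh.read()
    findings = [("email", m.group().decode("ascii", "replace")) for m in EMAIL_RE.finditer(data)]
    findings += [("keyword", k.decode()) for k in KEYWORDS if k in data.lower()]
    return findings

def scan_container(root):
    """Walk an extracted app container and map relative path -> findings."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith((".plist", ".db", ".db-wal", ".sqlite")):
                path = os.path.join(dirpath, name)
                found = scan_file(path)
                if found:
                    results[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return results

_KEEP_OPEN = []  # an open WAL-mode connection keeps cache.db-wal from being checkpointed away

def build_sample_container():
    """Constructed sample (not from the real app): WAL-mode cache.db + binary plist with e-mail and GPS."""
    root = tempfile.mkdtemp()
    caches = os.path.join(root, "Library", "Caches")
    prefs = os.path.join(root, "Library", "Preferences")
    os.makedirs(caches)
    os.makedirs(prefs)
    con = sqlite3.connect(os.path.join(caches, "cache.db"))
    con.execute("PRAGMA journal_mode=WAL")  # committed rows sit in cache.db-wal until a checkpoint
    con.execute("CREATE TABLE session(account TEXT, email TEXT)")
    con.execute("INSERT INTO session VALUES ('player01', 'player01@example.com')")
    con.commit()
    _KEEP_OPEN.append(con)
    with open(os.path.join(prefs, "com.example.game.plist"), "wb") as fh:
        plistlib.dump({"email": "player01@example.com", "latitude": 25.03,
                       "longitude": 121.56}, fh, fmt=plistlib.FMT_BINARY)
    return root
```

Point scan_container at a real extracted container directory to get a per-file list of what is stored unencrypted.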
