Piracy and cheating have been problems for video games ever since they were invented. Today I’ll be talking through some of the challenges in fighting these issues on the Oculus standalone platform.
My name is Shaheen, and I work on security technologies for Oculus headsets. Our operating system is based on Android. Android is a very open platform for several reasons.
First, applications don’t have to be signed by a specific entity to be installed. Second, Android offers users a command shell to administer the device and run command-line tools.
Third, the Android community is extensive and has a wide variety of freely available tools. Oculus Quest is like a video game console in many ways, but one key difference is that every Oculus Quest can be a development kit.
Like Windows, users can poke around the device using the command shell. Unlike Windows, users don’t get superuser access. However, the passport that they do have gives them enough to poke around the system and applications.
Together, these attributes make it easier for everyone to develop for VR, but they also make it easier for a user to reverse engineer applications. While an open platform encourages more and more people to build for VR, it also presents challenges in fighting issues like piracy and cheating.
Android is also an open-source platform. The code greatly benefits developers looking to learn how the system behaves and debug reliability and performance problems. Open source also means that it takes less effort for someone to build a compatible platform like an emulator potentially.
This means you have fewer guarantees about whether the platform underneath your application is trustworthy. Being able to trust the platform is an essential factor in how you choose to protect your content.
If the platform underneath you is an emulator, it can be challenging to trust fundamental things like time.
Facebook works to build that trust in the forum by enabling certain features like Secure and Verified Boot. We also ship security patches with our monthly releases.
Finally, we’re also continuing to invest in platform integrity by building attestation technologies and services. So watch out for those shortly. Because the Android platform is so open, it’s wise to take steps to ensure your own content’s authenticity and integrity. For example, verify assets when you load them into memory or treat multiplayer clients as if they’re adversarial.
Verifying your content may feel a little bit silly, but it’s a prime vector for abuse from hackers. Here are some extra speedy guidelines to assist shield your content. Cryptographically signing your belongings will cross hackers from manipulating your information to control your code, which is a lot greater difficult.
Treat network clients as malicious bots. If you host a web service, take steps to ensure that only authentic clients are connecting. Finally, fixing security vulnerabilities in your applications will deter hackers from exploiting them.
Here’s a screenshot of the security vulnerabilities test results page in the developer dashboard to highlight that last point. There, you’ll find a list of security vulnerabilities that we saw in your application. Fixing them is super essential for applications that do a lot of networking.
This was a quick introduction to the challenges of fighting piracy and cheating on the Oculus standalone platform and some of the things you can do to protect your content. There’s much more than can be covered in a lightning talk, and every application and game is different. So please help us understand how you’re experiencing these issues so that we can build solutions together.
As you move forward in building your content, consider how hackers can manipulate it. This will go a long way towards identifying the right solutions for everyone. Thank you.