Our investigation found that the Roblox app on Android appears to have numerous potential security issues under the hood that could put the platform and its players at risk.

Roblox is an incredibly popular online game creation platform, boasting a whopping 100+ million installs on Android and 199+ million monthly active players in total. It allows players to create their own games, share them within the platform, and play games created by others. Predictably, the game is very popular with kids, particularly so in the middle of the coronavirus pandemic, as children are required to stay at home during lockdowns. 

Roblox also incorporates microtransactions, with players able to buy and sell cosmetic items, as well as pay in-game currency to give their characters new powers and abilities. Users who create games on the platform can also earn money from user-generated content. 

And wherever there’s money involved, there’s also potential for cybercrime. 

The use of microtransactions, coupled with massive numbers of very young players, makes the platform ripe for potential abuse, including scams, account theft, and security breaches. In light of this, we at CyberNews wanted to see if the Roblox app had more potential security issues under the hood that made it susceptible to new attack vectors.

Since most Roblox players and creators seem to be enjoying their games on Android, we downloaded the Android version of the app and ran a static analysis to scan its source code for possible security red flags. 

Unfortunately, the results of our analysis were quite alarming: Roblox appears to have numerous potential security issues on Android that could put the platform and its players at risk.

Needless to say, we informed Roblox about our findings, hoping that the company would take them into account and tighten their security practices. Unfortunately, our emails and calls went unanswered for months.

What were we looking at?

In order to carry out this investigation, we used the Mobile Security Framework (MobSF) to analyze the code of the Roblox app (version 2.460.416177) on Android phones for potential vulnerabilities and security issues. 

We also looked at how Roblox stores its data, how the app secures its communications, how it handles its activities and intents, and whether there are any hardcoded API keys inside.

What did we find?

Here are the biggest takeaways from running a static analysis on the Roblox app on Android: 

  • Roblox failed both the MobSF Security Score and the Average CVSS score due to poor security practices
  • Manifest analysis shows potential security issues
  • Roblox uses weak and insecure hashing algorithms and local SQLite databases to protect and store sensitive data 
  • The app is susceptible to the Janus vulnerability on older Android devices
  • The Roblox Android app uses a hard-coded API key, which could potentially result in data theft, as well as tampering with how the app deals with data and API requests made by the app

All these security issues, coupled with a local database used for saving player data, make Roblox a perfect example of a potentially vulnerable application that could be breached by cybercriminals armed with malware tailored to target Roblox and its players.

As you can see, there’s a lot to unpack here. So, let’s get started.

Subpar security scores

To assess the security of the Roblox app on Android, we used one of the most comprehensive mobile app security assessment frameworks on the market: The Mobile Security Framework (MobSF). In short, it’s an interface for a set of tools used by security researchers to perform static and dynamic analysis of Android apps. 

Upon completing static analysis of an app, MobSF gives two scores for an at-a-glance assessment of app security:

  • The Average CVSS (Common Vulnerability Scoring System) score is the average score of all vulnerabilities found within the app, with each vulnerability having its own CVSS score depending on how severe it is. The lower the Average CVSS score, the better.
  • The MobSF Security Score is the framework’s own scoring system that determines which of the scanned elements of the app were deemed vulnerable by the MobSF scanner.

As soon as we finished performing static analysis, we were alarmed by Roblox’s surprisingly low scores: the app got a 6.4 Average CVSS score and a 10/100 Security Score.

A CVSS score of 6.4 means that the vulnerabilities found within the Roblox app on Android pose a Medium security risk, meaning that the risk “is likely to have a serious adverse effect on the organization or individuals associated with the organization,” while a 10/100 Security Score indicates many potential security problems present within the app. 

Even though poor security scores in themselves don’t necessarily mean that an app is rife with actual security holes, they’re a pretty good canary in the coal mine for security experts, indicating that something isn’t right with the app’s code, security-wise. Which is exactly what happened in our case.

Potential misconfigurations

Every Android app has an AndroidManifest.xml file in its project source archive. This file describes basic information about the app in the Android operating system, Android Developer Tools, and Google Play. 

When performing static analysis, looking at the Manifest file is important because it determines the permissions that the app will ask for, as well as the commands that it can execute. For this reason, developers should always ensure that the AndroidManifest.xml file is properly configured, as any misconfigurations can result in security vulnerabilities that threat actors can exploit.

When we looked at the Roblox Android manifest file, we found some glaring issues.

The most alarming potential security issues that caught our attention were the fact that the app’s broadcast receiver was shared and accessible to other apps on the device, while the following services were not in Protected mode and had intent filters incorporated:

  • com.roblox.client.fcm.RbxFcmListenerService (note: this issue has been patched in the latest version of the Roblox Android app)
  • com.roblox.client.ActivityNativeMain
  • com.roblox.client.game.ActivityGame  (note: this issue has been patched in the latest version of the Roblox Android app)
  • com.roblox.client.ActivityProtocolLaunch

Intent filters are rules that permit or restrict app operations and can be used by developers or threat actors to request an action from another component of the app (for example, request user data from the app’s database in real-time). 

This means that the threat actors who are aware of this issue can try to steal Roblox player data by creating malware that is specifically designed to target Roblox’s broadcast receiver or its intent services.
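The manifest check described above can be reproduced on any decoded AndroidManifest.xml. The following is an added example, not code from the original article or from MobSF: it lists components that other apps can reach because they are exported (explicitly, or implicitly through an intent filter) and require no permission. The sample manifest is constructed, and the package, component and function names are hypothetical.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
# Constructed sample manifest (decoded XML); every name in it is hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.game">
  <application>
    <service android:name=".push.ListenerService">
      <intent-filter><action android:name="com.example.game.PUSH"/></intent-filter>
    </service>
    <activity android:name=".LinkActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.VIEW"/></intent-filter>
    </activity>
    <receiver android:name=".InstallReceiver" android:exported="true"
              android:permission="com.example.game.permission.INTERNAL"/>
    <service android:name=".SyncService" android:exported="false">
      <intent-filter><action android:name="com.example.game.SYNC"/></intent-filter>
    </service>
  </application>
</manifest>
"""

# Providers are left out: their export default follows different rules.
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver")


def unprotected_components(manifest_xml):
    """Return (tag, name, reason) for components any other app can send intents to."""
    app = ET.fromstring(manifest_xml.strip()).find("application")
    app_permission = app.get(A + "permission")
    findings = []
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        exported = comp.get(A + "exported")
        if exported is None:
            # Before Android 12, an intent filter alone made a component exported.
            is_exported = comp.find("intent-filter") is not None
            reason = "intent-filter without android:exported"
        else:
            is_exported = exported.lower() == "true"
            reason = 'android:exported="true"'
        # A required permission limits callers (how far depends on its protectionLevel).
        if is_exported and not (comp.get(A + "permission") or app_permission):
            findings.append((comp.tag, comp.get(A + "name"), reason + ", no permission"))
    return findings


if __name__ == "__main__":
    print(*unprotected_components(SAMPLE_MANIFEST), sep="\n")
```

Components that must stay exported, such as the launcher activity, will also appear in the output and need manual review rather than automatic removal.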

Insecure storage of potentially sensitive data

To avoid storing sensitive user information in plain text and thus exposing it to threat actors, developers tend to hash emails and/or passwords with a secure hashing algorithm. Using a strong hashing algorithm is important because hashes produced by weak algorithms can easily be cracked by anyone with a modicum of technical knowledge.

Sadly, Roblox appears to be using the weak hashing algorithms MD5 and SHA1 to hash some of the data within the application logic, putting that data at risk of being exposed to threat actors. 

In the worst-case scenario, if said information is sensitive, such as player credentials or personal user information, bad actors could easily steal it and use it to carry out credential stuffing attacks against Roblox players. 

Not only that, but Roblox also stores its weakly hashed user data locally in a dedicated SQLite database and executes raw SQL queries. 

This could potentially make the Roblox Android app vulnerable to SQL Injection (SQLi) attacks.

Even though this is not difficult to fix, the mere possibility of being susceptible to such an ancient vulnerability is rather alarming from a security perspective.
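Both weak patterns named in this section, shown beside their hardened forms in an added example that is not taken from the Roblox app or the original article: an unsalted MD5 digest next to a salted, slow key-derivation function, and a raw SQLite query next to a parameterized one. The table, column and function names, the sample values and the iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # assumed work factor for this example; tune to your hardware


def md5_hex(value):
    # Weak pattern: fast and unsalted, so equal inputs always give equal digests.
    return hashlib.md5(value.encode()).hexdigest()


def slow_hash(value, salt=None):
    # Hardened pattern for secrets: random per-record salt plus a slow KDF.
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", value.encode(), salt, ITERATIONS)


def verify(value, salt, expected):
    return hmac.compare_digest(slow_hash(value, salt)[1], expected)


def open_sample_db():
    # Constructed in-memory table standing in for an app's local SQLite store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE players (name TEXT, secret_md5 TEXT)")
    rows = [("alice", md5_hex("hunter2")), ("bob", md5_hex("hunter2"))]
    conn.executemany("INSERT INTO players VALUES (?, ?)", rows)
    return conn


def lookup_raw(conn, name):
    # Raw query: the value is spliced into the statement and parsed as SQL.
    return conn.execute(f"SELECT name FROM players WHERE name = '{name}'").fetchall()


def lookup_bound(conn, name):
    # Bound parameter: the value is passed as data and never parsed as SQL.
    return conn.execute("SELECT name FROM players WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    db = open_sample_db()
    crafted = "' OR '1'='1"  # constructed input containing a quote
    print(lookup_raw(db, crafted), lookup_bound(db, crafted))
    print(db.execute("SELECT COUNT(DISTINCT secret_md5) FROM players").fetchone())
```

On Android, the bound form corresponds to passing values through the `selectionArgs` parameter of `SQLiteDatabase.rawQuery` instead of concatenating them into the SQL string.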

A critical vulnerability on older Android devices

According to the official Roblox system requirements, the platform runs on devices that run Android 4.4 or higher. During our analysis, we found that Roblox uses the highly vulnerable JAR Signature Version 1 in order to support older versions of Android. 

Even though newer signature versions (v2 and v3) were also present in the code, those versions are only supported on Android 7.0 and higher. This means that the Roblox app is susceptible to the Janus vulnerability on older Android devices that run versions 4.4-6.0, which amounts to about 7.5% of all Android devices.
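A check for the condition described above, as an added example that is not part of the original article: it inspects an APK for a v1 JAR signature and for the APK Signing Block used by v2/v3, then reports whether the declared minimum API level includes releases that verify only v1. The sample APK is constructed in memory with placeholder entries and an empty signing block, and the function names are hypothetical.

```python
import io
import struct
import zipfile

SIG_BLOCK_MAGIC = b"APK Sig Block 42"  # last 16 bytes of the v2/v3 APK Signing Block
V2_MIN_API = 24                        # Android 7.0 is the first release to verify v2

def cd_offset(apk):
    """Offset of the ZIP central directory, read from the End of Central Directory record."""
    eocd = apk.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no ZIP end-of-central-directory record")
    return struct.unpack_from("<I", apk, eocd + 16)[0]

def signing_report(apk, min_sdk):
    """Summarise which signature schemes protect an APK on the API levels it supports."""
    names = zipfile.ZipFile(io.BytesIO(apk)).namelist()
    v1 = any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC")) for n in names)
    cd = cd_offset(apk)
    return {
        "v1_jar_signature": v1,
        "apk_signing_block": cd >= 16 and apk[cd - 16:cd] == SIG_BLOCK_MAGIC,
        # Releases below API 24 ignore the signing block and check only the v1 signature.
        "v1_only_below_api_24": v1 and min_sdk < V2_MIN_API,
    }

def build_sample_apk(with_block):
    """Constructed stand-in for an APK: placeholder entries, optional empty signing block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in ("META-INF/MANIFEST.MF", "META-INF/CERT.SF", "META-INF/CERT.RSA", "classes.dex"):
            z.writestr(name, b"placeholder")
    apk = buf.getvalue()
    if with_block:
        cd, eocd = cd_offset(apk), apk.rfind(b"PK\x05\x06")
        block = struct.pack("<QQ", 24, 24) + SIG_BLOCK_MAGIC  # size, size, magic; no signers
        tail = bytearray(apk[eocd:])
        struct.pack_into("<I", tail, 16, cd + len(block))      # central directory moved down
        apk = apk[:cd] + block + apk[cd:eocd] + bytes(tail)
    return apk

if __name__ == "__main__":
    print(signing_report(build_sample_apk(True), min_sdk=19))   # Android 4.4
    print(signing_report(build_sample_apk(True), min_sdk=24))   # Android 7.0
```

The report only detects which schemes are present; it does not validate any signature.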

A hard-coded API key

Finally, we found a hard-coded API key inside the Roblox app. API keys are used by the app to access parts of the Roblox network, which means they should never be accessible to anyone except the developers, who, it seems, left their API keys hardcoded for their own ease of use.

This is a nontrivial oversight by Roblox developers. With an API key in hand, cybercriminals could potentially cause damage to both Roblox and its players, including: 

  • Stealing player data, such as their app credentials or personal information
  • Tampering with how the Roblox app deals with the data
  • Altering the API requests made by the app

To avoid this, Roblox developers should save the API keys into memory or at least encrypt and decrypt them on the fly, so that they are not available in plain text for anyone to access.

Bottom line: Roblox should up their security game

Our analysis of the Roblox app on Android has shown that even a publicly traded organization with decades of development experience, hundreds of millions of customers, and a budget to match can be potentially vulnerable to security lapses.

One might suppose that a company as successful as Roblox would follow good security practices, but the truth seems to be a little more embarrassing: obsolete hashing algorithms, potentially insecure data storage, and hardcoded API keys all point towards a less than stellar approach to security.

To be clear, our findings do not mean that Roblox is a disaster security-wise, but there could be multiple security risks under the hood. Hopefully, Roblox will address them in the near future, before these risks turn into actual vulnerabilities.

