Sponsored By

In Defense of Gaming: How Developers Can Protect Against the Top 5 Hacking Risks to Mobile Games

Many mobile gaming developers have not yet fully begun to understand the ramifications on long-term revenue loss that hacking is costing them today. Developers need to realize that their piece of the pie is at risk from day one.

Rennie Allen, Blogger

March 31, 2015

4 Min Read

The need for sophisticated and robust protection to secure the gaming industry is well warranted, considering the global revenues at stake. According to market research firm DFC Intelligence, global revenue from video game software will grow to $70 billion in 2017. The firm also forecasts that, by 2017, 66 percent of game software will be delivered digitally.

Game developers planning to remain in or get into this market need to understand that their piece of this pie is at risk from day one. Many mobile gaming developers have not yet fully begun to understand the ramifications on long-term revenue loss that hacking is costing them today.

For example, Monument Valley is a premium mobile game available for iOS, Android and Amazon Kindle devices for $3.99. Monument Valley has received universal praise for its visual style and game design. It has won a number of awards from Apple iPad Game of the Year (2014) to Unity Awards – Best 3D Visuals (2014). It truly is an excellent example of how great games can be on mobile platforms. However, data released by the game’s developer, ustwo, revealed that, while the game has been installed on over 10 million devices, the game publisher realized revenue for ONLY 2.4 million copies! 

The loss of approximately $6.3 million dollars in revenue is a clear example of the direct adverse impact of mobile hacking.  How can this be?

Let’s take a look at a typical “gaming app break-in” and the top 5 risks that come with it:

But, isn’t my gaming app encrypted?

  • Yes, apps from both the Apple Store and Google Play are, in fact, encrypted.

  • Unfortunately, it takes just a few minutes to (1) decrypt an app using freely available tools.

  • This is the first step in the break-in!

So, what’s the big deal if someone gets access to a decrypted app?

  • Decryption provides the hacker with access to the app – in binary code format.

  • Apps with unprotected binary code are at risk because it’s quite easy for a hacker to (2) reverse engineer binary code back to source code. If you could imagine that your flawless app was a highly secure castle … by leaving the binary code unprotected, it’s like providing free access to the information inside, including the blueprint for the castle and all the security controls, to anyone who was looking for it. 

  • It is also quite easy for a hacker to (3) reuse or “copy-cat” an application, and submit it to an app store under his/her own branding (as a nearly identical copy of the legitimate application).

  • Many apps also use cryptographic keys to encrypt or decrypt sensitive data residing in a local store or in memory. Attackers may be interested in (4) replacing cryptographic keys used by the application in order to decrypt and copy sensitive data from a local repository or memory stream.

Isn’t it really hard for hackers to hijack my well-written games and take over control to perform nefarious activities?

  • Unfortunately, no—it’s not that hard.

  • As an example, there are (5) “method swizzling” attacks. In a “swizzling” attack, hackers can attack critical class methods of an application to intercept API calls and execute unauthorized code, leaving no trace with the code reverting back to its original form. Essentially, it involves modifying the mapping so that calling API A will actually invoke API B – and API B can store credit card information on another server, capture customer information, and be configured to perform any number of nefarious activities! 

Mobile App Security Tips for Developers:

  • Spend time considering what portions of the code and data should be on the client or the server without negatively impacting the game experience.

  • Consider applying obfuscation techniques to protect the code and data on the client. Doing so correctly can give developers confidence that their game assets will not be stolen.

  • Add code that will look for changes in the game and that cause it to either self-repair or cause the game to shut down.

While this provides a summary of application risks that are typically targeted for malicious gain and how these risks can be addressed, there are many more points for developers to consider as a significant amount of revenue is being left on the table as a result of this new threat to mobile games.  For more on this topic, check out our new paper Todays Threats and Strategies for Securing Mobile Games

Read more about:

Featured Blogs

About the Author(s)

Daily news, dev blogs, and stories from Game Developer straight to your inbox

You May Also Like