Why Western Mobile Game Developers Need to Worry About Asian App Piracy

By now, just about everyone in mobile gaming has heard about the legal battle between Chinese developer Lilith Games and US-based studio uCool, with Lilith alleging that uCool copied its game Allstar Heroes with its current hit, Heroes Charge.

It’s hardly the first time a game has closely modeled artwork/game mechanics of another title. (Remember NimbleBits’ open letter to Zynga?). But it’s quite another thing for one developer to use someone else’s source code. If you’ve seen the video Lilith posted to support a claim of source code theft by uCool, you know what I’m talking about: it apparently shows clear evidence that uCool’s Heroes Charge contained source code that was written by Lilith.

Screengrab of "Lilith Games copyright" Easter Egg allegedly in uCool's Heroes Charge

Many mobile developer colleagues assume that app piracy is an “only in Asia” problem, but the Lilith/uCool controversy shows this is not the case. Western games like Threes and Angry Birds have suffered from illegal cloned apps being released in Asian app stores in the past, but Heroes Charge/Allstar Heroes is the first publicly documented legal case of a Western developer cloning an Asian game. (This is not to say that apps haven’t been cloned before, but usually without such unambiguous proof that this cloning happened by decompiling and repackaging the app’s source code.)

The fact is, mobile game development is a global business, and what happens in one region impacts other markets too. Let me explain:

First Game to a New Territory -- Copycat or Not -- Becomes That Territory’s “Official” Game

Heroes Charge is yet another instance of a copied game entering a new territory before the original creator (Allstar Heroes, in this case) was able to do so, establishing a brand name and user base that may be difficult or impossible to unseat. Lilith has yet to officially release Allstar Heroes in the US, while uCool published their game to the American market last August. Since then, Heroes Charge has attracted much attention, hitting top 100 grossing in the app store. That’s a seven month head start; seven months to acquire users, monetize, and establish themselves. So ironically, as Allstar Heroes notes in their Facebook post, the US market’s perception is that Allstar Heroes copied Heroes Charge!

The trouble is, most games are usually first released to a limited number of countries. Developers typically lack resources to localize and market their game to multiple regions, let alone support large-scale live ops across many countries, and are usually uncertain whether a particular title will do well or not. Not to mention the inevitable struggle for a few months after launch to stabilize the game, push updates, build up and maintain a sustainable user base, get decent traction and monetization, etc. Expanding into other countries takes a backseat to just getting stuff to work. It can be months, or even years, to have the bandwidth to think about tackling new markets. It’s like launching a new game all over again.

This phenomenon is commonplace across various Asian territorires, but now it’s going global. Which takes me to my next point:

Losing Access to a Region = Losing Lots of Revenue

Here’s a picture of why Lilith is so intent on bringing Heroes Charge down: it makes a lot of money. Compare the performance of Allstar Heroes to Heroes Charge:

The higher the rank, the greater the revenue. Just look at all that money Allstar Heroes could be making!
 

King.com’s Candy Crush Saga

We’ve seen this happen for years in Asia. Someone takes a game, copies it, and releases the title in other countries that the original creator has not yet entered. King.com’s Candy Crush Saga has numerous clones in the Chinese market, and as Motley Fool pointed out last August, “[the] mobile gaming market moves fast -- anyone who wanted to crush candy in China has probably already done so through the English version or a Chinese clone.” In other words, copycat games flooded the China market before King could prepare a China-specific version. By then, the market has tired of the game, partly due to users playing the English version, as well as Chinese-made clones. Decreased interest does not bode well for a successful launch or for revenue.

Candy Crush clones - from left to right, Candy Frenzy, Candy Heroes, Candy Smash. In some cases, not only is the art style copied, but level design/map layout is identical too.

Android’s open platform allows for easy app publishing with little to no review, and one would think that the iOS app review process would have noticed that one game looked nearly identical to another in both game play and graphics, but so many games look alike and reviewing thousands of apps every day means a lot of them will fall through the cracks. Asia’s fragmented marketplaces make it nearly impossible to keep tabs on every single one market, and to monitor the hundreds of app stores on a daily basis requires resources that a developer can’t spare. Even when a similar game comes on the scene, the time and resources necessary to analyze and determine whether the game is merely similar or is really a clone can be daunting.

Why Asia? Well, it is the largest mobile gaming market, with just under $6B market size. And you know what’s next? North America. With a $3B market. Cloning is no longer “just an Asia market problem.” It’s coming here, to our backyard, and we need to pay attention and take preventative measures.

Sever-Side, Post-Facto Protection Is Not Enough

When I explain why app piracy isn’t just an Asian market problem to colleagues, I often get a response like this: “It’s OK if the client side gets compromised, we store all the important data on the server anyway.” No, it’s not OK.  

Consider the Heroes Charge/Allstar Heroes case: if Lilith Games’ claims are true, it was technically possible for uCool to reverse engineer and repackage a client side app, and figure out how and what data was stored on the server side through information gleaned from the source code on the client side --  as well as make frequent server pings to Lilith’s game server. This information would make it possible for uCool to create and operate their own servers, and sufficiently replicate the original game’s servers. They’re not alone in doing this.

The majority of successful app clones behave just like their original counterparts, including similar server-side structures that allow them to run their services independently. Naturally, when developer think about security, resources are spent on server side, because that’s where the data is. What they often forget is this: The key to the server is through the client.

As an industry, we’ve been sluggish to implement active measures for security. We are more reactive to security issues after they happen, instead of being proactive about it. But in working with different app developers on security issues, I’ve found that it costs at least 4 times as much to recover from app piracy or hacking, compared to having security measures implemented beforehand. Simply put, hacking costs more than you think.

Lilith spent a lot of engineering time and resources to plant the tell-tale Easter egg inside their source code in order to submit it as evidence to the courts that Heroes Charge was pilfering their source code. They could have avoided all this and protected themselves in the market if they had just ensured the source code couldn’t be stolen in the first place. Source code level obfuscation is a good step, but multiple security experts have demonstrated that this can be easily reversed. If an app can’t be decompiled, it can prevent reverse engineering, or make it so difficult that it discourages people from trying.

To be fair, app cloning, cheats and exploits are not specific to mobile gaming. It exists across every category of apps. However it hits gaming harder, simply because of the sheer size – gaming accounts for over 80% of revenue generated on mobile. And as I hope this post makes clear, Western game developers will need to worry about it more and more.

So what can the average game developer do to protect themselves? I’ll explain in detail in a follow-up post.