Mobile gaming saw incredible growth in 2016, buoyed by blockbuster successes such as “Pokémon GO,” “Super Mario Run,” and “Clash Royale.” The mobile sector generated about $41 billion — accounting for slightly less than half of the gaming market’s $91 billion in revenue this past year.
The lucrative expansion of this market is exciting news for developers, but it has also turned gaming apps into prime targets for hackers. Cybercriminals took advantage of the buzz surrounding “Super Mario Run” on Apple devices and released a fake version of the game for Android OS that contained malware. Months before that, hackers took down “Pokémon GO” servers with a distributed denial of service (DDoS) attack.
DDoS attacks make gaming apps unavailable to players, creating frustration among users while directly bleeding revenue from developers. They can easily evolve into ransomware-style attacks in which hackers hold a service hostage until a developer pays a hefty fee. The FBI estimates people made about $1 billion in ransomware payments in 2016 — far eclipsing the $24 million paid in 2015.
The tech industry has developed strategies to effectively deflect and defend against DDoS and ransomware attacks, but security is not a primary focus for every game developer. Most small studios lack the technological resources and in-house staff necessary to make security and continuity major priorities.
The most commonly deployed mitigation strategy for a DDoS is having enough server-side computing power and bandwidth to consume the traffic. Considering botnets the size of the one that attacked Dyn in late October, it’s unlikely a production-size server cluster will be able to keep up — at which point the DDoS succeeds.
By relying on a refined mitigation strategy, it is possible for game developers to increase their threat protections without massive investments in new capabilities. Implementing load balancing along with specialized packet filters and quality of service rules can do a lot to weed out malicious bots. More specifically, a data stream network that relies on techniques such as request verification, threat sequestration, and advanced filtering protocols goes a long way to safeguarding access.
Building a bulwark against DDoS is the most urgent priority, but it’s only one step that developers must take to strengthen security for their creations. Specific techniques and capabilities are important, though an expansive and responsive security strategy is even more essential.
Developers must acknowledge the scope of the threats they face and adopt a culture of data security. Developing fanciful characters and exciting gaming experiences is still a top priority, but games are more likely to disappoint than delight if they aren’t insulated by a thick layer of security measures.
The specifics of any data security strategy will differ depending on who implements it and what sort of budget and resources they have at their disposal. The threat landscape is evolving rapidly, meaning any plan must be flexible enough to adapt on the fly. With that in mind, there are several priorities all developers should focus on as they plan and implement security strategies:
1. Watch for weaknesses. Once the threat of DDoS attacks has been eliminated, developers can shift focus to physical protection and application-layer security. Measures such as modern ciphers and large key volumes ensure that only those who absolutely need access to data have that ability. General optimizations such as fast service requests, simplified code, and smaller packets can go a long way toward protecting the application layer.
2. Shore up everything. Safeguarding the core gaming experience is important, but it’s not the only thing attackers might target. They will also marshal forces directed at billing services, communication systems such as email and forums, and accounts established through third-party services such as social media. Each of these can become a vulnerable attack vector: With the right sort of attack, it’s possible to compromise a gaming app through even the most circuitous channels.
3. Don’t get complacent. Quite a few companies outsource security measures through third-party services, but it’s vital to understand the security guarantees these companies provide and take proactive measures to keep information secure. Strict access controls can help eliminate the sort of accidental and intentional threats created in-house. For example, only two or three people in your company need access to your Twitter account; the password should be locked away in a secure credential management system, and it shouldn’t be easy to memorize.
On the engineering side, try new programming languages such as Mozilla Rust and Google Go to protect your games and services from undefined behavior that attackers frequently exploit, including buffer overflows and double frees. Both languages offer roughly equivalent performance and features to help seal software security gaps.
It won’t be quick, easy, or inexpensive for game developers to put ironclad safety measures in place, but it’s essential to consider the potential consequences of hackers holding your creation hostage. These attacks amplify in frequency and severity on an almost monthly basis, with a growing focus on the gaming arena. Now is the time to take steps to prevent hackers from stealing your most valuable commodity.