With the holidays coming up fast, the mobile game industry is in the middle of its busiest and most profitable few months of the year. According to a 2014 Newzoo report, consumer spending on smartphone and tablet games is highest during December and January. Indeed, some developers tell me they make up to 35% of their annual revenue between Halloween and Valentine’s Day. Game events, sales, promotions, new content releases – most of you mobile game developers have been preparing for the holiday season since last Summer.
But are you prepared on the security front? Let’s look at the most common cheating/hacking scenarios during the holidays. We’ll also explore security measures you can implement to ensure that you keep fraud and cheating from happening, while still providing a great game experience for your players.
1. Limited Item Releases & Sales
Whether it’s Christmas trees, red hearts, or turkey hats, every holiday is an opportunity to sell premium seasonal content that is not otherwise available for the rest of the year. Scarcity, rarity and limited availability work with the spirit of the season to drive sales. During the holidays, game developers often also put out deals on regular in-app purchase items. In both cases, the holidays are a ripe time for fraudsters looking to make a quick buck -- and for players who don’t want to pay for in-game content, looking for a scam. Here’s how:
In-App Purchase Fraud & Increased Chargebacks
Example of IAP fraud being attempted and detected by an app
With the increase in holiday sales volume comes the increased possibility of payment fraud and chargebacks. Risk-management provider Verifi reports that chargebacks can increase up to 50% during the holiday season, while according to Swrve, one in five in-app purchases on Android apps and mobile games are fraudulent.
IAP receipt verification between the client and the server is vulnerable to man in the middle (MitM) attack. Source: Futurice.
Many apps directly send the in-app-purchase (IAP) receipt to the Apple or Google Play store servers for verification. However, anyone using readily available IAP crackers can easily intercept and modify that receipt as it moves between the client and the server. These tools capture some random but valid IAP receipt that was once made, store it, and then let people use it over and over again for the same product -- or even other items in different apps.
Fraudulent transactions also increase during the holiday season, stemming from stolen or fake credit card information and chargebacks from users. Even more concerning, when a player uses illegal payment spoofing software, the software may contain malware or viruses that infect devices or steal personal information.
2. Holiday Game Content & Events
Many games have added fun holiday-themed features or even release a separate app for the occasion. Source: AppAdvice.
The holidays are great fun for game designers – Christmas tree monster! Halloween map! New Year’s fireworks effects! Developers try to incorporate as much special themed content as possible to give players more fun and increase engagement -- special monsters or challenges, increased EXP events, special PvP/PvE/GvG tournaments…the sky’s the limit. But with this fresh content comes new opportunities for hackers:
Top image: Normal game play. Bottom image: Game values strangely high after memory hack. (Source: SEWORKS’ proprietary game memory hacking demo)
The greatest security concern with new content is the increased possibility of game hacks and cheats, largely through third party memory modification tools that are easily found online. These tools help devious players modify game values to give themselves unlimited coins, levels, HP, lives, bullets, energy, and whatever other in-game elements are required to succeed.
Example of how a memory modification tool allows users to modify values
In some cases, a player can even change the results of a battle – even if he/she has lost a game. They just need to use a hacker tool to change that loss to a win, and then transmit that result to the game server. When Bethesda released the Android version of Fallout Shelter in August 2015, for instance, the game’s leaderboard was promptly hacked within hours.
Hackers who do this gain an unfair advantage that ruins other players’ experience, hurting their incentive to make in-app purchases, while even making them want to quit. Not only does this lead to lost potential revenue, but also tends to increase player complaints and quitting. What’s more, developers not only suffer lost revenue through direct fraud, but also wind up with invalid user analytics which may lead to bad marketing or budget decisions.
Defending Your Game from Holiday Hacking
Making sure you have good security measures in place is the best way to start defending against the risks summarized above. I wrote a blog post detailing best security practices for games, which I recommend evaluating before updating the holiday edition of your game. (When developers add security features to a game after it’s live, it’s often too late.)
Here’s other steps I strongly recommend taking:
Implement verification of payments on your game server, reconciling all payments with Google/Apple/Amazon/etc. to make sure verification receipts do not get re-used. This will help to reduce IAP fraud -- particularly fraud that exploits verification receipt systems or attempts to enter an invalid verification receipt.
Monitor any unusual purchase activity, blocking individual player accounts when necessary. For example, if a player normally spends less than $1 per transaction once a month, but suddenly increases to spending $500 a day, there’s clearly reason for concern, and investigation of potential payment fraud.
Monitor your server-side data for unusual (i.e. out of range) values or results. If a Level 1 player suddenly skyrockets to Level 20 in a single day, and you know that it typically takes well over 24 hours for someone to do that, then it’s worth taking a second look.
Apply third party or self-developed memory hacking block tools to discourage fraudsters. Preventing memory hacking significantly cuts down on users modifying game values.
Limit item gifting to friends, since it’s often exploited by scammers -- or eliminate gifting altogether.
Protect operation logic and game values that reside on the client side through security solutions like code or binary obfuscation -- and put that protection into a mandatory update, to ensure every player is using it. Related to this, also implement version checks and controls on the client side, so hackers can’t attempt to switch out certain files or libraries in a protected version with previous unprotected version files.
We spend so much time building and testing the content that drives revenue for us during the holidays, and even increase service operations during prime shopping days. Taking some extra time to implement security solutions up front is well worth the investment. It can also make the difference between having a happy holiday season -- or starting the New Year with a boatload of troubles.