White Paper
Today’s Threats and Strategies
for Securing Mobile Games
2015
Contents
Executive Summary (p. 2)
Business Implications of Mobile Hacking — A Real Life Example (p. 3)
Common Mobile Gaming Security Threats and Mitigation Strategies (p. 4)
    Having Your Game Reverse Engineered, Modified, Repackaged and Republished (p. 4)
    Hackers Can Purchase In-Game Items for Free (p. 5)
    Hackers Can Ruin A Growing Mobile Game Community (p. 6)
    Unauthorized Installations Endanger Players and Damage Revenue (p. 7)
General Game Security Tips (p. 8)
Today’s Threats and Strategies for Securing Mobile Games
2
Executive Summary
Situation: Mobile Gaming is rapidly becoming the dominant gaming segment — and is under attack
The gaming industry, which produced $93 billion in revenue in 2014, is expected to grow by over 9% in 2015 to $111 billion.[1] Much of this growth is due to the fastest growing segment: mobile gaming. Fueled by the rapid growth of mobile device users, the mobile gaming segment has already passed the handheld video games segment and is poised to pass the PC games segment in 2015 with projected revenue over $30 billion.[2] Game developers planning to remain in or get into this market need to understand that their piece of this pie is at risk from day one, due to hacking and the damage it can do to a game’s bottom line.
Many mobile game developers have not yet grasped the long-term revenue loss that hacking is costing them today. This paper reviews the dynamics of today’s mobile gaming market and summarizes important approaches to combating the common issues facing mobile game developers. When these approaches to securing games are planned for and executed smartly, their cost is a small fraction of the potential revenue lost to hacking.
Problem: New threats unique to mobile have largely been ignored and a significant amount of revenue is “left on the table” as a result
In the rush for share in the mobile game market, many game developers have focused on getting mobile
games to market as quickly as possible without considering the risks hackers present. The consequences
of overlooking the risks that hacking poses to the revenue of a mobile game are staggering when
analyzed. In some real world examples, mobile developers have reported losing 50% or more of their
potential revenue due to hacking (see example below).
Revenue loss due to hacking can take many forms:
• Your game’s assets, art, code or data can be reverse engineered, modified, repackaged and republished, often with malware added. This is done without your approval and often without you ever finding out about it.
• Your in-app purchasing system can be compromised, allowing hackers to obtain for free in-game goods or items that normally cost money.
• Your game’s community can be decimated by hackers ruining the integrity of the gaming experience you’ve carefully crafted, alienating your community and potential customers.
• Your game can be pirated hundreds of times more often than it is paid for, resulting in lost potential revenue.
Solution: Revenue Loss from Hacking Can Be Protected Against
It is strongly recommended that game developers spend time identifying weaknesses in their games that hackers can take advantage of; a number of these weaknesses are described later in the paper. Having identified these weaknesses, ideally early in the game development process, game developers should apply a three-pronged approach involving defense, detection and reaction techniques to minimize or eliminate them. This can be done in a performant, non-obtrusive and cost-effective manner that will minimize or eliminate revenue loss.
Business Implications of Mobile Hacking — A Real Life Example
Revenue Loss — A Premium Example
Monument Valley is a premium mobile game available for iOS, Android and Amazon Kindle devices for $3.99. Monument Valley has received universal praise for its visual style and game design. It has won a number of awards, from Apple iPad Game of the Year (2014) to Unity Awards – Best 3D Visuals (2014). It truly is an excellent example of how great games can be on mobile platforms. However, data released by the game’s developer, ustwo, revealed that while the game has been installed on over 10 million devices, ustwo sold ONLY 2.4 million copies![3] Furthermore, only 5% of installs on Android and 40% of installs on iOS were paid for![4]
What does this mean in terms of money lost?
As you can see in the infographic at right, published by the developers, they report 2.4 million in official sales and $5.8 million in revenue. For the sake of example, let’s assume every person who purchased Monument Valley installed the game legitimately on two devices and paid full price. So instead of 2.4 million official sales we’ll use 4.8 million. As the infographic also points out, the developers have recorded over 10 million installs. Subtracting the 4.8 million legitimate installs leaves us with 5.2 million installs that were pirated. At the roughly $1.21 of revenue per legitimate install implied by $5.8 million across 4.8 million installs, this equates to approximately $6.3 million of lost revenue! This is a higher amount than the developers reported that they’ve actually earned selling the game!

The day is approaching when the mobile device market reaches saturation and growth in mobile gaming begins to plateau. Those developers that have addressed the risks hacking poses to their mobile games’ revenue stream will have a leg up on the competition.
This is a very simple example of a very complex problem. However, by thinking about the aspects of game design that lead to this situation, and by adopting approaches to securing mobile games that are already common elsewhere, mobile game developers can begin to minimize the amount of lost revenue.
Common Security Threats in the Mobile Game Space
Securing a mobile game is a very complex problem. The threats each game faces
from hacking depend upon 1) the type of game it is, 2) the platforms the game
will be made available on and 3) how the game is architected. Let’s review a few
of the more common threats that can be encountered by mobile games and how
they can be mitigated.
Having Your Game Reverse Engineered, Modified, Repackaged and Republished
In early 2014 Flappy Bird rose to popularity, becoming the most downloaded free game in the iOS App Store. At this time the developer claimed he was earning $50,000 a day from in-app advertisements as well as sales.[5] However, by March 2014 approximately 60 Flappy Bird clones a day were being added to the iOS App Store alone, hoping to cash in on the success of Flappy Bird.[6] Each clone had its own twist; some reused code, some reused artwork, but all were fundamentally the same game. Worst of all, a reported 79% of these clones contained malware.[7]
Mitigations:
• If a mobile game is architected to use a client app and a server, then developers need to spend time considering which portions of the code and data should live on the client and which on the server, without negatively impacting the game experience. This requires careful consideration: a fully server-driven experience would be more resistant to hacking, but this approach typically creates a network-heavy and very slow experience for customers.
• In many cases data and code that would interest hackers must remain on the client to ensure the gameplay experience is smooth and enjoyable. By applying obfuscation and detection techniques to protect the code and data on the client, developers can be confident that they will not be hacked. Some obfuscation and hacking detection techniques can have negative performance characteristics if applied incorrectly, so developers will need to identify the areas that are most important to protect. When these techniques are used appropriately they can provide a massive amount of protection with negligible impact on performance.
• If there is a lot of client data to protect, then obfuscation techniques may not be the best approach. Instead, look at using whitebox cryptography and key hiding techniques to keep larger sets of data protected. This approach can allow you to decrypt and access your data on the fly while keeping it from prying eyes.
• Developers can also add code that looks for changes in their game and either self-repairs or shuts the game down. If there is a server available, developers can send a warning to the server about what has been modified. Hackers can often block these types of messages, but with careful thought and planning, developers can hide the alert inside an existing message in order to avoid detection.
Hackers Can Purchase In-Game Items for Free
Back in July of 2012, a flaw in Apple’s in-app purchasing system went public. This flaw allowed hackers to purchase in-game currency and items without actually spending money. After the flaw hit news sites it took only two weeks for over 8.4 million false purchases to be made through just one hacker’s website. Over 115 games were known to be affected, including many of the top games at the time such as Fruit Ninja, Temple Run and Plants vs. Zombies.[8] Each of these false purchases would normally have cost between $0.99 and $99.99. The total lost revenue was estimated to be between $8.3 million and $840 million!
This type of hack is known as a ‘man-in-the-middle’ attack. Since this event, this type of hack has been commonly known in the hacking community, and while Apple addressed this particular vulnerability, the basic problem still exists. Hackers typically test every mobile game that includes in-app purchases to see if it suffers from similar vulnerabilities, and if a developer’s mobile game does, the developer will almost certainly lose revenue once the vulnerability is identified and distributed through the online hacking community.
Mitigations:
• The first and best means for mobile developers to protect their mobile game’s in-app purchases is to build a purchasing flow that uses a server the developer runs and operates, which validates purchases with the app stores before delivering the purchased items to a customer.
• Beyond verifying purchases, developers also have to consider where the status and quantity of in-app purchases are stored. If this data is stored in a location that hackers can access, then developers need to consider applying encryption and obfuscation techniques to the code that manipulates this data and to the data itself.
• A last and final guard developers can employ against circumvention of their game’s in-app purchasing system is to add self-repairing code or server alerts when hackers attempt to make fake purchases or tamper with the fulfillment data itself.
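As an added illustration of the first mitigation (not code from the white paper or from Arxan), the server-side fulfilment flow below validates each receipt before anything is granted. The HMAC-signed receipt format, the store verification call and the product catalog are constructed stand-ins for a real store's server-to-server receipt verification API.

```python
"""Server-side validation of an in-app purchase before items are granted.

Added example. The receipt fields and the store verifier below are a
constructed stand-in for a real store's verification endpoint: the fulfilment
server calls the store from the server side and never trusts the client's
claim that a purchase happened.
"""
import hashlib
import hmac
import json

# Constructed catalog: what the game sells, keyed by store product id.
CATALOG = {"com.example.game.gems100": {"gems": 100},
           "com.example.game.gems550": {"gems": 550}}
EXPECTED_BUNDLE_ID = "com.example.game"

# Constructed stand-in for the store's signing key. Only the store holds it,
# so a receipt forged or altered by a man-in-the-middle fails verification.
STORE_KEY = b"store-secret-key-for-demo"


def store_sign(receipt: dict) -> str:
    """Constructed stand-in for the store issuing a signed receipt."""
    payload = json.dumps(receipt, sort_keys=True).encode()
    return hmac.new(STORE_KEY, payload, hashlib.sha256).hexdigest()


def store_verify(receipt: dict, signature: str) -> bool:
    """Constructed stand-in for the store's server-to-server verification call."""
    return hmac.compare_digest(store_sign(receipt), signature)


class FulfilmentServer:
    """Holds the authoritative purchase state; the client only sees outcomes."""

    def __init__(self):
        self.consumed_transactions = set()   # replay protection
        self.balances = {}                   # account -> gems held server-side

    def fulfil(self, account: str, receipt: dict, signature: str) -> str:
        if not store_verify(receipt, signature):
            return "rejected: signature invalid"          # forged or altered
        if receipt.get("bundle_id") != EXPECTED_BUNDLE_ID:
            return "rejected: receipt is for another app"
        product = CATALOG.get(receipt.get("product_id"))
        if product is None:
            return "rejected: unknown product"
        tx = receipt.get("transaction_id")
        if tx in self.consumed_transactions:
            return "rejected: transaction already consumed"  # replayed receipt
        self.consumed_transactions.add(tx)
        self.balances[account] = self.balances.get(account, 0) + product["gems"]
        return "granted"
```

Because the gem balance lives on the server, a client that rewrites its local copy gains nothing the server will honour.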
Hackers Can Ruin a Growing Mobile Game Community
In 2014 all of the top ten mobile games worldwide by revenue across both iOS and Android contained
some form of multiplayer interaction. Digging down further, seven of the top ten games featured
multiplayer gameplay as a major facet of the game experience.
Multiplayer features are a major draw among mobile game players, enabling them to play online with and
against their friends. Bringing players together like this builds online communities for these games
where players discuss and strategize their next move and make new friends and enemies. It’s this
community that hackers can easily disrupt by their actions.
Hackers looking to get ahead in the game end up negatively impacting the play experience of legitimate customers, whether directly or indirectly, intentionally or unintentionally. This in turn drives legitimate customers away from the game, damaging its community and ultimately its revenue and longevity. Players who have paid and played fairly don’t want to be surrounded by hackers who cheapen their experience and their efforts.
The actual impact of hackers on a game’s community is very
hard to measure because of the human aspects involved:
• Was a hacker a legitimate paying customer that
converted to a hacker out of frustration of being taken
advantage of by other hackers?
• Did the player lose everything they earned in the game
due to a hacker and never return to the game again out
of frustration?
• Are the discussions about the game dominated by topics
involving hacking and negative play aspects that scare
away potential customers?
These are just a few of the ways that hackers can damage a
game’s community. You can search on the Internet for almost
any popular mobile game’s name followed by the word ‘hack’
and find numerous websites, forum posts, and news articles
discussing hacks for that game as well as players complaining
about hacks for the same game.
Top ten mobile games worldwide by revenue, 2014
Rank  Game
1     Clash of Clans
2     Puzzle & Dragons
3     Candy Crush Saga
4     Monster Strike
5     Game of War–Fire Age
6     Hay Day
7     Farm Heroes Saga
8     Disney Tsum Tsum
9     The World of Mystic Wiz
10    Brave Frontier
Bold = Multiplayer heavy
Mitigations:
• Developers need to consider what gameplay features hackers will want to attack. In this consideration, take into account which gameplay features can be kept on the server and which will need to be, in whole or in part, on the client. This process needs to take into account the playability of the game for legitimate customers. It is easy to consider moving all at-risk gameplay features to the server, but this approach will often result in a very bad play experience for customers.
• Around these targeted gameplay features that remain on the client, identify the variables that are important: movement, speed, score, health, position, etc. Determine what values are legitimate. If a player reports an illegitimate value in one of these variables then respond to it appropriately. Understanding when a hacker crosses one of these boundaries is a key step in identifying how hackers are attacking your game.
• Look at protecting these key gameplay values, as well as your checks for out-of-bounds values, with obfuscation techniques and detection techniques, making them harder for hackers to get at and control.
• Add support for banning hackers at the game’s account layer so that once a hacker is identified they can be removed from the game and their impact on your community minimized.
• Lastly, developers need to keep an eye on the Internet for reports of hacking in their own social channels as well as forums and groups where hackers interested in your game congregate. Have these areas investigated regularly, as hackers will often find ways to take advantage of a mobile game that developers have never considered.
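The second and fourth mitigations above, worked as an added example (not code from the white paper or from Arxan): a server-side validator that compares each client-reported update against what is physically possible since the last accepted state, records which boundary was crossed, and bans the account after repeated violations. The limits, strike threshold and sample event stream are constructed for illustration.

```python
"""Server-side plausibility checks on client-reported gameplay values, with
banning at the account layer. Added example, not from the white paper; the
limits, strike threshold and events below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed legitimate ranges for the kinds of values the paper lists.
MAX_SPEED = 12.0              # world units per second of movement
MAX_HEALTH = 100
MAX_SCORE_RATE = 50.0         # best achievable points per second
STRIKES_BEFORE_BAN = 3


@dataclass
class PlayerState:
    x: float = 0.0
    y: float = 0.0
    score: int = 0
    health: int = 100
    t: float = 0.0            # server time of the last accepted update
    strikes: int = 0
    banned: bool = False


def violations(prev: PlayerState, ev: dict) -> list:
    """Compare a client update against what is possible since the last
    accepted state. Returns the names of the boundaries crossed."""
    dt = ev["t"] - prev.t
    if dt <= 0:
        return ["timestamp"]                  # replayed or rewound update
    found = []
    dist = ((ev["x"] - prev.x) ** 2 + (ev["y"] - prev.y) ** 2) ** 0.5
    if dist / dt > MAX_SPEED:
        found.append("speed")
    if (ev["score"] - prev.score) / dt > MAX_SCORE_RATE:
        found.append("score")
    if not 0 <= ev["health"] <= MAX_HEALTH:
        found.append("health")
    return found


class GameplayValidator:
    def __init__(self):
        self.players = {}

    def submit(self, account: str, ev: dict) -> dict:
        """Apply one update. The result names the boundaries crossed so it can
        be logged: that record tells you how the game is being attacked."""
        s = self.players.setdefault(account, PlayerState())
        if s.banned:
            return {"accepted": False, "banned": True, "violations": []}
        found = violations(s, ev)
        if found:
            s.strikes += 1
            if s.strikes >= STRIKES_BEFORE_BAN:
                s.banned = True              # removed at the account layer
            return {"accepted": False, "banned": s.banned, "violations": found}
        s.x, s.y, s.score, s.health, s.t = ev["x"], ev["y"], ev["score"], ev["health"], ev["t"]
        return {"accepted": True, "banned": False, "violations": []}


# Constructed sample stream: alice plays normally; bob's client reports values
# no legitimate client could produce.
SAMPLE_EVENTS = [
    ("alice", {"t": 1.0, "x": 5.0, "y": 0.0, "score": 20, "health": 95}),
    ("bob",   {"t": 1.0, "x": 50.0, "y": 0.0, "score": 10, "health": 100}),
    ("bob",   {"t": 2.0, "x": 100.0, "y": 0.0, "score": 1000, "health": 100}),
    ("bob",   {"t": 3.0, "x": 0.0, "y": 0.0, "score": 0, "health": 150}),
    ("bob",   {"t": 4.0, "x": 1.0, "y": 0.0, "score": 5, "health": 100}),
]


def run_sample() -> dict:
    """Feed the sample stream through one validator; index -> outcome."""
    v = GameplayValidator()
    return {i: v.submit(a, e) for i, (a, e) in enumerate(SAMPLE_EVENTS)}
```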
Unauthorized Installations Endanger Players and Damage Revenue
Android controls around 77% of the smartphone market in China.[9] However, the Google Play store doesn’t exist in China at this time. Instead there are dozens of third-party app stores in China where users can download mobile games for their devices. In some cases app developers work with these third-party app stores to host their apps and receive revenue. However, some of these third-party app stores don’t strike distribution deals for apps and instead, in order to stay competitive, end up hosting pirated versions of apps that people download. In this situation app developers are left out of any revenue generated from these pirated versions of their apps. Often these pirated versions will also include malware[7] or introduce game-breaking bugs.[10] This is a critical concern for game developers that are trying to grow an audience in China.
Multiple game developers have reported 90% or higher piracy rates for their games. The large bulk of piracy is seen coming from China and Russia.[4,10,11,12] This holds true for mobile apps that aren’t officially released in these territories as well as apps that are. This is an absolutely staggering amount of piracy!
Mitigations:
This is a very hard problem to defend against, and three key pieces are required to begin defending a game against piracy.
• First — Require players to authenticate against a server in order to log in and play.
• Second — Require the client to download something from the server that is required to play, typically the player’s character record or saved game.
• Third — Make sure there is some form of protection on the networking layer, in-memory layer and on-disk layer of the game covering the portions of code that deal with authentication as well as the portions dealing with receiving and unpacking the player’s saved game or state.
Coupling these three techniques together will usually completely deter a hacker from pirating your game, as the hacker does not want to go through the effort of recreating the server gameplay elements from scratch within the client, nor does the hacker want to be stuck standing up their own server that attempts to replace the true game server. Both scenarios ruin the value proposition for the hacker, which significantly reduces the chances that your game will be pirated.
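The three pieces above as one added example (not code from the white paper or from Arxan): the client must log in, must download its saved game, and must present that record to obtain level content only the server can produce. The account, password, saved game and the way level data is derived are constructed; the record carries an HMAC under a key that never leaves the server, so a copy edited on disk is refused.

```python
"""Login plus a server-held record the client must download to play.
Added example; account, password, saved game and level data are constructed.
"""
import hashlib, hmac, json, os, secrets

ROUNDS = 100_000   # PBKDF2 iterations for the constructed user store


class GameServer:
    def __init__(self):
        self._users = {}        # account -> (salt, password hash)
        self._saves = {}        # account -> authoritative saved game
        self._sessions = {}     # token -> account
        self._record_key = secrets.token_bytes(32)    # never sent to clients
        self._level_secret = secrets.token_bytes(16)  # only the server has it

    def register(self, account: str, password: str, save: dict) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
        self._users[account] = (salt, digest)
        self._saves[account] = save

    def login(self, account: str, password: str):
        """First piece: authenticate; returns a session token or None."""
        if account not in self._users:
            return None
        salt, digest = self._users[account]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
        if not hmac.compare_digest(candidate, digest):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = account
        return token

    def fetch_record(self, token: str):
        """Second piece: the saved game the client needs before it can play."""
        account = self._sessions.get(token)
        if account is None:
            return None
        body = json.dumps(self._saves[account], sort_keys=True)
        tag = hmac.new(self._record_key, body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "tag": tag}

    def level_data(self, token: str, record):
        """Third piece: content only the server can produce, released only for
        an authentic session presenting an untampered record."""
        if token not in self._sessions or record is None:
            return None
        expected = hmac.new(self._record_key, record["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, record["tag"]):
            return None                       # record was edited on disk
        level = json.loads(record["body"])["level"]
        layout = hashlib.sha256(self._level_secret + str(level).encode()).hexdigest()[:8]
        return {"level": level, "layout": layout}


class GameClient:
    """A pirated copy of this client cannot play without the real server."""
    def __init__(self, server: GameServer):
        self.server, self.token, self.record = server, None, None

    def start(self, account: str, password: str) -> str:
        self.token = self.server.login(account, password)
        if self.token is None:
            return "login failed"
        self.record = self.server.fetch_record(self.token)
        return "ready"

    def play_level(self):
        return self.server.level_data(self.token, self.record) if self.record else None
```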
General Game Security Tips
Beyond the specific examples given above there are some general tips mobile game developers should
keep in mind.
Think Security Early and Often
From day one be thinking about how hackers may take advantage of your game’s design. It’s much easier
to mitigate these risks during the initial designs and implementation than it is to correct for them shortly
before launch, or worse yet, after launch. The earlier developers mitigate hacking risks the less impact
hacking will have on their bottom line.
Once an Intrusion Has Been Detected - Delay and Randomize Reaction As Long as Reasonably Possible
Detection techniques that recognize when a hacker is tampering with your game often react immediately once the tampering is identified. How this is handled largely depends on the type of game and the specific situation encountered. Some common reactions are to immediately crash the client, immediately send an alert to the game server, or immediately disconnect the hacker. Smart hackers will recognize what has happened when this occurs, and this gives the hacker insight into how to attack your detection and disable it. Consider adding a random time delay when a detection is tripped, or run the detection at a random interval. Both approaches put distance between the hacker’s actions and the game’s reaction, making it harder for the hacker to identify what exactly they did that caused the reaction. In doing so, you add layers of security and difficulty for the hacker that are hopefully frustrating enough to cause them to give up.
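An added example (not code from the white paper or from Arxan) of the advice above together with the earlier suggestion to hide the server alert inside an existing message: the integrity check runs at a random interval, the reaction is deferred by a random delay, and the alert travels as one flipped bit in the checksum of the routine save message the client sends anyway. The code-image bytes, the intervals and the message format are constructed; the clock is passed in so the behaviour is deterministic.

```python
"""Decoupling tamper detection from reaction, and piggybacking the alert on
routine traffic. Added example; the game loop passes in its own clock."""
import hashlib
import json
import random
import zlib


class TamperMonitor:
    def __init__(self, code_image: bytes, rng: random.Random = None,
                 interval=(5.0, 60.0), delay=(30.0, 300.0)):
        self.rng = rng or random.Random()
        self.expected = hashlib.sha256(code_image).hexdigest()
        self.interval, self.delay = interval, delay
        self.next_check = self.rng.uniform(*interval)  # first check at a random time
        self.react_at = None        # when the deferred reaction is due
        self.pending_alert = False  # detection waiting for the next save message
        self.reacted = False

    def tick(self, now: float, code_image: bytes) -> bool:
        """Call from the game loop; returns True on the frame the reaction fires."""
        if now >= self.next_check:
            self.next_check = now + self.rng.uniform(*self.interval)
            tampered = hashlib.sha256(code_image).hexdigest() != self.expected
            if tampered and self.react_at is None:
                # Nothing visible happens now; the reaction lands later so the
                # hacker cannot tie it to the edit they just made.
                self.react_at = now + self.rng.uniform(*self.delay)
                self.pending_alert = True
        if self.react_at is not None and now >= self.react_at and not self.reacted:
            self.reacted = True     # caller crashes, disconnects or self-repairs here
            return True
        return False

    def save_message(self, save: dict) -> dict:
        """Build the routine save message the client sends anyway. A clean
        client sends the exact checksum; a detection flips its low bit, so
        blocking the alert also blocks the player's own save."""
        msg = dict(save)
        msg["checksum"] = _checksum(save) ^ (1 if self.pending_alert else 0)
        self.pending_alert = False
        return msg


def _checksum(body: dict) -> int:
    return zlib.crc32(json.dumps(body, sort_keys=True).encode())


def server_receive(msg: dict) -> str:
    """Server side: classify a save message by recomputing its checksum."""
    body = {k: v for k, v in msg.items() if k != "checksum"}
    expected = _checksum(body)
    if msg.get("checksum") == expected:
        return "clean"
    if msg.get("checksum") == expected ^ 1:
        return "tamper-alert"
    return "corrupt"
```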
Don’t Tackle This Problem on Your Own
Many game developers think it’s impossible to keep hackers out of their games and don’t attempt to protect their game at all. Other game developers attempt to develop anti-hacking techniques for their games in-house. Unless the game developer happens to have anti-hacking experts on staff, these in-house solutions typically end up being expensive to implement, prone to issues, don’t scale well and add time to the development schedule. Ultimately it’s an uphill battle that a single development team is going to lose; the ratio of hackers to developers on a game team is far in favor of the hackers. However, game developers, you are not alone!
Other game developers are battling hackers every day, and there are companies that specialize in anti-hacking and anti-tampering solutions that can tilt the battle in the developer’s favor and mitigate revenue loss from hacking.
Look for developers that have been successful at thwarting hackers and learn from their experience.
Speak with security companies, like Arxan, and see if their anti-hacking solutions are right for you. The
effort may seem overwhelming initially, but compared to losing as much as half of your game’s revenue
—which could be in the millions of dollars—it’s an easy call to spend time investigating what options are
available. Invest time in protecting your mobile game and retake your lost revenue.
Let Arxan Help with Your Mobile Game Security Solution
• Arxan offers the strongest security in the market, due to an approach that establishes a multi-layer, interconnected Guard Network working at the binary level.
• Arxan is the most deployed and proven solution in the gaming industry, leveraged by 7 of the top 10 game developers to protect PC, mobile, web and console games.
• Arxan's approach can be applied to both client and server binaries, helping protect your products from threats internal and external.
• Arxan’s approach has a manageable impact on game performance, enabling very fine control of the security/performance trade-off that is critical for high performance games.
• Arxan also provides out-of-the-box whitebox cryptography with advanced key hiding techniques to keep your data secure.
• Arxan’s approach has no impact on legitimate players.
• Arxan provides an easy and scalable approach to implement, with key benefits such as:
  — No changes to source code required
  — Easy to integrate into legacy applications and games
  — Automated insertion of self-protecting code
• Arxan offers world class support with its field engineers, who are specifically skilled at helping developers architect successful protection plans.
About Arxan
Arxan provides the world’s strongest application protection solutions. Our unique patented guarding technology 1) Defends applications against attacks, 2) Detects when an attack is being attempted, and 3) Responds to detected attacks to stop them, alert, or repair. Arxan offers solutions for software running on mobile devices, desktops, servers, and embedded platforms, including those connected as part of the Internet of Things (IoT), and is currently protecting applications running on more than 300 million devices across a range of industries, including: financial services, high tech/independent software vendors (ISVs), manufacturing, healthcare, digital media, gaming, and others. The company's headquarters and engineering operations are based in the United States with global offices in EMEA and APAC. For more information, visit http://www.arxan.com
Footnotes
[1] AGC Partners. "Gaming Update 2014." AGC Partners, Sept. 2014. Web. 16 Feb. 2015.
[2] Pearson, Dan. "Report: Mobile to Become Gaming's Biggest Market by 2015." GamesIndustry.biz, 22 Oct. 2014. Web. 16 Feb. 2015.
[3] Gray, Dan. "Monument Valley in Numbers." Monument Valley Development Blog, 15 Jan. 2015. Web. 09 Feb. 2015.
[4] Ustwogames. "Interesting Fact: Only 5% of Monument Valley Installs on Android Are Paid For. 40% on IOS. There's a Sneak Peak of Data!" Twitter, 05 Jan. 2015. Web. 09 Feb. 2015.
[5] "Flappy Bird." Wikipedia. Wikimedia Foundation, n.d. Web. 09 Feb. 2015.
[6] Brown, Mark. "A New Flappy Bird Clone Is Added to the IOS App Store Every 24 Minutes." Pocket Gamer. Steel Media Limited, 5 Mar. 2014. Web. 09 Feb. 2015.
[7] McAfee Labs Threats Report, June 2014. McAfee Labs, June 2015. Web. 9 Feb. 2015.
[8] Arthur, Charles. "Apple Offers Fix for In-app Purchase Hack, but Users Can Avoid It." The Guardian, 23 July 2012. Web. 9 Feb. 2015.
[9] "Smartphone OS Market Share." Kantar Worldpanel ComTech, n.d. Web. 12 Feb. 2015.
[10] Byrresen, Jonas. "The Chinese Pirate Surprise Attack!" Gamasutra, 13 Oct. 2014. Web. 12 Feb. 2015.
[11] Seznec, Yann. "Gentlemen! Or, How Our Most Successful Game Is Also Our Least Profitable." Gamasutra, 20 Aug. 2013. Web. 12 Feb. 2015.
[12] Davies, Chris. "95% Android Game Piracy Experience Highlights App Theft Challenge." SlashGear, 15 May 2013. Web. 12 Feb. 2015.