Mobile gaming is boom. 2020 app revenue topped $111 billion, 30% more than all of 2019, according to research firm Sensor Tower. It estimates that gaming hit $79.5 billion on mobile, and 43% of that gaming revenue comes from in-app purchases, according to 2020 study from Wappier.
With in-app purchases making up such a large percentage of mobile game revenue, hacks that enable gamers to get free stuff without making in-app purchases are a huge threat. And hacking is simple to do. To illustrate just how easy it is, take a look at this YouTube video, in which a mobile gamer shows how to use an emulator to cheat in the Jurassic World mobile game on Android. In less than 5 minutes, he creates his own patch for the game, which makes in-app purchases free.
Emulators aren’t just used for bypassing in-app purchases. Just as concerning, the use of emulators, debuggers and other tools enables malicious actors to create copycat games and even transform the game into a trojan that carries malware.
Bots are another problem, especially for mobile games that thrive on player-vs.-player competition. Originally developed for purchasing coveted pairs of sneakers, the automated bots are everywhere, and in mobile gaming, they can ruin the experience for other gamers, potentially reducing the game’s customer base and its long-term viability. Especially in resource management competitive games, bots make it much easier to A 2020 survey from mobile measurement firm Adjust shows that 41% of mobile gamers have paid for a bot to help them win, spending an average of $65, and 63% said the prevalence of bots negatively affects their gaming experience.
Finally, hackers recognize that the data stored in mobile games is also quite valuable, so they use traditional static and dynamic analysis tools and techniques to harvest unprotected app data stored on the device, such a passwords, user data, license keys, API keys and backend server information, which they either monetize directly or use in downstream attacks.
Unfortunately, despite the risks, far too few developers take the measures necessary to prevent tampering and reverse engineering. After all, the Verizon Mobile Security Index 2020 notes that 43% of organizations knowingly cut corners on mobile security to “get the job done.” But it’s critical for the mobile game industry to implement stronger security to prevent these kinds of breaches and cheats for growth to continue at its current pace. Thankfully, there are measures mobile game developers can take to protect their apps.
Protecting the game and the data stored in the game
Reverse engineering, debugging tools, tampering with workflows, jailbreak/rooting, using emulators and simulators, as well as static and dynamic analysis are the building blocks of every hacker. Mobile games also store all the data created by the game and the gamer, service domains and URLs, APIs and API keys, external services and SDKs, app permissions, communication methods, as well as the certificates used to establish “trust” between the game and its backend. Hackers, good and bad, focus their efforts on exploiting the gaps in the protection used in games. To stop these attacks, protecting the game and the data generated and stored in the game is critical.
Shielding the game with Runtime Application Self-Protection (RASP is central in any first line of defense. This will protect the game against any attempt to tamper with or reverse engineer the app. In addition, good RASP protection also prevents debugging of the app and running the app on simulators and emulators for malicious purposes.
Code obfuscation is the next line of defense. Obfuscation will mask all the game’s logic and prevent hackers from learning how the game works.
Most hacking tools rely on Jailbreak and Root. So the next line of defense is to prevent the game from running on a Jailbroken or Rooted device. Strong jailbreak and root prevention will protect the app against hacking engines like Frida and all cheating engines.
And finally, it is critical to encrypt all data stored in and generated by the game, including data in memory. Protecting memory will prevent modification and theft of in-app purchases via ROM-hacks.
Combatting network-based attacks
Once you protect the game itself and the data stored in the game, preventing network-based attacks is the last line of defense. Man-in-the-Middle (MitM) attacks are the most common network-based attacks.
There are many different ways of protecting against MitM attacks. My recommendation is to use more advanced methods of ensuring secure connections like certificate validation, certificate pinning, TLS version enforcement, and cipher suite enforcement to ensure data in transit is protected. Cipher Suites are a set of algorithms used to secure a TLS connection, and there are hundreds of different suites with varying levels of security. In fact, many have been deemed too insecure to use by security professionals. It’s important to establish which ciphers an app will accept to ensure that only approved, secure cipher suites are allowed.
Certificate pinning is another effective way to ensure the integrity of the network connection between the game and its backend, and to ensure that the certificates of the backend server can actually be trusted. Certificates operate on a chain of trust, with “higher” certificates validating the authenticity of “lower” certificates. Ultimately, the chain of trust is founded on a certificate issued by a provider trusted by the platform on which an application is running. However, if roles are not enforced, an attacker can issue their own certificates to mount a MitM attack or present a forged certificate to the app. To thwart these attacks, each certificate must include information about its role in a common extension called “Basic-Constraints.” If a certificate does not have this extension, a TLS implementation won’t enforce it.
Security implementation
Unfortunately, mobile security experts are in short supply, and, even if a team possesses the right skills, manually incorporating security can lengthen release schedules, which can be a serious competitive disadvantage in such a competitive market. Thankfully, there are ways to implement these features without having to do so manually. SDKs can be incorporated into apps, though these implementations do require some manual coding and present some critical limitations when it comes to obfuscation. Another option is a no-code platform that can embed obfuscation, encryption, anti-MitM and anti-tampering capabilities into an app binary in just a matter of minutes.
Mobile games are a huge business, but its growth could be hampered if the games, themselves, are insecure. It’s time for developers and publishers to get serious about security for the sake of their business and the mobile gaming industry as a whole.
Tom Tovar is CEO and co-creator of Appdome, the mobile industry’s first no-code mobile solutions platform.