5 App Security Tips for Game Developers

Video Game Cyber Security Testing Tips

Common Cyber Security Threats in Gaming Applications and Solutions

Securing a mobile gaming application can be a complex task. Threats vary with factors such as the type of game, the platform, the game architecture and more.

Game Content, Art, Code or Data can be Reverse-engineered, Modified, Repackaged and Brought to Market.

Take the example of a really popular game – Flappy Bird. In 2014, within a month of its launch, Flappy Bird became the top free game on the iOS App Store. Interestingly, the developers claim that they earned around £50,000 a day with in-app advertising and sales. Just one month later, 60 different Flappy Bird clones were added, every single day! Malware was also found in 79% of these clones.

Vulnerability in the In-App Purchasing System that Allows Hackers to Access Items for Free

In July 2012 there was a bug in Apple’s in-app purchasing system that allowed hackers to buy the game’s currency and other items for free. This resulted in 8.4 million fake purchases being made through just one hacker website! It was known that over 115 games were affected, including many of the top games of the time such as Fruit Ninja, Temple Run and Plants vs. Each of these fake purchases would normally have cost between £0.99 and £99.99. The total loss of revenue was estimated at £8.3 to £840 million!

There are dozens of third-party app stores around the world specifically for Android apps. In many cases, app developers work with these third-party app stores to host their apps and generate revenue. Some of these app stores end up hosting pirated versions of applications that people download. This not only denies the actual application developers any revenue, but most of these applications also contain malware, which also leads to a bad reputation.

Several mobile game developers have reported piracy rates of 90% or more for their games. Most of the piracy is reported from China and Russia.

What About Penetration Testing & Ethical Hacking?

The number of hacker attacks on mobile applications, and especially on games, is increasing. Most developers of mobile games have not yet grasped the long-term impact this can have on sales, brand reputation and operational cost for the business. The cost of security testing web applications, for example by cyber security companies like Aptive who perform pen testing, is a fraction of the potential loss of revenue from the web / mobile application or game being exploited by a real hacker.


Appknox specializes in mobile security. Let Appknox help you in providing better security for your work.

Appknox can do the following:

  • Check the in-app purchasing services of third parties like PayPal, Freecharge, etc. and see whether they are correctly implemented.
  • Find vulnerabilities that allow users to skip levels, make free purchases, disrupt normal game play, etc.
  • Advise on how to take the right security measures to prevent damage.
  • Check whether the security mechanisms you have implemented are working correctly.


As you know, the gaming industry has become one of the biggest businesses in the world – even bigger than Hollywood. The gambling industry generated revenues of about £93 billion in 2014, which are expected to increase by 9% to about £111 billion by 2015.

If we call ourselves gamers, the credit goes to all these developers of mobile games. One of the segments to keep an eye on is mobile games. Since 2009 the number of mobile users has grown exponentially, which is why mobile gaming has surpassed many other platforms, including the long-time #1 highest-grossing gaming peripheral, the PC. While all of this sounds great, mobile game developers who want to stay in this market need to understand that their share of the pie is also at risk.

Loss of Revenue through Mobile Hacking

In the rush to bring apps to market, most of these developers keep security in the back seat instead of using development frameworks like the OWASP security testing methodology for video games. Often the time to market is everything to them, and that can prove costly. A few real-world examples show how mobile game developers have lost 50% or more of their potential revenue through hacking.

Real Life Example: Monument Valley app

Monument Valley is a paid mobile game available on iOS, Android and also on Amazon Kindle for £3.99. It is an excellent game with brilliant graphics that has earned them many awards, such as the Apple iPad Game of the Year 2014 and the Unity Awards for Best 3D Visuals 2014.

In a statement by mobile game developers, Monument Valley was said to have been installed on 10 million devices, but only 2.4 million copies were actually sold. Moreover, only 5% of installations on Android and 40% of installations on iOS were paid!

In an infographic released by the developers, the company reported 2.4 million sales, representing £5.8 million in revenue. Assuming that everyone who bought this product has installed it on at least two devices, that still leaves about 5.2 million installations that are not billed! That’s 6.3 million dollars in lost revenue!

Cyber Security Tips

Think Safety on a Daily Basis

Well, the first and most important safety tip is to think about safety every day. Michael Dell said in 2014 in a statement that “safety must be something you do every day”. It’s important to think about how hackers can exploit the design and architecture of your game from day one. It’s easier both in terms of time and money if you take care of it early.

Using Intrusion Detection and Obfuscation Techniques

Look at how you can protect important game values and your checks for out-of-bounds values with obfuscation and detection techniques that make it difficult for hackers to access and control them.

Developers need to consider what game features hackers will want to attack. In making this consideration, consider which gameplay features can remain on the server and which must remain on the client, in whole or in part.
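One way to keep important game values on the server and check client reports for out-of-bounds values, as an added example that is not code from the original article. The rule constants, `PlayerState` and `apply_update` are hypothetical names and values chosen for illustration.

```python
from dataclasses import dataclass, field

# Assumed game rules (hypothetical values chosen for this example).
MAX_COINS_PER_SECOND = 5      # fastest legitimate earning rate
MAX_BALANCE = 1_000_000       # hard cap on stored currency


@dataclass
class PlayerState:
    """Authoritative state kept on the server, never taken from the client."""
    level: int = 1
    coins: int = 0
    last_update: float = 0.0
    flags: list = field(default_factory=list)


def apply_update(state, claimed_level, coins_earned, now):
    """Validate a client progress report; return True if it was applied."""
    elapsed = now - state.last_update   # 'now' is server time, not client time
    problems = []
    if elapsed <= 0:
        problems.append("non-monotonic timestamp")
    if not isinstance(coins_earned, int) or coins_earned < 0:
        problems.append("coins_earned out of bounds")
    elif elapsed > 0 and coins_earned > MAX_COINS_PER_SECOND * elapsed:
        problems.append("coins earned faster than the game allows")
    elif state.coins + coins_earned > MAX_BALANCE:
        problems.append("balance above cap")
    if claimed_level not in (state.level, state.level + 1):
        problems.append("level skipped or rewound")
    if problems:
        # Keep the evidence for detection and leave the state untouched.
        state.flags.append((now, problems))
        return False
    state.level = claimed_level
    state.coins += coins_earned
    state.last_update = now
    return True


if __name__ == "__main__":
    player = PlayerState()
    # Constructed reports: (claimed_level, coins_earned, server_time)
    for report in [(1, 40, 10.0), (2, 50, 20.0), (5, 10, 30.0), (2, 999_999, 31.0)]:
        print(report, "->", apply_update(player, *report))
```

Rejected reports are recorded in `flags` rather than silently dropped, so repeated out-of-bounds submissions from one account can feed a detection rule.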

Preventing Piracy by Adding a Line of Defence

Although this is the most difficult part, piracy can be largely controlled with a few methods. Add server-level authentication before players can log in and play. Add a method that requires the client to download something from the server that is needed to play. Finally, add protection at the network layer, storage layer, and disk layer of the game for the part of the code that is responsible for authentication.
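The first two measures above can be combined: the login server issues a signed, short-lived play ticket, and the content server hands out the data a level needs only to ticket holders. This is an added sketch, not code from the original article; the key, the lifetime, the claim names and the `layout_seed` payload are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key for the example; a real server loads it from a secret store.
SERVER_KEY = b"example-only-key-not-for-production"
TICKET_LIFETIME = 300  # seconds, an assumed value


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_ticket(account_id, device_id, now=None):
    """Called after the player has authenticated with the login server."""
    now = time.time() if now is None else now
    claims = {"acct": account_id, "dev": device_id, "exp": now + TICKET_LIFETIME}
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return payload.decode() + "." + _sign(payload)


def verify_ticket(ticket, device_id, now=None):
    """Return the account id if the ticket is valid for this device, else None."""
    now = time.time() if now is None else now
    try:
        payload, signature = ticket.rsplit(".", 1)
        # Constant-time comparison; the payload is parsed only after it verifies.
        if not hmac.compare_digest(_sign(payload.encode()), signature):
            return None
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, AttributeError, TypeError):
        return None
    if claims["dev"] != device_id or now >= claims["exp"]:
        return None
    return claims["acct"]


def fetch_level_data(ticket, device_id, level, now=None):
    """Serve the server-side data a level needs only to ticket holders."""
    account = verify_ticket(ticket, device_id, now)
    if account is None:
        raise PermissionError("valid play ticket required")
    # layout_seed stands in for whatever content the client must download.
    return {"account": account, "level": level, "layout_seed": level * 7919}
```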

About the author

    Terry O'Neill

    I have been skating since childhood, and grew up playing Tony Hawks pro skater on the PS1, and a bit of 1080 snowboarding back in the N64 days! When I'm not gaming I can be found skating, surfing or snowboarding...
