Mobile games are certainly among the favorite apps of smartphone users. The size of the industry is so huge that by the end of 2019, the global gaming industry was worth $152 billion and 45% of this revenue, i.e. $68.5 billion, was coming from mobile gaming itself. Due to an unprecedented rise in the number of smartphone users, this rapid growth in the mobile gaming industry seems to be justified too.
While all of this sounds pretty charming, the gaming company owners and developers must also accept the fact that there lies the obvious threat of cybersecurity. In fact, the risk is so huge that the entire gaming industry reported almost 12 billion credential stuffing attacks between November 2017 and March 2019 alone. Despite these alarming statistics, most mobile game developers don’t realize how much impact these security risks can have on their overall revenue and brand reputation.
So, let’s take a look at some of the major security threats the mobile gaming industry is facing right now and what developers can do about it.
Common threats in Gaming Apps & Solutions
When it comes to gaming applications, they have a rather expansive threat landscape owing to the variety of gaming platforms and complex architecture. That is why securing a gaming application can be a huge challenge. Let’s take a look at some of the threats:
1. Reverse Engineering and Malware
The games which receive much higher popularity than the others are also more vulnerable to reverse engineering attacks and malware infection. The underlying art, game assets, code, and data assets of the game can be reverse-engineered by the hackers and repackaged to be launched in the market as a clone. Most of these cloned games are infected with malware too and would indirectly impact the reputation of the original game.
A game called Flappy Bird was introduced in the Apple App Store in 2014 and very soon after the launch, it became one of the top free games in the store. Developers claimed that they were making around $50,000 from only sales and advertisements each day. Surprisingly, after a month, there were 60 or more clones of the game being added to the store each day and most of them were infected with malware too.
2. Flaws in the In-App Purchasing System
While most of the mobile games rely on in-app purchases for their wholesome revenues, most of these purchasing systems have serious security flaws which allow hackers to gain access to add-on items and gaming functionalities for free. In fact, in 2012, one flaw in Apple’s in-app purchasing system allowed threat actors to make 8.4 million false purchases. Over 115 games were affected due to this flaw and the resulting revenue loss was somewhere between $8.3 million to $840 million.
3. Piracy and Unauthorized Installations
There are tonnes of third-party stores for mobile apps around the world and most of them offer Android apps. App developers are generally lured by these app stores so that they could cash in higher revenues. What happens, in reality, is that these untrusted app stores also host the pirated or cloned versions of the apps (especially games). These fake apps not only contain malware but also deny any revenue to the actual game developers. Some mobile game developers have reported piracy rates as high as 90% for their games.
Now that we understand what the underlying security risks are, we must also know what steps must be taken in order to secure the mobile gaming apps. So, let’s take a look at them.
4. Secure Your Code
Unchecked code leads to mobile malware infecting the application infrastructure. This causes bugs and vulnerabilities in the game and often this point is neglected by the developers. Recently, Infosecurity Magazine published a report stating that malicious code is infecting more than 11.5 million mobile devices at a given time and the numbers are likely to increase manifold in the upcoming future.
Developers should thoroughly evaluate their code in order to detect and respond to the vulnerabilities. This would immune their gaming apps against the existing security threats like injection attacks and reverse engineering and surely prevent malicious apps from being circulated in the market.
5. Ensure the Security of the Device
Equally important to secure code is the security of the underlying device. Depending on the application infrastructure, the developers need to come up with ways to check and ensure the security of the host device. One of the primary things a developer should check is whether the app sandbox is intact in the mobile’s operating system or not. The devices which have been rooted pose a great threat as their security model might have been disrupted due to jailbreaking.
Hackers could also utilize the excess permissions given to apps and push their malware to gain basic accesses like SMS and contacts and use them for fraudulent activities. Overall, the security of your gaming app also relies on the level of security which is maintained by the users on their devices.
6. Securing Payment Gateways
Even the slightest of the errors in your in-app purchase system can result in the loss of millions of dollars for your business. You can set up intrusion detection on the perimeter in front of your application backend to identify critical points in your payment system and also use code obfuscation techniques to make it difficult for the hackers to gain access to your systems.
These moves will not only secure your payment system but also give you ample time to react in case of a breach. Since even obfuscated code can be decoded by modern automated tools, it would be a better practice to use clean programming techniques and rely on proper application infrastructure.
7. Monitoring App Security in Real-Time
It is a known fact that a gated and guarded building is safer than a locked building. Similarly, it is advisable to install a motion detection system around your application infrastructure in order to get alerts for potential threats. The field of real-time security analysis is relatively new but enables developers to track attempted attacks on their application and also their origin and frequency.
Now it is a relief that you are planning to monitor the safety of your application in real-time, but what about the other components of the security infrastructure? Without a doubt, the server-side of the system should be protected with security software and firewalls; and client-server communications should be made via SSL and other safer methods. Because access to all the server-side data happens through the client-side, the same protection implementation should be done for the client-side of the application too.
8. Preventing Memory Hacking
The strategy adopted by free-to-play games is to introduce in-app purchases of certain items which enable players to perform better or pass certain obstacles faster. Memory hacking simply isolates the storage point of these items and gives the hacker access to unlimited in-game cash or gold.
In most of the mobile games, the actions performed by a player are recorded on the local device itself and batched up before being transmitted to the server. This prevents network lag and makes the gaming experience better. This enables hackers to use memory hacking tools and target the item batches and attach a modification tool to gain access to the app’s memory and sometimes in-app payments.
However, this can be prevented by detecting any attempt of external memory modification and responding to it. This is either possible if the developer is able to create some memory hacking prevention measure in the game itself or the other option is to go for commercially available tools. Since commercial solutions are equipped with more resources and spend more time on research, they should be a more viable option in this scenario.
9. Secure Your Servers
Most of the expert game designers suggest that online gaming servers are the softest targets for hackers. They are mostly targeted because of the volume of sensitive data they hold. That is why it becomes essential to place all the required safeguards like firewalls, QA tests, intrusion detection systems etc. on your gaming servers. The fact that the security of servers is as important as the game application itself can’t be ignored on any level.
10. Adopt Penetration and Vulnerability Testing
When it comes to mobile game development, you must know how to secure that data of your users and also find loopholes and vulnerabilities that might lead to security incidents. And penetration testing is one of the best ways to do that. It helps you outline the weak points in your application and also helps you prepare your defenses to secure those weaknesses.
When it comes to security, the gaming industry is slowly becoming the primary target of hackers. Most of the gaming businesses are constantly under the pressure of delivering new games and updates at an unprecedented speed in order to maintain their business share in the market. This has led to numerous security issues and vulnerabilities, in fact, more so than in other business verticals, for hackers to target and exploit.
However, with the help of the solutions mentioned above and the assistance of security service providers like Appknox, you can definitely stay assured that your gaming application’s security lies in safe hands. Appknox can check if your third-party in-app purchases like PayPal, UPIs, and others are perfectly integrated. It can also check for vulnerabilities through which users can make free in-app purchases, skip levels, or disrupt normal gameplay. Moreover, you get all the expert advice regarding the correct security steps to take and avoid damage.