
What Mobile Game Developers Need to Know About Protecting Their Apps

August 11, 2015 — by David Cole of DFC Intelligence

Faced with low production budgets and tight deadlines, many mobile game developers devote their scarce cash resources to marketing/discovery — but little or nothing to protecting their app from malware, IP theft and other security threats. Ironically, marketing a game actually helps make it even more vulnerable to hacking, because if it grows in popularity, hackers are much more likely to identify the game as a good candidate for exploitation. This puts mobile game developers in a Catch-22 position: If their game doesn’t earn much money or many downloads, it’s relatively safe from security breaches — but when it is successful, it becomes a target for malicious attacks which can undercut any revenue the game might have earned. DFC Intelligence founder and CEO David Cole explains more.




This is not just a problem for low-budget indie developers, by the way — colleagues in the mobile security industry tell me that they regularly encounter obvious security vulnerabilities in apps from major publishers and top tech companies.

In any case, the stakes have never been higher. Revenue from iOS and Android games is expected to reach $20 billion in 2015. DFC Intelligence forecasts that the mobile game industry could equal the revenue generated in PC and console games within 3 years. However, few mobile users actually pay for games. As discussed in our interview with Peter Dille of Tapjoy, advertising is becoming an increasingly important source of revenue for mobile games. Unfortunately, advertising can create even more opportunities for hackers.

To help developers better understand the security matrix they’re facing, here are some key points to understand:

The App Stores Are Not 100% Safe - Not Even Apple’s App Store

Thanks to Apple’s stellar reputation and the company’s rigorous app review process, many developers assume that their games are quite safe from tampering on the App Store. However, as security expert and SEWORKS CEO Min Pyo-Hong has written, iOS apps aren’t secure, with Apple’s review system a major vulnerability: “Unless a reviewer has infinite time to research every single app that has ever been submitted and published,” as he puts it, “it’s simply impossible to catch and filter out copycat apps… this process [also] misses a lot of hacked or cracked apps — a serious security liability for users, and a grave economic blow to honest app developers.” (DFC profiled Min last April.)




Security concerns are even greater on the Android platform, as most developers know, and existing solutions, even from Google, are far from perfect. Google Play does have a server-side malware scanner that reviews apps in Google’s store and third party stores. However, as Min recently told me, it is still far from thorough: “In repeated tests,” he said, “we have found that [Google Play’s scanner] doesn’t thoroughly block malicious apps. A few have been able to slip through the cracks, and malware developers can sometimes upload corrupted apps faster than Google can block them.”

Which takes me to our next point:




App Vulnerabilities Are Rampant

With app stores so insecure, it’s no surprise that the most successful apps (even from major publishers) face near-constant attack: Gartner Research estimates 75% of mobile apps fail basic security tests; according to security firm Arxan, 100% of top paid Android apps and 73% of free Android apps have been hacked. (iOS fares only somewhat better, with 56% of top paid iOS apps and 53% of free iOS apps successfully hacked.) Among the most rampant exploits is decompiling the mobile app to reverse engineer and extract the source code, then using the source code to produce copycat apps — commonly known as app piracy or app cloning.

Mobile Game IP Theft Isn’t An Asia-Only Problem

Another common misunderstanding among many developers is that game piracy is an “only in Asia” issue. And while it’s true that China and other major Asian markets must contend with a disproportionate threat level, it’s a mistake to think these problems will stay in Asia.




Mary Min, head of business development at SEWORKS (my fellow panelist at Casual Connect 2015’s session on this topic), recently explained it this way: “The first game to a new territory, copycat or not, becomes that territory’s ‘official’ version of a game. The trouble is, most games are usually first released to a limited number of countries.” Because of this, a copycat version of a Western game often gets launched in Asia months before the developer has the time to localize and launch the original title in that market. By then, however, the copycat may have already become extremely popular and earned a lot of revenue. So ironically, the late-to-market official game not only misses out on making that money, but is sometimes accused of being a pirated game!

Free and Financially Scalable Security Solutions Exist

The good news is there are a number of reliable and relatively economical security solutions on the market, many of which developers can implement with just a nominal amount of extra work or additional cost. Google offers a free obfuscator/packer for Android games, which most developers can install in a matter of hours; real-time verifications, which shield against IAP fraud, also take a few hours or days to implement at most. (Read Mary Min’s breakdown of vulnerabilities and their solutions here.) For added security, developers should strongly consider third-party security solutions, including mobile vulnerability analysis services (NowSecure, VeraCode, etc.), DexGuard, the paid version of Google’s free obfuscator/packer, or SEWORKS’ cloud-based SaaS. Whatever your choice, an investment in security is no longer a “nice to have” feature, but a basic cost of being in the mobile game business.
