Remember Pokémon Go, the location-based augmented reality mobile game from Niantic Labs that became an overnight global sensation when it launched in 2016? Well, the game has had a record 2019 having surpassed its launch year in revenues, announced a live AR multiplayer feature, and, on a slightly dissonant note, sued an “association of hackers” for creating and distributing unauthorized derivative versions of the company’s mobile apps. Around the launch, we’d covered some of the app-related issues in some detail, and here’s a quick recap of the situation as a prelude to multiplayer mobile gaming security in 2020.
The staggered release of Pokémon Go meant that obsessive fans in as-yet unserved regions gravitated to repackaged apps. The relatively innocuous ones merely contained modifications to bypass in-app controls. However, the sheer demand for these apps also meant that unscrupulous actors were able to get players to download versions that had either been injected with Trojans and adware or, worse still, completely repackaged malicious apps with no Pokémon code whatsoever. These repackaged apps, however, do not automatically spawn any Pokémon in regions where the official app is yet to be launched. To get around this, players had to tamper with the app's API communications to spoof their location. At scale, the proliferation of repackaged apps and API abuse opens up a new vector for sophisticated DDoS attacks.
The Pokémon Go launch provides an illuminating snapshot of how mobile gaming apps can become the epicenter of a sequence of escalating security breaches. This is what the gaming industry has to contend with as the industry moves into mobile-first gaming mode.
Mobile games account for a whopping 45% of the $152 billion global gaming market, for nearly three-quarters of all global mobile app spend and for a third of all app installs. Revenue from this format already outstrips that from PC/Mac and home console gaming. And the popularity of mobile multiplayer games too is skyrocketing with these games currently accounting for 7 out of the top 10 grossing games in the App Store.
The massive shift to mobile gaming represents one of the most attractive attack vectors for cybercriminals. However, in some circles, the gaming industry still has a reputation for being a black hole for cybersecurity and/or relatively new to cybersecurity. And the extensive evolution of the gaming landscape in recent years, with the integration of cloud, mobile, streaming, and social networks, means that the industry now has to secure an attack surface far greater than it has ever been.
Security specialist McAfee’s latest mobile threat report has flagged 2020 as the year of mobile sneak attacks that will be increasingly difficult to identify and eliminate. For the growing mobile gaming industry, the primary challenge is to deploy a zero-trust mobile security strategy that thwarts malicious incursions without compromising the player experience.
Let’s refer back to the Pokémon Go launch to understand how some of the issues could have been addressed.
Take repackaged apps, for instance. Code obfuscation and app hardening techniques can certainly make it tougher to examine internal code/logic and reverse engineer apps. A far more effective approach is to remove API keys from the application code altogether, so that reverse engineering the app yields no key to extract. Instead, API keys are provided through a remote centralized service as and when they are needed.
In this approach, the management of API keys is centralized in a single proxy server that serves as a security layer that handles API requests and serves up the relevant keys for each requested API. This approach also provides the added benefits of simplifying app development and deployment, reducing app complexity, and eliminating issues around key renewal and revocation.
The only remaining concern is securing the API of the proxy server itself. This can be addressed by deploying a client-side solution that proves to the proxy that each request originates from a genuine, untampered instance of the app; this eliminates the issues related to static API keys even as it gives the proxy server a basis for validating the authenticity of apps and API requests.
In the gaming context, reverse engineered apps and abused APIs can lead to several dire consequences including account takeovers, stolen credentials, and hacks and cheats that can affect the user experience of regular players. However, these are just two threats out of many more that mobile game publishers have to address.
Take scripts, for instance, which allow players to automate the build-up of valuable game resources to establish a dominant position in the game. Though in the larger scheme of things this may seem like a victimless transgression, it is not. In multiplayer mobile games, where several players compete against each other in real-time in a complex and dynamic ecosystem, game manipulation can deliver an unfair and undeserved advantage to some players at the cost of the playing experience of others.
Over half of all gamers (60%) already feel that widespread cheating has impacted their multiplayer gaming experience and many indicate that some possible outcomes could be that they either purchase less in-game content (48%) or even entirely stop playing the game (77%). It, therefore, becomes imperative for game developers and publishers to address all exploits and modifications that impact paying customers and, eventually, their revenue streams.
And there is indeed a wide range of exploits, some unique to mobile gaming and others pertinent to the mobile channel, to be addressed such as account takeover, fake account creation, DDoS attacks, credit fraud, app impersonation, scraping, MiTM attacks, and API abuse.
Today, there are several off-the-shelf, comprehensive and robust mobile security solutions that game publishers can turn to without having to code every solution from scratch.
Consider all the gaming-specific threats and hacks that we have discussed so far, for instance. Today, there are multi-factor end-to-end mobile security solutions that offer an integrated and comprehensive approach to total threat protection for mobile gaming apps. Some of these solutions take an Identify-Verify-Certify approach to mobile security to ensure that no gaps or loopholes are left unaddressed. They identify the authenticity of running apps to ensure that they are not unauthorized or derivative and block API access to fake/tampered apps, along with botnets, scripts, etc., even if they present valid user credentials. They then verify that even authenticated apps are not running in compromised environments such as rooted/jailbroken devices, on debuggers/emulators, or utilizing malicious instrumentation frameworks. And finally, these solutions certify that apps are communicating securely with backend services with no possibility of MiTM intrusions.
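The following is an added illustration, not code from the original article or from any vendor it alludes to, of how the key-proxy approach described earlier and the Identify-Verify steps described here fit together: the app carries no upstream API key; it presents a short-lived attestation token, the proxy checks the token's signature, app identity and environment claims, and only then attaches the real key server-side. The HMAC secret, claim names and API key values are constructed placeholders; a production attestation service would sign tokens with its own key material and the device checks behind the claims are out of scope here.

```python
import base64, hashlib, hmac, json
from typing import Optional

# Constructed demo secret shared by the attestation service and the proxy (assumption).
ATTEST_SECRET = b"demo-attestation-signing-key"
# Upstream API keys live only on the proxy, never in the app binary (placeholder values).
UPSTREAM_KEYS = {"map-tiles": "UPSTREAM_KEY_PLACEHOLDER_1", "player-profile": "UPSTREAM_KEY_PLACEHOLDER_2"}
TOKEN_TTL = 300  # seconds; short-lived tokens limit the value of a captured one

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(claims: dict, now: int) -> str:
    """Stand-in for the attestation service: signs app/environment claims with an HMAC."""
    payload = {**claims, "iat": now, "exp": now + TOKEN_TTL}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(ATTEST_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"

def verify_token(token: str, now: int, expected_app: str) -> Optional[dict]:
    """Returns the claims if the token is authentic, unexpired and describes a clean environment."""
    try:
        body, sig = token.split(".")
        expected_sig = hmac.new(ATTEST_SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    # Identify: the token must be issued for the genuine app and still be valid.
    if claims.get("app") != expected_app or now >= claims.get("exp", 0):
        return None
    # Verify: reject attested-but-compromised environments (claim names are constructed).
    if claims.get("rooted") or claims.get("debugger") or claims.get("instrumented"):
        return None
    return claims

def proxy_request(api: str, token: str, now: int, expected_app: str = "com.example.game") -> dict:
    """Proxy decision: refuse untrusted callers; otherwise inject the upstream key server-side."""
    if api not in UPSTREAM_KEYS or verify_token(token, now, expected_app) is None:
        return {"status": 403}
    return {"status": 200, "upstream_headers": {"X-Api-Key": UPSTREAM_KEYS[api]}}
```

Because the key is only ever added by the proxy, a repackaged app or a script replaying valid user credentials still cannot reach the upstream API without a token the attestation service would not issue.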
Gaming companies have the internal technical resources to create solutions from the ground up for every one of these hacks. Until now, most build vs buy debates in the industry have been skewed towards the former based on the misplaced notion that off-the-shelf solutions do not address the unique security requirements of mobile gaming. But that has to change if gaming companies are to stay ahead of the constantly evolving nature of mobile threats.