5 Threats to Mobile Games and 5 Essential Security Measures

Gaming Means Mobile Gaming

With the rise in popularity, mobile games have become a massive target for hackers, and cybersecurity should be a priority for both developers and players.

However recent research shows that mobile games are still not well protected. This could be due to developers struggling to prioritize the long list of overlapping threats which must be mitigated, or concern around the possible negative impact of security solutions on customer experience.

This blog aims to address these challenges and simplify the problem, firstly by describing the top 5 major threats and then describing the top 5 mitigation strategies which every mobile game developer should put in place immediately to protect against these threats. In this way, developers can ensure a secure and enjoyable gaming experience for users. 

You can download our detailed Mobile Game Security Solution Brief, which provides further information on these threats and mitigation strategies and also covers more background on how to evaluate security solutions to ensure they support and enhance the gaming experience. 

What Are the Top Five Security Risks to Mobile Games?

Let's start by listing the five worst things that can happen to your mobile game and digging into each one: 

1. Personal Data Theft and Abuse

Mobile games often provide in-game currency and wallets and collect large amounts of personal and sensitive data. This makes them a prime target for hackers seeking to steal game assets or personally identifiable information (PII) such as usernames, passwords, and email addresses. Hackers can interfere with progress in the game and manipulate virtual currency. They can gain access to credit card details, bank account numbers, or other financial information stored within the game or on your device. This can lead to unauthorized purchases, fraudulent transactions, and even identity theft.

Personal information can also be leaked if game developers don't properly protect the databases and code repositories they use. Researchers discovered recently that Tap Busters: Bounty Hunters leaked user ids, usernames, timestamps, and private messages through unprotected access to Google Firebase. 

2. Illicit Copies of Games

Cloned or repackaged games pose a security threat because they allow hackers to exploit popular titles for financial gains. The clones may contain malware or other malicious code to allow them to access and illegally use personal data such as login credentials and financial information. Some copies of games encourage cheating and may introduce bugs and crashes, all of which have potential to derail the reputation of the game. 

Developers should, of course, implement robust code protection to protect games from code alterations or injection attacks.

3. In-App Purchase Fraud

In-app purchase bypassing is a serious threat as it leads to lost revenue. It also harms the integrity of the game and may reduce player engagement. As an example, fraudsters can create a guest account and then use a stolen credit card to level-up/buy digital goods or load the game virtual currency on the account. They then sell the account online and the buyer can link the account to their social media account in order to use it. This leads to direct loss of revenue for the developer as well as potentially chargebacks arising from the use of stolen cards. 

To ensure the security of an in-app purchase system, developers should use security measures such as server-side validation, encryption, app attestation and anti-tampering to detect any modifications to code or data.

4. Cheating 

Emulators can enable players to access mobile games on their PCs or laptops, offering a more comfortable and potentially powerful platform with better hardware and no battery issues. Some emulators also allow for automation of repetitive tasks, which might eliminate some more tedious aspects of games. 

However emulators can provide significant advantages in competitive games, especially when combined with keyboard and mouse controls or automated scripts. This can create an uneven playing field for mobile players using touch controls, leading to frustration for other gamers. Some emulator software even offers pre-built scripts or hacks that grant unfair advantages like wallhacks, aimbots, or infinite resources. This undermines the integrity of competitive gameplay and disrupts the balance for legitimate players.

In addition, using emulators can introduce security risks, especially when downloaded from untrusted sources. These emulators might contain malware or spyware that can steal personal information or compromise your device.

Developers employ techniques like server-side checks, anti-cheat software, and machine learning algorithms to defeat cheaters, but the battle is an ongoing one.

5. Stealing and Abusing Secrets from Mobile Games

We mentioned theft and abuse of personal data but one of the worst scenarios is the theft of secrets such as API Keys that can be reused by hackers to target backend services directly.  

Mobile apps are notorious for storing the keys in ways that can be easily accessed. Obfuscation can make it harder to extract secrets from source code, but hackers can get another opportunity to grab secrets at runtime by manipulating the app, the environment and/or the communication channel. 

The Tap Busters: Bounty Hunters leak which we mentioned previously also exposed some sensitive secrets including API keys which were hardcoded in the application's client side. 

Similarly a leak from the widely used Escalators game exposed some critical API Keys including  the Firebase URL and its key, as well as Google and Apple in-app payment API keys. While the API keys were obfuscated, the research team found instructions to deobfuscate the data online. 

Developers should use methods to keep secrets out of code and make sure they can be rotated easily if compromised.  

The Top Five Mitigation Strategies To Protect your Mobile Games

If you apply the following mitigation strategies you can block the threats highlighted above: 

1. Put Anti-Tampering in Place to Stop Client Manipulation

Anti-tampering can detect any unauthorized modifications on the client device, by using integrity checking, root detection, and emulator detection. Once it detects malicious activity, it activates a response, such as denying access or shutting down the app entirely. 

Anti-tampering can prevent cheating by detecting hackers trying to interfere with code to give themselves an unfair advantage in the game. It can also prevent hackers from bypassing the in-app purchase system or accessing personal data.

2. Use App Attestation to Defend Against Clones and Copies

App attestation makes it harder for hackers to clone app code. It detects at run time whether an app has been modified or repackaged, blocking access to APIs and backends from anything except unmodified genuine apps. 

3. Use Runtime Application Self Protection (RASP)

Protection against static attacks alone is not enough to fully protect your gaming app. You need to combine code protection with runtime protection for real-time monitoring, automatic blocking of malicious requests, and app-specific protection. 

Runtime protection provided by a RASP solution can monitor the device’s memory for known cheating tools or detect when a user is running a game in an emulator. It can also block malicious code and shut down the app to prevent vulnerabilities from being exploited. 

4. Protect the Communications Channel to the APIs

Mobile apps are particularly prone to Man-in-the-Middle (MitM) attacks even if TLS is used to encrypt traffic between the app and backend servers.  If an attacker has access to a mobile device they can use a MitM tool, such as ‘mitmproxy’ to intercept traffic. Attackers can manipulate traffic to and from the backend to steal data or keys, even if two-factor authentication is used. 

Certificate pinning is a solution which can protect the channel. Also, anti tampering and client integrity checks can prevent attacks on the device. 

5. Get Secrets out of your App Code 

Hardcoding sensitive data into the client side of a mobile app is unsafe, as in most cases, such data can be easily accessed through reverse engineering. The API keys used to authenticate and authorize access to backend services from mobile apps must be protected from being stolen and abused. Developers need to get secrets out of their code, and manage cryptographic keys securely and handle key rotation appropriately for ongoing security.

Approov Provides Easy, Fast, Effective Protection for Mobile Games

Approov provides mobile game developers and studios an easy way to stay ahead of mobile cheaters, hacks, and player emulator platforms. With Approov in place, you preserve fair play, secure private data, and protect company revenue streams. Approov mobile runtime application self-protection (RASP) protects your games with minimal impact to game development and no impact on game performance.

• Approov is 100% accurate and never creates poor user experience caused by security false positives. Over-the-air updates mean secrets and policies can be updated immediately without needing to update code and  deploy a new version of your game.
• Approov is simple to deploy and operate, providing immediate protection without the burden of complex security measures or excessive management overhead. Approov integrates easily into your DevOps pipeline for a streamlined workflow.
• As your user base expands, Approov ensures a seamless customer experience. It maintains optimal game performance, never obstructs legitimate users, and effortlessly scales to accommodate millions of users. 

With Approov in Place You Can: 

• Block Illegal App Copies: Approov app attestation blocks everything except your genuine and untampered mobile app, running in a safe environment, from accessing your backend API’s, so you can eliminate the threat of cloned and copied apps once and for all.
• Detect and Defend Against Cheating Tools and Emulators: Approov detects and defends against popular cheat engines and cheating apps, making sure your game works as intended.
• Detect Rooted, Jailbroken and Modified Devices: Approov protects  iOS, WatchOS, Android and HarmonyOS by detecting rooted or jailbroken devices as well as the presence of GameGuardian, Cycript, Cydia, Xposed, Frida, Magisk, Zygisk and others. You decide what is acceptable with a high level of granularity via over the air policy updates. 
• Protect Against Runtime Attacks on the Game: Dynamic instrumentation tools can tweak mobile games at runtime. Approov RASP attests the actual executing code, providing robust and continuous protection against any runtime tampering.
• Stop Man-in-the-Middle Attacks: Approov Dynamic Certificate Pinning protects from mobile Man-in-the-Middle attacks and makes it easy to manage and rotate certificates over-the-air.
• Prevent Exploitation of Secrets: Game developers need to get API keys and secrets out of app packages. Approov keeps API keys and certificates securely in the cloud, delivering them “just-in-time” only when app and device integrity checks are passed. You can rotate them easily and immediately via over-the-air updates. It also works for any third party APIs you use.

Conclusion: Now is the Time to Secure Mobile Games

The cybersecurity risks presented by the growth of mobile games are real and the consequences of lack of security are serious. Fortunately, game developers no longer need to decide between customer experience and security:  there are cost-effective security solutions which provide effective protection and are easy to deploy and manage.

Download the Approov Mobile Game Security Solution Brief to learn how to easily and quickly defend your mobile games from attack.

Schedule a demo today!