"The app stores don't really police themselves," says Jonathan Carter, technical director of Arxan Technologies.
"They're the wild west."
Specializing in run-time application self-protection for mobile, desktop, server applications, since 2001 Arxan has made security its business.
Now as scores of devs file past the company's GDC 2015 booth, Carter and the team are spreading the word about the scale of attacks being levvied against mobile games every day.
"In mobile, the hacker has access to the code the developers are using," Carter explains.
For example, attackers can reverse engineer a code and uncover the intellectual property written into that code. Consequently, intellectual theft and redistribution is becoming an increasing problem as thieves rip off a game and release it in the same store.
Tresspassers won't be shot
Additionally, "attackers can also modify the code of the game itself, so they may produce a cheat which is damaging to the brand of the game. Particularly in multiplayer, we've found that frustrated players will then walk away, resulting in revenue loss."
Carter explains that the key issue is reverse engineering and unauthorised modification stem from the fact that the developer has no control over the environment in which the application is running.
"Here's the reality," he says.
"If I'm an attacker and I want to distribute something via the legitimate stores, there are a number of ways to get around the protections.
"The App Store and Google Play provide tools that scan code and look for suspicious activity - attackers know this, and employ their own type of obfuscation to bypass the security. The same protective tools that we use to defend our games buy the hackers time for them to break in.
Developers should be deploying within their code some sort of run time detection capability around integrity violation.Jonathan Carter
"A lot of the time in security, we'll have legitimate features that get used in non-legitimate ways."
Before we don our tinfoil hat and retreat to the basement, Carter thankfully highlights a few ways though that developers can protect their games.
First, developers should apply a rigorous level of obfuscation, taking into account performance impact in sensitive time critical parts of their code.
Second, the name of the game is modification. Developers should be deploying within their code some sort of run time detection capability around integrity violation.
Pay attention to the details
In particular, Carter says devs should be detecting whether or not their code has been modified around licensing, ads, authentification, authorisation and other codes that store or transmit sensitive information.
"Frankly, most developers aren't even doing this," Carter scolds, "not even simple stuff.
"Devs should be taking any code written in Java and translating it to its native C equivalent. This will make it a bit harder to reverse engineer back to the source code by the attacker.
"They should be performing checksums against code ranges that store, transmit or process sensitive information."
But Carter acknowledges that a lot of the time, the lack of security in apps is not actually the developer's fault.
"A lot of the time builders are simply building to spec, and if security is not part of what they're told to build the system will be vulnerable. Devs must follow what they're told to build, so security must be included in the architecture and design process.
"Often development needs that need to be met are usability, performance, scalibility, maintenance and only then security. So there are many competing demands for developers attention, and in gaming particularly they're obsessed with speed.
"In those cases you need to fine tune and be judicious about where you're applying protection to your game - the areas that need it most."
