This is a story about a developer who was using the Apple store for his in-App purchases when he first went live with his game. After the first day, his logs said that he had made over $1000 in sales, but when he checked Apple’s store reports, they said he had only made a couple of dollars! What had happened was that several users had hacked his game, unlocking all the in-App purchases they could find. By the time the developer realized that he had been the victim of fraud, he was already disheartened. This happened with his first SPG (single player game); his next upgrade was to make it multi-player so that the game would become more popular through added competition. In multi-player competitive games it is especially important to know that users are not able to hack their way into the game’s local files. Without fraud prevention and cloud security, how can any designer claim that they care about competition?
Fighting In-App Purchase Fraud
Some gaming experts believe there’s no reason to fight fraudulent exploitation of files in single player mobile games. I disagree. First and most importantly, I think building interpersonal competition and sharing favorite games starts with SPGs. I think that it is more commonplace to find mobile gameplay talk occurring in offline discussions than in the ones you see online. What do I mean by that? I believe that a lot of game talk is shared between people personally, face to face, in social settings.
The kind of social interaction I’m talking about here is a meaningful sharing of experiences from person to person. How do I know that my sister reached the 190th level in the game Candy Crush Saga? Well, I didn’t hear about it on Facebook. She told me what level she reached. But if I were to ever find out that she did it because someone out there showed her the cheats to get around gameplay obstacles, I would be less enthusiastic to take up the challenge and try to beat her score. The whole point of playing is to be the best, and this can only be true in a game economy that cannot be hacked.
Another issue related to fraud prevention has to do with the distribution of virtual wealth in your game’s economy. People often believe that it’s more fun to play a game when all the features are unlocked, that it somehow would be better if they could play unhindered. In reality, however, whenever a player hacks a game and unlocks its virtual economy, the challenge of playing is lost. Hacks like these remove the immovable obstacles and take all the fun out of playing. The best designed games are ones that have built-in features which provide players with challenges that are long lasting and indefinite. Removing sinks or creating unending pools of coins upsets the balance of the game, no doubt making it less enjoyable.
Game hacking also messes up your analytics, filling your data with inaccuracies about user behavior. Such falsities might cause you to make poor decisions about balance or cause errors in judgment about user acquisition. And errors like these can get very expensive.
2 Ways Games are Getting Hacked
When Users Learn How to Fake an In-App Purchase
It’s easy for some people to trick the game into assuming that it’s communicating with Apple’s servers when it’s not. Even though this technique requires a high level of expertise, there are several hacking services that exploit the backdoor vulnerabilities that all games have. Every game is a potential victim of attacks on its infrastructure. Hackers develop new programs and share them with others, and these are used by millions of users every day to hack the local files of their mobile devices. One such source is IAP Cracker, but there are many more out there.
Users Learn How to Overwrite the Store’s Balance file
This one depends more on the app’s overall architecture and development, because every game stores its economic balances in its own unique way. Rather than using any names you might recognize, let’s just say that you may have seen some videos on YouTube about how to crack some of the more popular mobile games out there; all of these overwriting hacks seem to be based on the same method. Users first find a way to access the system files of their mobile device and then try to figure out which files hold their game balance. Then they work out how the file is built and, with a certain amount of persistence, try modifying the settings file or replacing it altogether with a completely different one. If they succeed, they publish a video tutorial on YouTube to show others how they hacked the game.
Ways to Prevent Hacking and Fraud
My calculated guess is that most in-App hacking happens on already unlocked mobile devices, iPhones that are jailbroken (Apple) or smartphones that have been rooted (Android), or on poorly developed mobile games that lack any backend security whatsoever. This claim is not based on data but simply on the fact that most of the hacking methods rely on having access to the device’s operating system and file system.
The good thing is that most mobile phones haven’t been rooted or jailbroken and don’t provide easy access to the lower levels of the device’s infrastructure, which makes it harder for users to mess around with store-bought devices. However, neither Google nor Apple has so far been able to prevent users from getting through to the device’s infrastructure level, and either way I wouldn’t rely on them ever being able to stay ahead of all the hackers out there.
Use a Server to Protect in-App Purchases
Perhaps the best way to avoid hack attacks is to use a server to protect your game. While this is a good beginning, it’s certainly not enough to protect you from every future hacking technique and exploit.
How Server Verification helps
Server-side verification can be used to eliminate some of the above examples of fraud, but probably not all of them. Specifically, server-side verification does not protect the game’s local system files from being tampered with. In other words, server-side verification, no matter how robust and secure, is not enough on its own.
Detecting in-App Purchase Hacks
The next step is to figure out how to detect in-App purchase hacks. To do this, you first need to implement server-side verification. Both Google and Apple provide an easy to use tool for verifying your in-App purchases. Server verification works like this: the store sends the client a receipt; the client forwards that receipt to your own server, which in turn verifies the in-App purchase with Google Play or iTunes (I explain this in greater detail here).
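As an added example (not code from the original post, and not Apple’s or Google’s own API), here is the shape of the server-side check described above. The store call and its response fields are an assumed interface, injected as a function so the code runs offline; the checks the server makes before it credits anything (the store says the receipt is valid, the receipt belongs to this app, the product is one you actually sell, and the transaction id has not been redeemed before) are the ones that stop a client from faking or replaying a purchase.

```python
"""Added example (not from the original post): the server side of in-App purchase
receipt verification. The client never decides whether a purchase is valid; it
only forwards the store receipt, and the server credits the item after the store
confirms it. The store call (`store_check`) is injected so this runs offline; the
response shape below is an assumption, not Apple's or Google's real API format.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Set

EXPECTED_BUNDLE_ID = "com.example.mygame"            # assumption: your app's bundle/package id
KNOWN_PRODUCTS = {"coins_100": 100, "coins_1000": 1000}  # assumption: product id -> coins credited


@dataclass
class VerificationResult:
    ok: bool
    reason: str
    coins_granted: int = 0


@dataclass
class PurchaseServer:
    # store_check(receipt_blob) -> dict in the assumed shape:
    #   {"valid": bool, "bundle_id": str, "product_id": str, "transaction_id": str}
    store_check: Callable[[str], Dict]
    balances: Dict[str, int] = field(default_factory=dict)
    seen_transactions: Set[str] = field(default_factory=set)

    def redeem(self, user_id: str, receipt_blob: str) -> VerificationResult:
        try:
            resp = self.store_check(receipt_blob)
        except Exception as exc:  # store unreachable: fail closed and credit nothing
            return VerificationResult(False, f"store unreachable: {exc}")
        if not resp.get("valid"):
            return VerificationResult(False, "store rejected receipt")
        if resp.get("bundle_id") != EXPECTED_BUNDLE_ID:
            # a genuine receipt for some other app must not unlock anything here
            return VerificationResult(False, "receipt belongs to another app")
        product = resp.get("product_id")
        if product not in KNOWN_PRODUCTS:
            return VerificationResult(False, f"unknown product {product!r}")
        tx = resp.get("transaction_id")
        if not tx or tx in self.seen_transactions:
            # one real receipt submitted over and over is credited only once
            return VerificationResult(False, "transaction already redeemed")
        self.seen_transactions.add(tx)
        coins = KNOWN_PRODUCTS[product]
        self.balances[user_id] = self.balances.get(user_id, 0) + coins
        return VerificationResult(True, "ok", coins)


# Constructed fake store for offline use: a receipt is valid only if it is in this table.
FAKE_STORE = {
    "rcpt-001": {"valid": True, "bundle_id": EXPECTED_BUNDLE_ID,
                 "product_id": "coins_100", "transaction_id": "tx-1"},
    "rcpt-002": {"valid": True, "bundle_id": "com.example.otherapp",
                 "product_id": "coins_1000", "transaction_id": "tx-2"},
}


def fake_store_check(receipt_blob: str) -> Dict:
    return FAKE_STORE.get(receipt_blob, {"valid": False})


def demo():
    """Run the four cases a purchase server sees most: genuine, replayed, wrong app, forged."""
    server = PurchaseServer(store_check=fake_store_check)
    results = [
        server.redeem("alice", "rcpt-001").ok,       # True: genuine receipt, first use
        server.redeem("alice", "rcpt-001").ok,       # False: same transaction replayed
        server.redeem("bob", "rcpt-002").ok,         # False: receipt is for another app
        server.redeem("bob", "forged-receipt").ok,   # False: the store does not know it
    ]
    return results, server.balances


if __name__ == "__main__":
    print(demo())
```

The important design choice is that the device only carries the receipt; every decision about what it is worth happens on a machine the player cannot edit, and the server fails closed when the store cannot be reached rather than trusting the client’s claim.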
Monitoring any Irregular Activities
The best way to prevent hacking is to monitor your statistics and look for any irregular activity related to your in-App purchase transactions. A simple comparison can be made between the transaction reports provided by Apple and Google and a report from another analytics provider. Then you can isolate all the instances where purchase transactions appear in your logs but aren’t counted as purchases by the store. Once you find a few suspicious transactions, you can look up the logs for the users you’ve flagged and search for additional patterns of behavior that commonly indicate fraudulent activity.
There are three common indicators of fraud:
- Several purchase transactions from the same download with no activity or time in between them
- When over $50 worth of purchases are made by a given user in a single day
- Balance change greater than the largest amount of coins available for purchase
This is just to start you off. If you use a separate analytics log you will be able to find even more patterns of behavior. Create filters for these behaviors so that they get flagged automatically. I recommend that you set up broad conditions for your filters at first, let them send any anomalies found to you automatically, and then manually review the shortlist the filter produces (upwards of 20 flags per day is perhaps still manageable). If you find yourself reviewing a lot of instances that turn out to be legitimate purchases, you can always narrow your filter’s criteria, and tweak it whenever your list gets too long to review quickly.
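As an added example (not from the original post), the following script does the store-versus-log comparison and applies the three indicators above as automatic filters, producing the kind of daily shortlist described. The log entries and the store report are constructed sample data, and the field names and thresholds (30 seconds between purchases, $50 per day, the largest pack you sell) are assumptions you would tune for your own game.

```python
"""Added example (not part of the original post): cross-checking your own purchase
log against the store's transaction report and applying the three indicators
above as automatic filters. Log entries and the store report are constructed
sample data; field names and thresholds are assumptions to tune per game.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

LARGEST_PACK_COINS = 1000                           # biggest coin pack you sell (assumption)
DAILY_SPEND_LIMIT_USD = 50.0                        # "over $50 ... in a single day"
MIN_GAP_BETWEEN_PURCHASES = timedelta(seconds=30)   # "no activity or time in between"


def _purchase(user, tx, usd, ts, coins_delta):
    return {"user": user, "tx": tx, "usd": usd, "ts": ts, "coins_delta": coins_delta}


# Constructed analytics log: what *your* servers recorded for each purchase event.
ANALYTICS_LOG: List[Dict] = [
    _purchase("u1", "t100", 0.99, "2014-03-01T10:00:00", 100),    # ordinary purchase
    _purchase("u2", "t200", 9.99, "2014-03-01T11:00:00", 1000),   # three packs in four seconds,
    _purchase("u2", "t201", 9.99, "2014-03-01T11:00:02", 1000),   # none of which the store billed
    _purchase("u2", "t202", 9.99, "2014-03-01T11:00:04", 1000),
    _purchase("u3", "t300", 0.99, "2014-03-01T12:00:00", 50000),  # real purchase, absurd balance jump
] + [
    _purchase("u4", f"t40{i}", 9.99, f"2014-03-01T{13 + i}:00:00", 1000)  # six real purchases, $59.94/day
    for i in range(6)
]

# Constructed store report: the transaction ids the store says it actually billed.
STORE_REPORT: Set[str] = {"t100", "t300"} | {f"t40{i}" for i in range(6)}


def flag_purchases(log: List[Dict], store_report: Set[str]) -> Dict[str, List[str]]:
    """Return {user: [reason, ...]} for every user who trips at least one filter."""
    flags: Dict[str, List[str]] = defaultdict(list)
    by_user: Dict[str, List[Dict]] = defaultdict(list)
    for entry in log:
        by_user[entry["user"]].append(entry)

    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])        # ISO timestamps sort correctly as strings
        spend_per_day: Dict[str, float] = defaultdict(float)
        prev_ts = None
        for e in events:
            ts = datetime.fromisoformat(e["ts"])
            # Reconciliation: logged as a purchase, but the store never billed it.
            if e["tx"] not in store_report:
                flags[user].append(f"{e['tx']}: logged but absent from store report")
            # Indicator 1: back-to-back purchases with no time in between.
            if prev_ts is not None and ts - prev_ts < MIN_GAP_BETWEEN_PURCHASES:
                gap = (ts - prev_ts).total_seconds()
                flags[user].append(f"{e['tx']}: only {gap:.0f}s after previous purchase")
            prev_ts = ts
            # Indicator 3: balance grew by more than any pack you sell could explain.
            if e["coins_delta"] > LARGEST_PACK_COINS:
                flags[user].append(
                    f"{e['tx']}: balance jumped by {e['coins_delta']} coins, larger than any pack")
            spend_per_day[ts.date().isoformat()] += e["usd"]
        # Indicator 2: more than the daily limit spent by one user in one day.
        for day, total in spend_per_day.items():
            if total > DAILY_SPEND_LIMIT_USD:
                flags[user].append(f"{day}: ${total:.2f} spent in one day")
    return dict(flags)


def review_shortlist(flags: Dict[str, List[str]], limit: int = 20) -> List[str]:
    """Users ordered by how many filters they tripped, capped at what you can review by hand."""
    return sorted(flags, key=lambda u: len(flags[u]), reverse=True)[:limit]


if __name__ == "__main__":
    found = flag_purchases(ANALYTICS_LOG, STORE_REPORT)
    for user in review_shortlist(found):
        print(user)
        for reason in found[user]:
            print("   ", reason)
```

Run on the sample data, u2 tops the list because it trips two filters on three transactions, while u3 and u4 each appear once; u1 never appears. Narrowing the filter later, as the post suggests, is a matter of tightening the three constants at the top rather than rewriting the logic.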
What to do when you find someone suspected of hacking your game
When you find users engaging in fraudulent activity, you can choose your own course of action. Besides removing the fraudulent activity from your view of the analytics data, you can sanction hackers further by removing their balances or even banning them from your game.