Security is a big deal. Security issues touch all of our lives in many ways, whether we’re changing many passwords with a sigh because of the Heartbleed vulnerability, or replacing our plastic with a snarl because Target, Michaels, Neiman Marcus and others had their point-of-sale systems hacked and millions of credit card accounts compromised. The list of such breaches and hacks in recent years could go on and on.
For many gamers, their first experience with security issues in games was dropped into their lap three years ago, when Sony suffered a recurring and broad intrusion into its PlayStation Network and Sony Online Entertainment accounts. Sony endured weeks of downtime and a PR hit, and spent an estimated $170 million covering the costs of the hack.
With mobile games, and smartphone/tablet use overall, on the rise as a market segment, a reasonable question is how to keep mobile games (and all apps, really) secure. In fact, it’s not hard to see how malicious apps are already affecting gaming and gamers; one case is the recent proliferation of malicious Flappy Bird clones that arose after the game was officially taken down by its creator.
Min Hong, CEO of SEWorks, will be discussing the always timely topic of application security for game developers at LOGIN 2014. Before he speaks at LOGIN 2014, we chatted with Min to get his perspective on the topic and his upcoming talk.
Events for Gamers: Min, you’ve had an interesting career that’s taken you through several segments of the security industry. How did your path ultimately lead you to starting SEWORKS?
Min Hong: I’ve been interested in computers and programming since I was fourteen. In 1998 I founded WOWHACKER, a group of programmers focused on security research and hacking prevention, which I lead to this day. After college, I went to work as a security researcher for 6 years before starting SHIFTWORKS, a security software company that was acquired by Infraware. SEWORKS is my latest startup, and we decided to focus on mobile security solutions. The world of mobile is still new and growing, and we have found that security practices and solutions are not as prevalent in this relatively young industry. So we decided that we’d apply our expertise and experience in creating simple security tools for developers on this platform.
E4G: As mobile becomes a bigger player in BYOD (bring your own device) in the enterprise and as a platform where more leisure time is spent, there’s a proliferation of security companies addressing a wide range of security issues in mobile. What do you feel differentiates SEWORKS from the other players in the field?
Min: At our company’s core we are engineers and builders with extensive experience in the security field. Some of us have been working together for over 14 years, and the passion we have for our work is reflected in what we make. We create products that we would use for ourselves, so making sure that they are easy to use and effective against the latest security threats is our highest priority. Our Android security solution Medusah (www.medusah.net), for example, is the only one available in the market that offers 1) anti-decompile protection, 2) requires no integration with your app, 3) doesn’t affect app performance, and 4) obfuscates on the binary level. This is a huge plus for companies as it requires no extra work for engineers. It is simple, elegant and fast in stopping the threat at the initial point of entry. Our core development philosophy is to ensure as little work on the developer side as possible while producing optimal results.
E4G: In the mobile space on the development side, which market segments (enterprise, productivity, gaming, etc) do you believe to be more security conscious and which segments are most in need of keeping up with the evolution of threats on mobile?
Min: The enterprise sector is more active in employing security measures. Since they deal with big data and a lot of sensitive information, they tend to be more aware and active in ensuring the security of whatever they need to protect. For example, there are a lot of consumer-facing security solutions (anti-virus apps) or solutions that help to protect your app environment, or help to secure your data.
I’ve found gaming companies in Asia, particularly Korea and China, are more open to using security solutions. Perhaps it’s because they have years of experience in dealing with fraud and hacking attempts from the PC-based MMORPG and web game days, but overall they seem to be more active in seeking out and implementing security measures.
Some developers we have talked to in the US are employing some security practices, like performing server checks for every single transaction or action that happens in a game. That can slow down your app (leading to user frustration and churn), and eat up a lot of data. Frankly, it doesn’t lead to the most optimal gaming experience out there.
E4G: What security threats do most game app developers dismiss or miss altogether in their development process, and why do you think they should be concerned about them?
Min: People tend to overlook or dismiss the fact that your app can be decompiled, exposing the source code and libraries. They say “It’s ok, because we store all the important data on the server anyway.” But because of the nature of Android and the Java language, when your source code is exposed, you have a lot of problems to deal with. Your public key can be leaked, ad-supported free games can have their ad network codes swapped out or deleted to “ad free” versions, etc. With free-to-play games, sometimes server verification won’t work correctly so people can use tools like Freedom to bypass the purchase flow and mimic an in-app purchase, tricking your server into thinking that a valid transaction has been made. Some good practices include detecting client tampering, monitoring the status of your app, and making sure your source code does not get exposed.
E4G: What do you feel is the best way to integrate security considerations in the app development process from the ground up?
Min: While integrating a source code obfuscation solution (ProGuard, etc.) in the earliest stages of app development can help, it isn’t entirely bulletproof. Obfuscated source code can be recovered with simple scripts that are available. Source code level obfuscation is good, but it’s better if you can 1) prevent the decompiling altogether (anti-decompile) and 2) prevent users from modifying values (memory hacking prevention). Binary-level obfuscation is best since you are stopping the problem at the source.
You can search for memory hacking tools online, and you’ll find tons of results. There’s no way to block each individual tool, or block certain patterns. You have to block the memory hacking altogether by making it impossible to access the memory in the first place. Also, to prevent purchase fraud, make sure you store the transaction receipt, detect and block rooted devices, and make sure your server is doing a secondary check against the purchase information.
E4G: As of this interview, you’ve been confirmed as a speaker for LOGIN 2014 but your talk hasn’t been officially posted up. Can you tell us what you will be sharing at your talk and why game developers should be in the audience?
Min: I will be talking about the most common security flaws in Android and presenting examples of how these have been exploited. I will also be sharing recommendations and best practices on how to address these risks.
E4G: Besides speaking, what else are you looking forward to accomplishing at the LOGIN Conference this year?
Min: We’re just starting out in the US market. I hope to meet more game developers to learn about their concerns and issues to create better security tools for them in the future. And to promote our Android security app, Medusah (www.medusah.net).
Paul Philleo, Contributing Editor