The people at CNS security firm who we interviewed at the end of last year have sent us ten recommendations for staying safe when developing games and applications for mobile devices.
Never assume that the end user won’t try something stupid. If the
application asks the user to enter a number into a field, they could
legitimately type ‘one’. If the application doesn’t check that the input is
a number before trying to process it, it may lead to a security
Sanitise Onward Data
Don’t rely on the receiving service to filter the content your application
sends. For example, if gamer tags or high scores are sent from the game onto
a third party score site. Attackers may be able to attack the third party
via your application, potentially putting your application at risk.
Never request that your application be run as a system level account like
root or Administrator. If a bug exists in your application and an attacker
manages to exploit it, they may be able to run commands at the program user
level, with access to the system account meaning the attacker could take
over the entire computer.
It is very rare that an application or game would need a high privilege
level to run, and often operating systems provide APIs to developers that
allow them to access system devices (e.g. graphics cards) without having to
directly run as a system user.
Keep it Simple
Nothing is gained by having overly complex code. Clear and concise code
allows errors to be spotted quicker, and also allows multiple people to
write the code at once without running into problems. If another person or
team takes over development, proper code layout and commenting can reduce
the amount of time required to become familiar with the program, allowing
for faster development of patches and updates.
Important data such as high scores should be kept in a place that the user
cannot modify, preferably on a server where they can be audited and checked
for validity. Storing important data on the device may allow users to easily
cheat in the game.
If information which is potentially sensitive (e.g. user’s address, contact
information, credit card number, etc.) is transmitted over the Internet, it
should be done so over a secure connection, ideally one that uses SSL / TLS
and uses certificates to validate the end server.
Information which is not transmitted in this way can be observed,
intercepted, or even modified by an attacker before it reaches the server.
Encoding is not Encryption
If sensitive data is to be stored, ensure that it is properly encrypted
rather than encoded, using a strong and public encryption algorithm.
Encoding is not a secure way to store data, as anyone with knowledge of the
encoding algorithm can easily retrieve the encoded information. With
encryption, even if the attacker knows the algorithm used (and it should be
assumed that they do), they still have to find the secret key before they
can decrypt the information.
Never try to invent your own encryption algorithm. Cryptographers have
worked for years to create a small set of algorithms that are considered to
be secure by Information Security specialists, which should give you an idea
of how hard creating secure encryption algorithms is!
Make sure that if your application crashes, is doesn’t drop into a
development or debug mode, but rather catches the exception and returns the
user back to their desktop or home screen.
If developing for a mobile device, make sure to look into and make use of
any security features and APIs that the manufacturer provides. An example of
this is the data protection API from Apple for iOS.
Don’t Use Untrusted APIs
There are plenty of APIs out there on the Internet, but not all of them can
be trusted. Make sure to search for any related vulnerabilities in the API
before using it, and if possible, only use open source APIs that have large
communities behind them. Some closed-source APIs are also secure to use, but
be wary and always do proper research on them before including them in your
Train2Game would like to thank CNS for these helpful tips to keep you safe!