Train2Game News: Ten tips from CNS to keep your apps safe

Hut-3 1The people at CNS security firm who we interviewed at the end of last year have sent us ten recommendations for staying safe when developing games and applications for mobile devices.

Input Validation

Never assume that the end user won’t try something stupid. If the
application asks the user to enter a number into a field, they could
legitimately type ‘one’. If the application doesn’t check that the input is
a number before trying to process it, it may lead to a security
vulnerability.

Sanitise Onward Data

Don’t rely on the receiving service to filter the content your application
sends. For example, if gamer tags or high scores are sent from the game onto
a third party score site. Attackers may be able to attack the third party
via your application, potentially putting your application at risk.

Least Privilege

Never request that your application be run as a system level account like
root or Administrator. If a bug exists in your application and an attacker
manages to exploit it, they may be able to run commands at the program user
level, with access to the system account meaning the attacker could take
over the entire computer.

It is very rare that an application or game would need a high privilege
level to run, and often operating systems provide APIs to developers that
allow them to access system devices (e.g. graphics cards) without having to
directly run as a system user.

Keep it Simple

Nothing is gained by having overly complex code. Clear and concise code
allows errors to be spotted quicker, and also allows multiple people to
write the code at once without running into problems. If another person or
team takes over development, proper code layout and commenting can reduce
the amount of time required to become familiar with the program, allowing
for faster development of patches and updates.

Tamper Prevention

Important data such as high scores should be kept in a place that the user
cannot modify, preferably on a server where they can be audited and checked
for validity. Storing important data on the device may allow users to easily
cheat in the game.

Transport Security

If information which is potentially sensitive (e.g. user’s address, contact
information, credit card number, etc.) is transmitted over the Internet, it
should be done so over a secure connection, ideally one that uses SSL / TLS
and uses certificates to validate the end server.

Information which is not transmitted in this way can be observed,
intercepted, or even modified by an attacker before it reaches the server.

Encoding is not Encryption

If sensitive data is to be stored, ensure that it is properly encrypted
rather than encoded, using a strong and public encryption algorithm.
Encoding is not a secure way to store data, as anyone with knowledge of the
encoding algorithm can easily retrieve the encoded information. With
encryption, even if the attacker knows the algorithm used (and it should be
assumed that they do), they still have to find the secret key before they
can decrypt the information.

Never try to invent your own encryption algorithm. Cryptographers have
worked for years to create a small set of algorithms that are considered to
be secure by Information Security specialists, which should give you an idea
of how hard creating secure encryption algorithms is!

Fail Safe

Make sure that if your application crashes, is doesn’t drop into a
development or debug mode, but rather catches the exception and returns the
user back to their desktop or home screen.

Mobile Devices

If developing for a mobile device, make sure to look into and make use of
any security features and APIs that the manufacturer provides. An example of
this is the data protection API from Apple for iOS.

Don’t Use Untrusted APIs

There are plenty of APIs out there on the Internet, but not all of them can
be trusted. Make sure to search for any related vulnerabilities in the API
before using it, and if possible, only use open source APIs that have large
communities behind them. Some closed-source APIs are also secure to use, but
be wary and always do proper research on them before including them in your
application.

Train2Game would like to thank CNS for these helpful tips to keep you safe!

Train2Game News: Train2Game Interviews CNS Group

CNS GroupThis week on Thursday 12th December, Train2Game’s Harry Cole interviewed Edd Hardy and Andy Smith, auditors at CNS Group www.cnsgroup.co.uk.

The conversation was in-line with previous interviews where Train2Game get expert insight from people working in the games industry and employment areas of interest to our students.

Harry was joined by Train2Game students; Muir and Chris, who were on the call to ask questions directly to the experts. Students were also encouraged to submit questions ahead of the interview which Harry asked on their behalf.

Points discussed include: firewalls, layers of security, potential pitfalls with different types of technology, facial recognition, global satellite positioning and advice about best practice.

Please make sure to have a listen to the interview and let us know what you think. If you have any questions or would like to be involved in future discussions then please get in touch with Harry via the forum.

In the interview Harry requested a best practice list for the students, which he will post when it becomes available. We have further interview planned for next year, with games developers and cloud solution providers, so make sure to stay tuned.

You can hear the interview here: http://www.spreaker.com/user/train2gamestudentradio/train2game-interview-cns-group