Having started by blocking mobile game plug-ins, Gamania CloudForce now enters the financial App information security market
Gamania CloudForce was formerly the IDC, information security, system and network business departments of Gamania. It initially set out to solve the problem of plug-ins undermining the fairness of mobile games, and has only recently started expanding into information security protection for financial Apps such as online banking and payments. For the company, preventing mobile games from being cracked demands the same information security strength that online banking and mobile payment Apps require.
Most people are already used to plug-ins for mobile games, but very few know that preventing mobile games from being cracked demands the same information security strength as online banking and mobile payment Apps. Paul Ding, the general manager of Gamania CloudForce, who started out in the information security of mobile games, stated: “Games are actually far more complicated.”
Information security of mobile games is similar to the information security protection of other Apps
As a matter of fact, the most common information security attacks on mobile games are tampering with the game's database and modifying in-game values; these are commonly known as “plug-ins.” Paul Ding, the general manager of Gamania CloudForce, explained that the life cycle of a mobile game was originally only three to six months and becomes even shorter with plug-ins, which has a direct impact on the revenue of gaming companies. This is why the company's original entry point was purely to solve the problem of these game plug-ins.
While working on information security for mobile games, the team discovered that the attack techniques and approaches of plug-ins were more or less the same as those hackers use to intrude into general Apps. This allowed Gamania CloudForce to extend its information security business to other Apps after becoming independent from Gamania; two years ago, it became one of the few companies in Taiwan focused on the information security of Apps. Now, among the thirty-something banks in Taiwan, at least a third are clients of Gamania CloudForce.
Paul Ding gave an example: “plug-in” is a term heard most often in gaming, but from a technical standpoint it is actually “dynamic injection.” It is like attaching a hook to the App in order to monitor and control it from elsewhere; the same technique can be used to intrude into financial Apps.
Another technique that hackers use quite often is modifying local files; in games, hackers might also need to modify data in memory. The concept and practice are similar to those used against online banking Apps, which also involve intrusive modification or interception of data transmitted during execution. Even though the information in financial Apps is highly sensitive, Paul Ding thinks that preventing hackers from intruding into Apps is actually more complicated for games.
Paul Ding explained that games involve a wide range of aspects; to write a plug-in, hackers must know exactly whether the game's behaviors, logic and memory data can be intercepted before they have a chance to tamper with them. For example, if it takes a minute to walk slowly from point A to point B in a game, achieving “teleportation” through a plug-in requires first capturing and modifying the memory address that controls that movement.
Also, cracking a game requires considering its many scenarios and attributes, and the modification methods for RPGs and strategy games are different. Even two strategy games that both have five players connected simultaneously, or two P2P games, call for vastly different modification methods.
In comparison, mobile payment and online banking are actually just transactions; they only need to confirm the amount and the recipient of the transfer, get certified by a third party, and return data, and once the data of both parties is certified, the transaction is complete. “For games, the complexity might be at the same level as these payment and e-commerce Apps,” he said.
“Information security tests of government Apps barely passed”
Gamania CloudForce is one of the earlier companies in Taiwan to focus on the information security of Apps, and Paul Ding said Taiwan actually still has a long way to go in this field.
In his observation, financial companies, unlike gaming companies, do not see their revenues hit directly by plug-ins; therefore, when it comes to information security, they care more about whether they can meet government regulations. Even though the government’s Mobile Application Security Alliance had released up to 30 MAS marks for the test items used to test the security of Apps, he thinks that passing the MAS test means only that the App's information security has barely passed.
However, since the data and information handled by financial Apps are more sensitive, financial companies have higher requirements for their own information security than the government requires. If they only reached the passing line for information security, financial Apps could be cracked easily and the market would fill with counterfeit twin Apps with embedded backdoors; once users download the counterfeit version, their information might be leaked.
Even if businesses are willing to spend money on information security tools, they might not get the results they want. Paul Ding stated that many financial companies have spent a lot of money on information security protection tools for their Apps, but most information security companies on the market currently provide SDK implantation solutions. For these to protect effectively, the company itself must have strong programming abilities; a company that has the tools but not the skills will still have many loopholes in its information security. Gamania CloudForce's answer is to let Apps wear an “iron suit” that prevents reverse engineering, blocks cheating tools for games, prevents Apps from being tampered with, and encrypts the App's saved data.
Enterprises still do not care about the information security protection of Apps as much as the information security protection for websites
To many enterprises nowadays, Apps might play an even more important role than websites, but based on Paul Ding's observation, many enterprises still do not invest as much in the information security of Apps as they do in that of websites.
“For websites, they know they need to buy firewalls, WAF (Web Application Firewall) and IPS (Intrusion Prevention System); these could easily cost over NT$10 million,” he said, “but when it comes to Apps, they might only be willing to spend a couple hundred thousand dollars hoping to solve all the problems with this amount of money.”
To Gamania CloudForce, whether it is for Apps or websites, and whether it is for games or finance, the steps and reasons for information security protection never change.
Paul Ding suggested that in order to improve the information security of Apps, businesses must first clearly understand the development framework and specifications of the system. Next, information security testing must be divided into “black box” and “white box”: black box refers to testing from the outside, using tools and hacker behaviors, whether the system has loopholes, and white box refers to testing the program code to find loopholes from the inside. Finally, once the vulnerabilities are found, the business decides which mechanisms to use to strengthen its information security.
Beyond Taiwan, Gamania CloudForce also started actively expanding its business overseas during the first half of this year; it has clients in Korea, Hong Kong, and Southeast Asia, in industries including finance and mobile gaming.