The risk of app piracy is high, and with it comes significant risk to brand reputation, ranking and revenues. Luckily we’ve put together a handy guide on how to avoid this growing issue.
As much as £3 billion is lost each year to pirated apps across 14 billion app installs globally, according to mobile security company Tapcore.
A must-read resource from ironSource offers some important insights and advice into the different types of app piracy and the different approaches that can be taken to protect the app.
There are six types of mobile app piracy and six actions you can take:
1. Impersonating attack
What is it? Using an external app, pirates impersonate the app store to trick the app into providing infinite in-app purchases (IAPs). In practice, when the app requests a billing receipt from the app store, the pirate app answers instead and returns a fake receipt.
What can you do? Check and double-check! Make sure the app validates every purchase receipt. Compute your own signature over variables such as the item and the time of purchase, then check that they all match the receipt. If they don’t, cancel the receipt.
2. Replay attack
What is it? Hackers reuse the approach above but also hold a previously validated receipt that “looks” legitimate. Think of a bus, subway or train ticket validated for “a ride”: only discerning eyes can tell whether it is valid for “the ride” in question.
What can you do? Send the receipt to your own server, since it is generally harder for a pirate to hack your server than your app. Run the signature check there (same as above); that lets you determine whether the receipt is really valid, or whether it has been used before.
3. Bypassing the validation server
What is it? Pirates have hacked both the app and the server. The loop is closed: the compromised app queries a server that has been hacked and is looking the other way.
What can you do? This is a sophisticated attack that needs a smart response. Each time an IAP is made, send a random number to your server along with the receipt. Since each IAP is paired with its own random number, it is tougher for the pirate to game the system.
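The three server-side checks described so far (validate the store’s signature and the purchase fields, reject receipts seen before, and pair each purchase with a single-use random number) fit naturally into one validation routine. The following is an added example and not code from ironSource or the original article; the store signature is a constructed HMAC stand-in for the real store verification API, and `NONCE_TTL`, the field names and the result strings are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for the app store's signing key. A real backend would
# call the store's receipt-verification API instead; this keeps the example offline.
STORE_KEY = b"constructed-store-key-not-real"
NONCE_TTL = 600  # seconds a server-issued nonce stays valid (assumed policy)


def store_sign(receipt: dict) -> str:
    """Stand-in for the store's signature over the fields we later compare."""
    msg = f"{receipt['transaction_id']}|{receipt['item_id']}|{receipt['purchase_time']}".encode()
    return hmac.new(STORE_KEY, msg, hashlib.sha256).hexdigest()


@dataclass
class PurchaseValidator:
    # nonce -> (user_id, item_id, issued_at): one entry per pending purchase
    pending: dict = field(default_factory=dict)
    # transaction ids already credited; seeing one again means a replayed receipt
    seen_transactions: set = field(default_factory=set)

    def issue_nonce(self, user_id: str, item_id: str, now: float) -> str:
        """Step 1: the app asks the server for a random number before buying."""
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (user_id, item_id, now)
        return nonce

    def validate(self, user_id: str, nonce: str, receipt: dict, now: float) -> str:
        """Step 2: the app sends receipt + nonce; return 'ok' or a rejection reason."""
        entry = self.pending.get(nonce)
        if entry is None:
            return "unknown_or_reused_nonce"      # nonces are single-use
        exp_user, exp_item, issued_at = entry
        if exp_user != user_id:
            return "nonce_user_mismatch"
        if now - issued_at > NONCE_TTL:
            del self.pending[nonce]
            return "nonce_expired"
        # Impersonation: a fake receipt cannot carry a valid store signature.
        if not hmac.compare_digest(store_sign(receipt), receipt.get("signature", "")):
            return "bad_store_signature"
        # The receipt must describe the item this nonce was issued for.
        if receipt["item_id"] != exp_item:
            return "item_mismatch"
        # Replay: a genuine receipt presented a second time is refused.
        if receipt["transaction_id"] in self.seen_transactions:
            return "replayed_receipt"
        # The purchase must have happened after the nonce was issued and not in the future.
        if not (issued_at <= receipt["purchase_time"] <= now):
            return "purchase_time_out_of_window"
        self.seen_transactions.add(receipt["transaction_id"])
        del self.pending[nonce]
        return "ok"
```

The order of the checks matters: the replay test runs before the time-window test so that an old but genuine receipt is reported as a replay rather than merely as out of window, which is the more useful signal when reviewing rejected purchases.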
4. Refund exploit
What is it? Hackers exploit the refund feature and policy, trying to get back virtual currency they never purchased in the first place.
What can you do? Keep a local record of the items bought by every user. When you see a purchase for which there is no receipt, or the receipt is marked as cancelled, take the product back and send an event recording that the purchase was refunded. (Be warned: ironSource notes this approach “might only be possible for non-consumables.”)
5. Memory trainer
What is it? Corrupt software modifies the game’s memory. In practice, the trainer scans the game’s memory, looks for the number of an IAP item and changes that number, say from 100 gold bars to 1 billion.
What can you do? Double-check transactions against a log and, when virtual currency is cashed in, compare the sum total of logged transactions with the balance in the game. If they don’t match, chances are the user (hacker) has manipulated the game’s memory.
6. APK modification
What is it? Hackers get their hands on your APK (Android Package Kit) and change values in the code to their advantage.
What can you do? It’s a trade-off. The most thorough option is to move all of the logic to your server. That protects your app, but it also stops your users from playing offline: bad for the user experience, and prohibitively expensive to boot.
It’s clear that combating app piracy is a moving target, and an ongoing activity that will command a large amount of your effort and resources. This is why monitoring your app across all of the app stores is an important element of your app management strategy.