Mobile games aren’t just diversions anymore. Thanks to in-app purchases, microtransactions and advertising networks, games such as “Candy Crush Saga” and “Clash of Clans” have become some of the most profitable applications on iOS and Android, and the category as a whole dominates the revenue pie for all smartphone and tablet software. For example, current free-to-play sensation “Flappy Bird” alone generates roughly $50,000 per day in ad revenue.
The rising competitive pressures of the App Store and Google Play mean that a growing number of developers rely on ads to support free-to-play business models. While perhaps a shrewd economic move, this strategy has left many users exposed to surveillance. Government agencies around the world have capitalized on leaky mobile ad networks to keep tabs on players, but the broader risk is that the sheer scale of mobile games – the iconic “Angry Birds” franchise boasts more than a billion downloads across its properties – magnifies these flaws and opens the door to widespread privacy infringement.
Ad networks often play fast and loose with user data such as contacts lists, which are sometimes transmitted unencrypted across the Internet. While gaming may seem like an odd focal area for the security community, in truth it occupies much more consumer mind share – and accordingly invites much more attention, ill-intentioned and otherwise, from watchers – than productivity software, social networks or anything else. As much as possible, users should consider paying to remove ads if the option is available, and keep a close eye on any unusual activity on their devices and in their inboxes.
Third-party ad networks may be the soft underbelly of mobile game security
Mobile applications have a unique set of vulnerabilities, given that a lot of them track user location and request access to the device’s address book. The quantity and quality of information that these applications, along with the ad networks that support many of them, collect has shifted the focus of surveillance from PCs to smartphones.
Unlike PC software – most of which is paid for upfront or as part of a subscription – the majority of successful mobile apps are free and only make money from ads or subsequent microtransactions. While many developers are scrupulous about properly encrypting user data, ad networks are less so. Much of the information they collect is only tangentially related to what the app does:
- Almost 40 percent of Android apps can determine location
- Half can access the unique PIN to unlock the device
- Fifteen percent can figure out phone numbers
- Of the top 25 social network apps, all but one ask for email access and all but two request address book integration
The permissions that seemingly innocuous apps ask for can be jarring. “Angry Birds” requests location and access code, while Brightest Flashlight – a free utility downloaded on Android between 50 million and 100 million times – got itself into hot water after it was discovered sharing device ID information and location with advertisers.
Amid reports that agencies such as Britain’s GCHQ were keeping tabs on players, mobile game developers such as Rovio, which created “Angry Birds,” have denied that their practices have enabled surveillance, instead raising the possibility that ad networks were responsible. A Facebook spokesperson told the South China Morning Post that the company encrypts mobile data, which would differentiate it from advertisers that sometimes share plaintext contacts lists.
Still, the current commercial environment on mobile means that many developers are looking for any way to undercut rivals on price. Persistent tracking and ad networks let them give the game away for free and still get paid.
“One popular method that app developers employ to generate revenue is by sharing user data with advertising networks and analytics companies,” observed the authors of an Appthority report on mobile application vulnerabilities. “In some cases, developers are paid based on the amount of data they collect and share about users. Have you ever noticed an app that’s constantly running in the background (that really has no need to)? It’s possible that it’s tracking your location and sharing it with outside parties for advertising purposes.”
If third parties wanted to capitalize on this wealth of information, they would naturally go after games. The same report found that more than half of paid iOS apps and 36 percent of free iOS apps were games, with similar figures for Android. Recent revelations about NSA and GCHQ activity suggest that these agencies may have been looking at “Candy Crush Saga” and “Angry Birds” in addition to Pinterest and Google Plus. While not a game, the latter is notable for being a built-in system app on hundreds of millions of Android devices.
Does paying for mobile games make them less risky?
While it’s apparent that developers and ad networks sometimes fail to prioritize user privacy, the underlying issue may be economic. If it’s true that there’s no such thing as a free lunch, then free mobile games are proving it by extracting sensitive data in lieu of money from the end user. Would people be better off simply paying for the game upfront to remove ads?
Across the board, paid apps exhibit fewer risky behaviors than their free counterparts, although they’re not perfect. Far fewer paid apps on iOS and Android track location, for example, but the share is still 41 percent, according to Appthority. Only 28 percent of paid apps utilize analytics or ad networks, and 21 percent request access to the address book. Though few paid apps are completely free of risky behaviors, overall they exhibit only one or two such behaviors apiece.
In recent years, the line between paid and free has gotten blurrier. Massively popular Japanese messaging app Line is free to download, but makes billions in revenue from a built-in gaming service and a shop that sells digital stickers. Assessing the relative risks of free and paid apps may become more difficult going forward, meaning that users will have to pay attention to other things to ensure that they’re as safe as possible. They should check to see what permissions each app asks for, and consider removing any of them that seem to trigger unusual activity such as spam email or unsolicited phone calls.
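On Android, the permissions an installed app has requested can be read from a connected device with `adb shell dumpsys package <package>`, whose output includes a `requested permissions:` block. The script below is an added example, not code from the article or from any vendor it mentions: it parses that block and flags the permissions that map to the categories the article is concerned with (location, address book, phone number and device identity, account names). The `SAMPLE_DUMPSYS` text is a constructed excerpt in the format of the Android 4.x-era tool, the package name `com.example.freegame` is made up, and the `SENSITIVE` list is a hand-picked assumption, not a standard.

```python
"""Flag privacy-sensitive permissions in `adb shell dumpsys package` output.

Added example, not part of the original article. Assumes the
'requested permissions:' block layout of the dumpsys package service
(one permission per indented line, later builds append ': granted=...').
"""

# Hand-picked mapping (an assumption, not an Android-defined category list)
# from permission name to the kind of data the article worries about.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.READ_PHONE_STATE": "phone number / device ID",
    "android.permission.GET_ACCOUNTS": "account names (email)",
}


def requested_permissions(dumpsys_text):
    """Return the permission names listed under 'requested permissions:'."""
    perms = []
    in_block = False
    header_indent = 0
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if not in_block:
            if stripped == "requested permissions:":
                in_block = True
                header_indent = indent
            continue
        # The block ends at a blank line or at the next section header,
        # which sits at the same indent as 'requested permissions:'.
        if not stripped or indent <= header_indent:
            break
        # Newer builds append ': granted=true'; keep only the name.
        perms.append(stripped.split(":", 1)[0])
    return perms


def sensitive_permissions(dumpsys_text):
    """Map each flagged permission to its data category, in listing order."""
    return {
        perm: SENSITIVE[perm]
        for perm in requested_permissions(dumpsys_text)
        if perm in SENSITIVE
    }


# Constructed sample in the dumpsys format; the package is fictional.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.freegame] (4a1b2c3):
    userId=10087
    versionCode=42 targetSdk=19
    versionName=1.3.0
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_NETWORK_STATE
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_PHONE_STATE
      android.permission.READ_CONTACTS
      com.android.vending.BILLING
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.READ_CONTACTS: granted=true
"""

if __name__ == "__main__":
    # Live use: adb shell pm list packages -3   (third-party packages)
    #           adb shell dumpsys package com.example.freegame > out.txt
    for perm, why in sensitive_permissions(SAMPLE_DUMPSYS).items():
        print(f"{perm}  ->  {why}")
```

The parser stops at the first line whose indentation falls back to that of the block header, so the `install permissions:` section (which repeats names with a `granted=` suffix) is not double-counted. Everything in the block is reported, including permissions granted to the game's embedded ad SDK, because the Android permission model attributes them to the host app, not to the library.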