Securing Mobile Gaming Applications
May 16, 2012
The Gaming Industry is moving at lightening speeds to get mobile content to their players to enhance player in-house experiences, integrate with loyalty programs, and provide new betting opportunities. Whether the applications reside on in-house devices or are downloaded by players to their personal devices, securing these applications is critical.
Key Security Concerns
There are a couple key security concerns you should address in your mobile application rollout:
Application Security – Mobile applications pose similar threats to the gaming environment and added complexity -malware, rooted devices, backdoor applications with access to your application, loss of encrypted player information. Is your application able to secure against these threats? Whether your application will be developed in-house or by a trusted 3rd party ensure that the application is not only thoroughly tested against application attacks, but that you have a very strong understanding of the information your application leaves on the device itself. All mobile applications should, at minimum, be assessed in three ways:
Transport, Backend Assessment – Analyze the site functionality, protocols and supporting backed end systems and web services that are prone to attack and penetration. This should be assessed using manual techniques targeted toward your application and system architecture. Why? Because that will be what the attackers will do.
Decompilation and Reversing - Analyze the application’s presentation layer for data leakage and insight into the application logic. Examine any binaries for data leakage as well. Search for unsafe functions and verify that security misconfigurations don’t exist.
Forensic Analysis - Perform a high-level forensic review of the application to understand whether application data is being stored improperly on the device, and what other information the application may be accessing on the device or leaving on the device.
Device Management - If your enterprise owns the device, how will you manage it (access controls, security patches and updates, application updates, lost/stolen device management) remote wipe/lockdown, logging, backup/restore? Do you have a mobile device management (MDM) system? MDM systems can provide device management, restrictions, application security such as what applications can be loaded onto the device, and many other security solutions.
Internal System Integration – Will your application allow access to internal systems such as club rewards, booking, or gaming environments? If so, and the application has become infected or the access has provided a backdoor into your environment, you need to protect your internal systems via access controls. You need to determine, possibly based on type of device:
- What will you allow to access (device, application, browser, wireless, etc.) to internal systems?
- Who will you allow to access internal systems and how will you manage this access?
- How will you allow, deny or restrict access?
- Will you need to log this access and if so what will you log, and how? Will your SIEM or log management system support these types of logs?
- Simply put, who will manage the support of a non-working application? If this is in-house built, what type of support structure will you need to have in place to manage devices and/or end user support? If this is a 3rd party application what will be your support structure for end-users and for your company if issues arise?
- Make sure that you fully understand who is responsible for patches, vulnerability fixes, malware issues, and any other security issue that might arise from this application. For instance, if a player suggests that your application was responsible for infecting their phone and their confidential data (or system) was compromised – who is responsible?
- Continue to verify throughout the application’s lifecycle (and subsequent updates) that the application continues to maintain security against new vulnerabilities or security changes within the application.
- The PCI-SCC, the credit card standards body, has particularly strict requirements on taking credit card data on mobile devices and through mobile applications. At the moment, their focus is on mobile devices that act like point-of-sale terminals and require the devices and applications to meet PCI-PTS (hardware) requirements and PA-DSS (application) requirements to take credit cards. However, ANY application that takes or potentially may take credit cards (including applications that route users to websites) should be developed to meet PA-DSS and assessed and reviewed for compliance.
- There are numerous documents and FAQs that can help you in this respect on the PCI SCC Website (https://www.pcisecuritystandards.org) or you can contact FishNet Security for more information on how you can remain compliant with your mobile devices and applications if you need to accept credit card payments.
- Player Privacy requirements
- PII (personally identifiable information) data, such as a player’s name, rewards information, race, location, gender, occupation etc.) all have a market, and hence, financial value. How well does your application and/or device protect this information? Your policies and procedures, and your security around the application and supporting systems that store the data, must be secured based on your region, and local regulatory bodies’ requirements.
- Location awareness – Geo location has its own security issues and though it enhances player’s experience, and in the case of some state regulations (such a Nevada), allows for sports betting applications, it does have security implications to player privacy. It’s essential that you:
- Identify and develop security against the risks and threats posed by the application’s geolocation feature
- Secure the application and keep it secure (patching, updating application as new vulnerabilities are identified)
- Secure the device – this includes patches, antivirus programs, physical and logical access controls (if you manage the devices), device access controls to enterprise systems.
- Secure the data it collects in backend systems – use encryption in transport and on the server that contains the data.
Mobile apps accessing your website – even if your application is just a downloaded application that’s enhanced for mobile devices, you should ensure that security of the application and the website applications, systems and backend supporting servers maintain security and compliance requirements:
- If your web application has never been penetration tested, you should have that done to establish a good baseline configuration
- Ensure your website’s application is tested at least once a year and or is continuously tested for vulnerabilities
- Ensure your webservers are penetration tested, using manual and automated tools to find system level vulnerabilities.
- Use File Integrity Monitors on critical systems files to alert you if these web applications or system files change without authorization.
- Set up a SIEM for logging and alerting for the web server, application server and database servers.