My Android game has been pirated, what can I do?

Discussion in 'General Discussion' started by derkoi, Sep 8, 2021.

  1. derkoi

    Now I know what you're going to say: "It's useless to fight the pirates, you won't convert those players to paying customers" and you're right, but please hear me out.

    My game is a fairly popular premium game on both iOS and Android, my players compete for position in the high score leaderboards. There are some IAP for coins and a few premium DLC. Nothing out of the ordinary.

    Every time I update the game a cracked version of that update appears online a day or so later.

    I'd like to try and detect people using unofficial copies of the game because they create accounts on my Playfab which in turn costs me money as I get near to the 100k pay threshold, they also ruin the experience for others online with their high scores that take legitimate players a lot longer to get. They also post in our communities asking questions and wasting our time.

    Some have an extra splashscreen with 5play.ru on it and seem to tamper with the player prefs. Although I'm not sure how as the saved online data does not match the data shown in game, maybe they're bypassing it?

    So, I'd like to try and detect the cheats and ideally prevent them from creating accounts and accessing the leaderboards.

    Does anyone have any idea if this can be done? Or do I just have to leave them to ruin my players' experience?

    Thanks
     
    Martin_H likes this.
  2. frosted

    The only way would be for you to get some transaction id from the store and use that in the account creation process.

    If something like that exists, then you can secure it against pirated copies making accounts because the ID would exist purely on the store and your server and no part of the process would depend on local app code.
     
    derkoi likes this.
  3. MadeFromPolygons

    You can get in contact with the support for the store in question (google play) and provide proof that you made it, eventually they will remove it (potentially, a lot of the time from experience they never get back to you or say there is not sufficient evidence).

    This is a very common thing in the mobile industry and a good reason why I no longer take any part in the mobile side of games. There is no silver bullet for dealing with this, it's just you have to put lots of time and effort into getting them taken down. You should ask if it's actually worth it or not, if it is - expect to spend a lot of time as more versions will come up as the old ones get taken down.
     
  4. CasperK

    Apparently they finally added functionality to Application.genuine for Android in 2020.2.0a15 but I don't think it does more than check the package name it was first built with.
    Another option would be to check for the signature of the app, and make sure it wasn't re-signed.
    Also wonder if you use IL2CPP, just having no assemblies comes with a lot of obfuscation.
    But of course all these checks are just another barrier that can also be removed if they want to enough. Just have to make it not worth it for them for the size/type of userbase you have.

    The only safe way of course is do every confirmation online and just use the app as a client, but that gets really difficult for f2p.
     
  5. derkoi

    These copies are not on the official stores, they're across many websites that offer illegal android apk files :(
     
  6. derkoi

    Yes I saw that but I don't think it would be very effective. I am using il2cpp as I need to build 64bit versions of my game.
     
  7. Armynator

    (I only have experience with reverse engineering on PC, but I guess Android uses the same principles...)

    A quick and easy solution might be the Anti-Cheat Toolkit.
    Save your PlayerPrefs obscured/encrypted, use obscured data types for important variables like money/coins and use the code hash generator to check if any code was altered.

    You also should consider using an Obfuscator, this one has IL2CPP support.
    IL2CPP itself is only slightly more protected than Mono. It still comes with metadata that contains all names for classes, methods and fields. All of this (except classes, iirc support for them is experimental) can be obfuscated with the asset I've linked above.
    You might have to adjust all of your scripts to make it fully compatible with your project though, this mostly depends on your current project design. You can't call obfuscated methods from (Button-/UI-)events inside the editor for example. You either have to skip the obfuscation for the method you want to call, or you assign it explicitly inside a script.

    If you already published builds without obfuscation, also keep in mind that obfuscating builds now is a lot less effective. People can use the old build and compare it to a new, obfuscated one with some special tools. Stuff that is obfuscated now but wasn't before will be found.

    Of course all of this won't make your game uncrackable, but if you use both assets together properly it will be a lot more annoying to alter.

    Besides that... I have no idea how Playfab works, as we always used our own backend. But if you can, add as many sanity checks as possible. If someone has a ton of coins without ever paying a single cent it's really obvious that he is cheating for example. You can simply auto-ban such players and remove them from the leaderboards.
     
    pKallv, NotaNaN, Rewaken and 3 others like this.
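
The server-side sanity check suggested in the post above, as an added example that is not part of the original thread: plain JavaScript for a backend handler, not PlayFab's API. The field names, the limits and the assumption that `secondsPlayed` and `coinsPurchased` are measured by the server are all hypothetical.

```javascript
// Added example: plausibility checks before a score reaches the leaderboard.
// Field names and limits are assumptions for illustration; tune them to the game.
// secondsPlayed and coinsPurchased must come from server-side records
// (session timestamps, validated receipts), never from values the app reports.
const LIMITS = {
  startingCoins: 100,      // assumed: coins granted to a new account
  maxCoinsPerMinute: 50,   // assumed: fastest legitimate earn rate
  maxScorePerMinute: 1200, // assumed: fastest legitimate scoring rate
};

// Returns the reasons a record is implausible; an empty list means plausible.
function auditPlayer(player, limits = LIMITS) {
  const reasons = [];
  for (const key of ["coins", "coinsSpent", "coinsPurchased", "secondsPlayed", "score"]) {
    if (!Number.isFinite(player[key]) || player[key] < 0) reasons.push(`invalid ${key}`);
  }
  if (reasons.length > 0) return reasons;

  const minutes = player.secondsPlayed / 60;
  // Every coin ever held must be explained by a source the server knows about.
  const coinCeiling =
    limits.startingCoins + player.coinsPurchased + minutes * limits.maxCoinsPerMinute;
  if (player.coins + player.coinsSpent > coinCeiling) {
    reasons.push("coins exceed what play time and purchases allow");
  }
  if (player.score > minutes * limits.maxScorePerMinute) {
    reasons.push("score exceeds what play time allows");
  }
  return reasons;
}

// Only plausible records are written; rejected ones keep their reasons for review.
function submitScore(leaderboard, player) {
  const reasons = auditPlayer(player);
  if (reasons.length > 0) return { accepted: false, reasons };
  leaderboard.set(player.id, player.score);
  return { accepted: true, reasons: [] };
}

// Constructed sample records.
const HONEST = { id: "p1", coins: 2000, coinsSpent: 500, coinsPurchased: 0,
                 secondsPlayed: 3600, score: 50000 };
const TAMPERED = { id: "p2", coins: 999999, coinsSpent: 0, coinsPurchased: 0,
                   secondsPlayed: 600, score: 900000 };
```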
  8. derkoi

    Thanks for the in depth reply, I appreciate it.

    I've just implemented obscured player prefs using anti cheat toolkit. The dev was very helpful on Discord.

    I will continue to look into your other suggestions. What I'd really like to happen is to detect a cheat/pirate and quietly not show the account login/creation process at all, allowing them to enjoy an offline experience where they can't ruin legitimate players' games.
     
    CasperK likes this.
  9. Shizola

    Let us know if you have success with this, good luck.
     
    derkoi likes this.
  10. kdgalla

    Congratulations! That's how you know you've really made it as a game developer.
     
    pKallv, NotaNaN, Rewaken and 3 others like this.
  11. derkoi

    Thanks. Doesn't feel as good as I imagined it would. Lol
     
    NotaNaN, pKallv, Rewaken and 2 others like this.
  12. AcidArrow

    Are you using Google Play's license checks and anti-piracy features?
     
  13. derkoi

    I tried but couldn't get it to work
     
  14. derkoi

    Well, I spent a fair amount of time investigating this and I only obscured my playerprefs data as I didn't have the luxury of time and also the risk of breaking things had me worried.

    Anyway I released an update yesterday and it's already available on 2 sites. Shame really, it's pretty off putting knowing these guys are doing this
     
  15. MadeFromPolygons

    Welcome to the state of the mobile games market :) It's either deal with the pain that is android development and everything that comes with it such as apk theft as you are experiencing, or the pain that comes with dealing with apple :)

    Try to see the positives, you are successful enough for people to spend their time doing this - you are not really losing users as anyone who will install an off market pirated APK was probably never going to convert to a real user of your game anyway

    Ignore it and focus on the playerbase you have rather than the black market playerbase you could have and you will be just fine :D
     
  16. derkoi

    Thanks. You're right but I only wanted to prevent the pirates accessing the online part of the game and spoiling it for the legit players, I know I would never convert them into paying customers but nevermind. As you say, I'm flattered they're bothering to pirate it.
     
  17. MadeFromPolygons

    You may be able to use something like https://docs.unity3d.com/ScriptReference/Application-installerName.html to work out if it was installed via play store, or via 3rd party and then block all playfab, IAP etc from that point onwards if it is not from play store :)

    Good luck, don't give up - there is always a solution to the problem at hand :)
     
    stain2319 likes this.
  18. Joe-Censored

    This reminds me of when I found a game of mine on The Pirate Bay. All I did was add a comment thanking everyone for their interest in the game :)
     
    MadeFromPolygons and pKallv like this.
  19. Ryiah

    Or decide that you can live without online functionality in your games. Mobile development is already bad enough with oddities like every device having a different screen resolution that I wouldn't want to have an online presence that I have to stop from being hacked.
     
    Last edited: Sep 14, 2021
    Martin_H and MadeFromPolygons like this.
  20. kdgalla

    You should've put in a "If you enjoyed the game, please consider donating some money to my patreon" link or something. ;)
     
    Joe-Censored likes this.
  21. Joe-Censored

    Eh, the game was only like $3 USD at the time. If that is already too much....
     
    lmbarns likes this.
  22. GCatz

    I would stream some game logic or models partly from a CDN only to verified purchases
    but it seems too late if they have your game cracked and online

    I've read at some blog of a famous game (can't remember the name)
    it was downloaded 4 million times pirated, so I bet it's even worse now

    online is a must for that world, or just target iOS it has much less piracy
     
  23. AcidArrow

    That's really not too much.

    The pirated copies for our game approached 1 million and that was a couple of years ago, and it's not really a famous game.
     
  24. Neto_Kokku

    In the case of an online component, the pirate users indeed cause harm as they increase your server costs for no return. The documentation I found is terrible, but there should be some form of server-to-server receipt validation on Google Play, it's probably worth digging around for that, even if it's something hack-ish like a free IAP or something (I remember those being a thing in iOS back when jailbreaking was more mainstream).
     
    derkoi and angrypenguin like this.
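
The server-side purchase check that frosted's post (transaction id at account creation) and the post above (server-to-server receipt validation) both point to, as an added example that is not part of the original thread. It is plain JavaScript and assumes the server has already looked up the client's purchase token with the store (for Google Play, the Developer API's `purchases.products.get`); `AccountGate`, `createAccount` and the sample records are hypothetical.

```javascript
// Added example: gate online account creation on a store-verified purchase.
// `purchase` is the record the server itself fetched from the store for the token
// the client sent (null when the store does not know the token). Field names follow
// Google Play's ProductPurchase resource; all values below are constructed.
class AccountGate {
  constructor() {
    this.orderToAccount = new Map(); // orderId -> the one account bound to it
  }

  // Decides from store data only; nothing the app reports about itself is trusted.
  createAccount(accountId, purchase) {
    if (!purchase || typeof purchase.orderId !== "string") return deny("unknown to store");
    if (purchase.purchaseState !== 0) return deny("not purchased"); // 1 canceled, 2 pending
    if (purchase.purchaseType === 0) return deny("test purchase");  // 0 = test purchase
    // One purchase unlocks one account, so a token shipped inside a
    // redistributed APK cannot be replayed to create more accounts.
    const owner = this.orderToAccount.get(purchase.orderId);
    if (owner !== undefined && owner !== accountId) return deny("purchase already bound");
    this.orderToAccount.set(purchase.orderId, accountId);
    return { allowed: true, reason: "ok" };
  }
}

function deny(reason) {
  return { allowed: false, reason };
}

// Constructed sample: what the store lookup returned for four client requests.
function demoGate() {
  const gate = new AccountGate();
  const paid = { purchaseState: 0, orderId: "GPA.0000-0000-0000-00001" };
  const refunded = { purchaseState: 1, orderId: "GPA.0000-0000-0000-00002" };
  return [
    gate.createAccount("alice", paid),    // genuine buyer
    gate.createAccount("mallory", null),  // token the store has never seen
    gate.createAccount("bob", refunded),  // bought, then refunded
    gate.createAccount("carol", paid),    // same purchase replayed by another install
  ].map((result) => result.reason);
}
```

Accounts refused here can still be left to play offline, which matches what derkoi describes wanting earlier in the thread.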
  25. lmbarns

    KyryloKuzyk and derkoi like this.
  26. CodeSlug

    I will be honest here, massive powerful companies like Riot still have not been able to make a dent in things like hacking in FPS games like say Valorant.

    Only NRS had managed to use a Denuvo anti tamper technology in Mortal Kombat 11 which literally took the hackers something like over a year in order to crack it. This is probably the longest a game had gone without being cracked by a scene that tried tirelessly to crack it.

    And NRS is a company with an obscene amount of money and talent and resources, they literally created the best roll back netcode in the early days of MKX which they said cost them millions of dollars. It was even better than GGPO netcode which is largely considered the gold standard of netcode, because the NRS netcode didn't have the same audio sync issues that GGPO had.

    NOW consider this, there are websites where you can go and download simple programs and literally hack MK 11 on Steam and unlock all the DLC.

    Yes you heard that correct, you can unlock all the costumes in game that were limited edition and all the DLC without even paying for it literally through the steam servers. NRS tirelessly updated and patched this and the hackers kept bypassing it. Until they got so fed up they waited for NRS to stop releasing patches then released a final hack to unlock everything. This is the major reason why Ed Boon doesn't want to offer cross play between PC and Consoles, the open nature of PC just means too many hackers, same with Android.

    So if NRS and Ed Boon with all that money and resources pumped into protecting MK 11 only temporarily worked what chances does any of us have?

    My tip in life advice, stop bothering with pirates, most of them aren't even from 1st world countries most of them are from places like Russia and Asia etc which is known for massive piracy because of the lack of things like Forex many of these so called pirates couldn't even buy these games if they had the cash and wanted to buy it because they would have to get a hold of forex to start with. And how are they even getting a credit card to buy your game?

    Where I live in the Caribbean its very difficult to get a credit card, it's not like the US where banks want to give you a credit card it's the opposite because our money is monopoly money on the world stage.

    There is a reason the United States can create unlimited money out of nothing to the tune of trillions in debt and never suffer the effects of inflation like other nations. They don't have a forex problem because their dollar literally is the dollar.
     
    Last edited: Sep 19, 2021
    NotaNaN, Rewaken, GCatz and 1 other person like this.
  27. derkoi

    I get what you're saying, but I assume there are levels of hackers and no matter how 'successful' my game is, it's nothing compared to AAA games and so I assume the hackers hacking my game do so cause they can, cause it's unprotected.
     
  28. derkoi

  29. kkl888

    Did it work for you? I've tried enabling the automatic integrity protection and it does not seem to work after me trying to recompile/redistribute my own APK downloaded from Google Play. The App Integrity in Play Console is enabled.
     
  30. derkoi

    When I tried it developers had to register their interest in it, I did that and never heard anything back. So no, it never worked, nothing did unfortunately.
     
  31. kkl888

    That's very unfortunate. I also contacted google play console support a moment ago and they said they only enable that feature for selected Play partners and not released to public yet. I guess they are still running trial. Sigh~
     
  32. derkoi

    Yeah it's a shame more can't be done. My latest game will be free with ads and an IAP to remove those ads. I'm also using obfuscation from the start and encrypting the playerprefs. Hopefully all of that will remove the incentive for hackers to bother with it but I don't know. I guess I'll see soon enough when it's released.
     
  33. Francesco-FL

    I quickly read the thread and I don't think I've read anything about it, but there is one thing I wonder: to report to the police who deal with cybercrime? (I am referring to who is hosting the download of the pirated app) (in this case I think it is copyright infringement as well as probably fraud)
    Has anyone ever tried?
     
  34. Max_Bol

    The hardest 2 parts about game development nowadays are:

    1) Managing how to work in the field with a never ending competition that, for the most part, has more resources than you.

    2) Managing how to work on the backend field of "unorthodox" usage of the stuff you poured your soul into.

    The more you fight against the waves, the more you waste your time and energy and at any point, you constantly risk either to drown or return at the point you started. It's quite philosophic, but true regardless.

    Then how can you make it work then? It depends on what you, yourself, can do and how you can turn the force against you into a less bad thing. If you think of your game being pirated and released 4M times outside of your control as something only bad, you're missing the potential: your game got downloaded 4M more times. Then why not make use of those additional 4M downloads?

    I admit it's not easy, but people who got money buy many things and if they refused to buy a game or pay for something in your game, maybe they just have different sense of value than what you're proposing.

    For instance, I'm currently working on a different approach with my current main project which is 100% free, no aggressive in-game ads and no premium shop and, yet, my estimates give me that I can generate some substantial and renewal revenues out of it without any need to even implement complex security against local hacking. In fact, I might gain from people copying my game around.

    Basically, I'm currently working on deals with product embedments and custom merch sales. There are international shops that offer some honorable profits over sales if they are exclusive on the items and they manage everything for you. They may make 70% of sales or even 80%, but they run the raw materials, prints, shipping and customer support. If your game brings 1% of ALL your userbase to purchase a $30 T-Shirt, you make $6 of that and no pirates can make a dime of it. Remember that 4M downloads? If 1% of that generates you just $5 through 3rd party sales, that's 200K.
     
    Last edited: Oct 30, 2022