Mobile games cheating: Lessons in app economy and security. A Q&A with Tom Tovar, CEO Appdome

Cheating in video games is more common than you think, but when does it cross into fraud, and how is it connected to mobile app security?

Note: This feature was first published on 8 June 2023.

I talked to Tom Tovar, the CEO of Appdome, recently during Black Hat Asia 2023 about the evolution of mobile app security and the line between ‘innocent’ cheating in mobile games and outright fraud. I learned that there’s a new mindset developers are taking to manage an app economy rife with cheaters, and how it impacts everyone’s gaming experience.

This interview has been edited for length and legibility.

How prevalent is cheating in mobile games?

Tom: Mobile game cheating is widely prevalent, but there's an interesting grey area in the cheating space. If you think about it purely from a developer standpoint, I want people to use my game. If they cheat, they're still using my game. And so there is this open discussion within the mobile developer community of whether all cheating is equal and whether we should allow some of it - different game makers, different studios might take different views. And this has also gotten more complex when you think about the platforms that are used to cheat inside mobile games. These are things like Bluestacks, Nox, Nemu and other emulators. They have venture capitalists that have invested in them and brought those platforms mainstream. They actually bill themselves as somewhere to get a better game experience, even though it's actually their methods inside of their platforms that can enable cheating in games.

So, there’s a grey area. But is there a line between cheating and fraud?

Tom: How do you distinguish between cheating and fraud? Well, cheating is something you do while you're in the game. Fraud is something you do to not be in the game. Let's say, for example, all I really care about is redeeming points for cash. So, one could create a hack inside of the game to do a repetitive action or create hundreds of fake accounts and refer these fake accounts to get credits that they can then cash in. I'm not playing the game but doing something to create a synthetic currency that I can convert or sell somewhere else. So, if the ultimate function of the cheat takes the user outside of the game, or keeps the user off the game, I think people are going to draw the line there.

These exploits happen with any app with digital coins, even in e-commerce apps. Do you think it’s overlooked just because it’s “a game”? 

Tom: You know, I played games my whole life, and we used to love the cheat codes that give us more points or more capabilities or whatnot. That class of cheat kind of keeps us in that game and keeps the gaming community alive. But you are right that a lot of applications these days have synthetic currencies. These are not hard cash and Bitcoin or whatever, but point systems, reward systems, reputation, levels and things of that nature. Even TikTok has the same mechanism. So, you could create a hack that gave you a million and a half followers, or a million and a half likes. All applications have synthetic currencies.

I run our cyber research team at Appdome, and we definitely look at what's happening in the mobile gaming space and say, “Oh, okay, we might allow that over there, but in a financial services app or in a crypto exchange app, we would never allow that.” Then we would bring what we learnt from the gaming app over to the other apps to defend it better. I think when you step back and you look at the mobile game cheating space, it's an amazing area of innovation.

Funny you said innovation. Do you see cheats being developed in games and then moved over to other apps or vice versa?

Tom: There definitely is an exploit economy. In good markets, grey markets and black markets there's a concept of flipping. This is where I build something, I sell it to you, you enhance it, you sell it to somebody else. So, this exists for exploits as well as for any benign code out in the world. So there definitely is a class of innovators who are out there creating the artefact (code), and then there are people who are using the artefact to carry out whatever ends they're doing. So, there's a whole economy there. And I prefer to look at it as innovation because these are technologists, these are developers. Very, very smart. Very, very sophisticated people who are, you know, creating things out of code.

For a mobile app security company, do you then look forward to seeing new cheats and exploits pop up?

Tom: Always. I personally believe that users themselves are no longer equipped to self-protect. And so app developers, publishers have tools like Appdome to be able to deliver more protections inside applications to keep us all safe. One of the things that we spend a lot of time with developers on is being aware of and paying attention to the innovation in malware, in cheats, in synthetic fraud on a mobile device and inside mobile apps. Hackers don't ask permission. Hackers don't tell you what they're doing. So, you have to look for inspiration from around the ecosystem. There's definitely a way to bring what you learn from one industry into another.

We have a whole section on our platform called anti-cheat. And a lot of times, I'll talk to mobile banks or gig economy apps and say, “Look, I know it's called anti-cheat and you might think it's for mobile games, but the methods in here are being used against your app”.

How does cheating impact the economy of a game or app?

Tom: Context is critical to understanding what is good and what is bad. I'll give you an example. Say I'm a driver in a gig economy platform, and I want to get the best rides available with the maximum dollars. So anytime a ride comes up, I'm using an automated program (hack) to capture that ride, to lock everybody else out and then decide for myself later if I want to keep it or not. We as users experience this by drivers accepting a ride and then cancelling it, accepting, cancelling, accepting, cancelling. It's a form of cheating, but no financial transaction is happening, so it's not fraud, right? But the quality of our user experience is degraded.

We see the same thing in airlines where they offer discounted fares to frequent flyers. Hackers can use a program to give themselves 10 million points or something, so they can gain a ticket and then resell that ticket to somebody else. Is there a loss to the airline? No, no loss. They published the fare, they got the fare that they published, but to you and me, the other legitimate members of the program, there's an economic loss because we don't participate in that program. So, context is important.  

We’ve talked about the people who develop cheats and the economy. But how about those who use cheats? How can experiences be managed?

Tom: I don't want to say I'm leading it, but I'm certainly a big voice in it. There's an amazing movement around creating different user experiences when bad things happen. In the classic cyber defence model, a bad thing happens, you close the app, notify the user and stop all activity, right? These days, developers and publishers are looking at more nuanced responses to attacks. It might be, for example, that an attack does not warrant closing the app. Maybe I leave the app up and running, but limit transactions, so the user can still be in the application. They can still navigate around, learn, explore, maybe do some informational things.

There’s a difference between allowing cheating blindly and allowing cheating intelligently. I'm going to accept it, but the key is I want to know. Because knowing and having data telemetry or intelligence about what's going on allows you, as a publisher, to be informed and to make data-based decisions. You're now empowered, based on that information. So now imagine I'm a mobile game developer, and someone's using Bluestacks, and I can detect that X percentage of my users are using that platform to cheat in my game. Now I can pick up the phone and call Bluestacks and say, “Hey, about 5% of my users are using your platform to cheat inside my game. Wouldn’t it be great if we worked together and provided a joint solution to the users who want to use your platform and my game? Maybe I can give you your own arena.” Sandbox. And maybe I could do a promotion where I take the players who are not on your platform and promote them into this arena. So now if I'm the platform vendor, if I'm Bluestacks, all of a sudden, I'm not operating in the grey zone. I'm operating in the light.

In the mobile app security landscape, do you see a difference between those who create cheats and those who use them?

Tom: There's always going to be people who create things and people who use things; and people who create things intending good and someone who uses it for bad. That’s just universal, not just in code, but sadly in life.