Securing Apps With Seworks

Seworks CEO Hong Min Pyo.


APRIL 3, 2015 • As with the freemium model itself, much of the worst mobile game app hacking is coming out of Asia. It is not surprising then that some of the best security solutions are also emanating out of Asia. One of those new security firms is Seworks Inc., based in Seoul, South Korea. The company recently expanded across the Pacific to open an office in San Francisco. DFC recently sat down with chief executive Hong Min Pyo to get a better understanding of what the security threats are in smartphone games and how firms such as Seworks avert those threats.

Faced with very low production budgets many independent mobile game developers will devote their scarce cash to spending on marketing to aid discovery of their titles. As a result, resources devoted to issues such as app security measures are more often than not extremely limited. This becomes a Catch-22 as when apps get hacked it often totally undercuts any revenue potential they may have had. Luckily, new and affordable options are arising that can go far in helping mobile games reach and hold audiences without being undercut by hackers and piracy.

DFC: Give us a better idea of what Seworks is all about. Who are your clients, how is the company organized, what are your major tools to fight mobile security threats, and who works there?

Min Pyo: The company is comprised of core security researchers and developers based in San Francisco with an R&D center in Seoul. Core clients include mobile game developers, financial institutions, mobile communication apps, and pretty much any app developer – if you have an app, we can protect it. Our focus is to provide easy-to-use, powerful security solutions for mobile app developers. At its core, Seworks is a group of white hat security specialists founded by a five-time DEFCON finalist.

DFC: Tell us about Wowhacker. You formed the group in 1998 and it is said to have been the largest hacking group in South Korea. What was the purpose of Wowhacker and what did its members set out to do?


Min Pyo: I founded Wowhacker. Seworks works in regular collaboration with Wowhacker to research security vulnerabilities and many of our engineers are from the Wowhacker organization. It’s a not-for-profit research group and a security lab that collectively looks for zero day bugs and researches new hacking attack methods, as well as the security technology to defend against them. They spend a lot of time on researching and predicting future hacking methodologies, as well. The group regularly publishes security warnings and technical white papers about security technology, competes at DEFCON’s CTF hacking competition, and connects with white hat hackers around the world to share knowledge.

DFC: What makes the Korean hacking scene special and unique?

Min Pyo: Thanks to South Korea’s strong broadband infrastructure and technology scene, there are a lot of persistent hacking attempts that happen daily from both domestic and foreign sources. This has created hackers who are strong in reverse engineering and web hacking, hacking attempt analysis, and prevention. I honestly think that Korean hackers are some of the best in the world.

DFC: Seworks was formed in December 2012 to specialize in mobile security. What was the relationship to your earlier firm, Shiftworks, that was launched in 2008? What was Shiftworks all about and how does Seworks differ?

Min Pyo: Shiftworks was a security company in the MDM space and mobile antivirus space. It was focused more on security products to help protect the actual mobile device, whereas Seworks is more focused on protecting the mobile application that is installed on your phone. Shiftworks was acquired by Infraware in 2011. After the acquisition, the core engineering team left to form Seworks.

When we started working on Seworks, we were working on fintech (financial technology) applications. While searching for a solution to protect our own app, we realized that there was no sufficient security product that was powerful and easy to use so we built one for ourselves. That has turned into our core product, AppSecu.re. We see the app security market as a new opportunity in the mobile space, and it’s important to us that our company can grow together with other mobile developers and contribute to an overall safer ecosystem.

DFC: The initial focus for Seworks was more Asia-focused, but in early 2013 you received investment funding from Fast Track Asia. How did you put that funding to use and how did it help Seworks lay the groundwork for entering non-Asian markets?

Min Pyo: Fast Track Asia’s role with Seworks has gone beyond a traditional investment. The funds allowed us to build our proof of concept, which in turn allowed us to raise our seed round from Softbank Korea and Qualcomm Ventures. From the beginning of the company, FTA has been actively involved in advising us with fundraising, entering new markets, and large enterprise deals.

DFC: When did SoftBank Ventures Korea and Qualcomm Ventures become investors, and how did they help expand Seworks’ focus and reach?

Min Pyo: Both SoftBank and Qualcomm are global investors who have added value with their expertise and wide-reaching network. (Invested in mid-2012.) More specifically, they have helped with:

  • Introducing us to potential customers and partners, particularly from a platform perspective, which can bring about more scale over a typical developer customer.
  • Connecting us to other potential investors, particularly in the security space.
  • Discussing and tweaking our upcoming Series A pitch to US-based investors.
  • Problem-solving our go-to-market strategy, particularly with regards to our business model and pricing.

DFC: How big a problem is mobile game security today?

Min Pyo: First, some background: The mobile gaming market is the largest revenue-generating category in mobile apps, but highly-saturated and difficult to differentiate within. Consequently, game developers typically spend more money on marketing than on developing the actual game. As such, the first few months after a game is launched are more critical than ever. Without sufficient protection measures, a newly launched game is essentially handicapped. While security solutions like AppSecu.re do not necessarily increase the chances of a game succeeding, they ensure that the chances of success aren’t hindered.

All that in mind, security is a significant problem for mobile game developers. Consider a couple examples of games that failed due to insufficient protection:

  • A Korean game called I Love Coffee entered the Chinese market, and within days, a copycat called Coffee Lover showed up with the exact same gameplay and assets, just with its name changed. This led to a loss of users for the legitimate creator as it was extremely difficult for anybody to differentiate between the two games.
  • An Asian game developer we’re familiar with used a common but weak obfuscator solution before launching in China. Within the first six months many cheats and cracks for the game showed up on forums, which turned away users due to complaints of unbalanced gameplay. This developer decided to migrate to our solution, AppSecu.re, which led to zero cheats and cracks, but unfortunately, the damage was already done in those first six months. This developer did not see sufficient ROI, and decided to suspend operations for that game in the Chinese market.

DFC: Please describe the main security threats to mobile games.

Min Pyo: The main types of threats are:

  • IP theft (e.g., proprietary algorithms, assets) from source code.
  • Cracks / pirated software.
  • Copycat games which lead to increasing user acquisition costs.
  • Cheats / hacks (e.g., free virtual currency) which lowers revenues and creates gameplay imbalance.
  • Identification and exploitation of client and server-side vulnerabilities exposed in source code.

DFC: One of your early products was an app protection service named Medusah Hair. Tell us more about what security services you have rolled out, which ones came first and why.

Min Pyo: Medusah Hair was our first product – a mobile app binary obfuscator and encryption, and an anti-memory hacking module, for Android. It was our first MVP that we created to garner market validation. After Medusah we launched a new product called AppSecu.re, which still includes Medusah Hair as one of the three main components. AppSecu.re has three main functions: (1) Scan, (2) Protect, (3) Track.

In (1) Scan, we added a free scanning feature that allows developers to upload their game/app to identify vulnerabilities associated with reverse-engineering and decompiling.

In (2) Protect, we removed the Medusah branding for an easier-to-understand “Protect” name; we also added support for Unity-based games (for both iOS and Android). We ensure integrity is maintained so that the game/app behaves the way the developer intended the app to behave. Plus, by preventing decompiling/reverse-engineering we protect against IP theft, copies and piracy. And by preventing source code analysis, we make it significantly more difficult for a hacker to identify vulnerabilities, which lead to client and server-side attacks.

In (3) Track, we developed a live dashboard that allows developers to track every install of their app for hack attempts, in real-time, and to be able to invoke a kill-switch for an app at an install-level. Our real-time monitoring of every install of a game app gives transparency into exactly when and what type of hack is being attempted. With this data and our optional kill-switch, developers can shut down this game app at the individual device level and also gain insights into hacking behavior – the markets and regions where most hack attempts are occurring.

The Scan feature was added for two main reasons – to educate plus create awareness and to increase the funnel into our complete AppSecu.re product. The Track feature was added based on our customers’ feedback in how they wanted greater transparency into their games, and when/how they are being hacked. With this new Track feature, we are also providing analytic insights – sort of like a Flurry for security.

DFC: How much mobile game revenue is lost to hacks, who pays the costs, etc.?

Min Pyo: We’d rather not cite specific numbers. In terms of who pays the costs, the majority of that goes to the developers, as the hacks basically lead to the increased chance of failed games, and ultimately, revenue loss.

AppSecu.re's tracking dashboard.


Consumers also suffer, albeit not financially, but due to things like unbalanced gameplay and malware-infested games.

DFC: Are there differences in the number of attacks on mobile games in South Korea and Asia compared to North America, Europe, South America?

Min Pyo: We do not have specific numbers that we can share publicly, but it is very clear that the sheer scope/quantity of mobile game hacks is higher in Asia compared to the rest of the world. Asian game developers are much more aware of these attacks and are proactively taking measures to protect against them. We regularly have developers reaching out to us to inquire about our solution.

In the Americas and Europe, however, while there is some level of awareness, it is significantly lower compared to Asia. This phenomenon actually gives Seworks an advantage in serving the American and European markets as we already serve and understand the Asian market. This gives us a preview of the attacks to come beyond Asia, allowing us to build and prepare the appropriate solutions ahead of time.

DFC: How seriously is the problem of securing mobile games and applications being addressed?

Min Pyo: It typically remains a low priority for most developers. In the past year, there have been many headline-grabbing hacking incidents, which has certainly raised the awareness of security, but there is an inherent lack of understanding of what types of security solutions are available. And 99% of the time, functionality, features, and time-to-market are prioritized over security. Many organizations are just not willing to invest in security until there is a fire. However, it should be noted that investing in security post-breach costs four times more than when done in advance.

DFC: What kind of protection can Seworks offer mobile game developers and distributors?

Min Pyo: We ensure that the integrity of a game is maintained. We protect against revenue leakage and increasing costs by preventing:

  • IP theft (e.g., proprietary algorithms, assets) from source code.
  • Cracks / pirated software.
  • Copycat games which lead to increasing user acquisition costs.
  • Cheats / hacks (e.g., free virtual currency/leveling up) which lowers revenues and creates gameplay imbalance.
  • Identification and exploitation of client and server-side vulnerabilities exposed in source code.

We deliver this protection through:

  • Binary-level obfuscation and encryption (prevents decompiling and reverse-engineering).
  • Anti-memory hacking.
  • Real-time monitoring of all apps, with a kill-switch option based on hacking attempts.
  • 100% SaaS-based for zero integration and fast time-to-market.

DFC: Seworks focuses on mobile client security versus device or server protection. What led you to that specialization?

Min Pyo: Server protection is a crowded market that has been around for many years. Mobile device protection, while newer, is one of the earlier security markets to develop for the mobile space and is also fairly well established.

Mobile client security, on the other hand, is in the earlier stages with fewer players. Given the fact that mobile devices are becoming more and more like small PCs in our pockets, but with a much greater wealth of personal and sensitive information, it is only logical and imminent that mobile client security will grow just as PC client security grew many years ago. Our CEO saw that existing mobile client security solutions were inadequate in their level of security and difficulty of use, and decided that building a world-class, zero-integration mobile client security solution now would allow us to get into a growing market with a key differentiator, and be ready to capture significant global market share.

DFC: How unique are you in this client approach, and why?

Min Pyo: We are unique in how we deliver our solution – 100% SaaS with zero integration – our comprehensiveness from scan to protect to track and the numerous file types we protect, plus our flexible pricing model, all set us apart.

DFC: Can you name any specific clients that have benefited from using your solutions and how?

Min Pyo: In gaming, they include GREE Korea, Gamevil, NHN and Smilegate, among many others. Beyond mobile gaming, we are serving clients in diverse verticals including finance, social, education, public services, security and enterprise.

DFC: Tell us more about your business model. As we understand it you license your security tools. Are prices variable depending on the client and is licensing the only way you generate revenue?

Min Pyo: We are constantly evaluating our pricing, but we currently offer two models: (1) annual license per app, (2) $/MAU per app with a free tier and cap.

Most of our customers are familiar with and prefer the annual license model, but the MAU model resonates well with gaming developers. By having a free tier up to a certain MAU level, we are essentially offering a risk-free model in which the developer only pays once their app is doing well. And, even once an app passes that free threshold, we are only getting paid based on the number of active users. The cap ensures that it never becomes cost-prohibitive for a highly popular app.

This MAU model is important in the gaming world because a developer never really knows how well their game will perform once it’s released. As such, it is too risky to pay a large annual license fee upfront to protect a game that may or may not do well. At the same time, putting in place protection measures before a game is first released is critical since hacks, cheats and copies will significantly lower the chances of a newly released game succeeding. Our MAU model addresses this exact problem by removing the aforementioned risk.

DFC: It seems like it would be a lot of work to add a security solution to a product. Considering many app developers are small operations is it really feasible for them to consider security solutions?

Min Pyo: This is a good point, and something we are directly addressing with our zero-integration solution in AppSecu.re. Features and time-to-market are always the priority for developers, so security usually takes a back seat. Because our solution requires zero integration and is affordable – the pay-as-you go model, where you only pay for what you use – we have removed these issues and lowered the barrier to entry. The developer is then left asking: “Why not?”

DFC: Beyond licensing fees, how much time and cost does it take to install your solution?

AppSecu.re is designed for ease of use.


Min Pyo: Our solution literally takes minutes – the only two variables that impact time are file size and Internet bandwidth. Just upload your compiled APK, check relevant options and then download the protected APK. Developers and users do not need to learn or integrate anything.

DFC: Your product line-up seems to be more focused on Android than iOS. Is that an accurate appraisal, and if so, then why?

Min Pyo: Not necessarily, because AppSecu.re works with Unity-based games for both Android and iOS. That said, Android and Unity apps have the most powerful and efficient options, primarily due to Apple’s platform policies and its App Store review process. However, we are doing research to see if there exists a method to provide zero-integration protection for native iOS apps.

There is the future possibility of working closely with Apple to provide the key to access an AppSecu.re protected app to perform their static analysis, but we’re still researching methods at the moment. And we would need to gain more momentum in the Android market before doing so.
