Heartbleed and Games on Android

Last week there was a lot of excitement about a new vulnerability found in OpenSSL.  OpenSSL helps secure most of the encrypted communication on the Internet, so any vulnerability in it can potentially put a large amount of data at risk.

Heartbleed doesn’t allow an attacker to listen to your communications with a server directly, but it does allow an attacker to read data in the server’s memory.  xkcd has an overview of how the vulnerability works: http://xkcd.com/1354/




Is Heartbleed a problem for Android games?

In theory, this vulnerability is symmetrical.  If the client is using a vulnerable version of OpenSSL, a server it connects to can read data from the client’s memory.  That sounds scary, but in reality there is little to be worried about.  Here’s why:

- The only servers that could potentially read your data are the servers your game already connects to.  These are typically the servers of companies like Google, Facebook, Twitter, and possibly the game developer.

- The only data that is accessible to an attacker is the data in your game itself, which is usually very low-value data outside of the game.  Android protects (or “sandboxes”) the memory used by apps so that they cannot read or write memory used by other apps on the system.  Any attempt by an attacker to read memory outside of your game would result in your game crashing, at worst.  No data outside your game would be lost.


What about games with advertisements or analytics?

In theory, a malicious advertiser could also steal your game’s data using the Heartbleed vulnerability, if your game talks to the advertiser’s server.  However, extracting data that would be interesting to an advertiser or analytics provider in an automated fashion is difficult enough that even malicious advertisers would be unlikely to bother for games.  And, as we described above, usually the data in your game is not very interesting outside of your game.

Additionally, advertisers make their money by having application developers integrate their advertising service, so if it was ever discovered that they were trying to steal application data, they would very quickly go out of business, since most application developers would be unwilling to work with such an advertiser or analytics provider.


But my game lets me log in to Facebook and Twitter, and lets me buy stuff on Google Play!  Can’t someone use Heartbleed against my game to steal login credentials or payment data?

Normally, all of these connections are made through different apps, such as Facebook, Twitter, Google Play, or your Android web browser.  As described above, the memory of those apps is inaccessible to your app on Android, so the data is not vulnerable to Heartbleed via your game.


But Bluebox’s Heartbleed Scanner App says my game may be vulnerable!

The Bluebox scanner app is unable to directly determine whether a particular app is vulnerable, because the apps are not running an OpenSSL server that listens for connections.  Instead, the Bluebox app just checks to see if your apps have any version of the OpenSSL library at all.  From https://bluebox.com/technical/heartbleed-bug-impacts-mobile-devices/:

“Additionally we scan all of the applications on your device and present you with ones that contain their own openssl library — you should follow up with those app developers to confirm they are using a safe version of OpenSSL.”

Any game that ships with OpenSSL will always show up as possibly vulnerable, whether or not the version of OpenSSL it uses is actually vulnerable, because the Bluebox app only detects that the library is present.
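The version check that a presence-only scan leaves out, as an added example (not Bluebox's or Apportable's code): it reads the version banner that OpenSSL builds embed in an APK's bundled native libraries and compares it with the Heartbleed-affected releases, 1.0.1 through 1.0.1f and 1.0.2-beta1. The sample APK, its library names and the status labels are constructed for illustration.

```python
import io
import re
import zipfile

# OpenSSL builds embed a banner such as b"OpenSSL 1.0.1e 11 Feb 2013".
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*)(-beta\d+)?")

def classify(base, letter, pre):
    """Classify by release number only. A build compiled with
    -DOPENSSL_NO_HEARTBEATS, or one carrying a backported fix, keeps the old
    banner, so "affected-range" means "ask the developer", not "exploitable"."""
    if (base, pre) == ("1.0.2", "-beta1"):
        return "affected-range"
    if pre:
        return "prerelease-verify"       # other betas: confirm by hand
    if base == "1.0.1" and letter <= "f":
        return "affected-range"          # 1.0.1 through 1.0.1f
    return "outside-range"

def scan_apk(apk_bytes):
    """Return {native library path: sorted [(version, status), ...]}."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            hits = set()
            for m in BANNER.finditer(apk.read(name)):
                base, letter, pre = (g.decode() if g else "" for g in m.groups())
                hits.add((base + letter + pre, classify(base, letter, pre)))
            if hits:
                findings[name] = sorted(hits)
    return findings

def build_sample_apk():
    """Constructed input: an in-memory APK holding three fake native libraries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("lib/armeabi-v7a/libgame.so", b"\x7fELF\0OpenSSL 1.0.1e 11 Feb 2013\0")
        z.writestr("lib/armeabi-v7a/libnet.so", b"\x7fELF\0OpenSSL 1.0.1g 7 Apr 2014\0")
        z.writestr("lib/x86/libphysics.so", b"\x7fELF\0no tls here\0")
    return buf.getvalue()

if __name__ == "__main__":
    for lib, hits in scan_apk(build_sample_apk()).items():
        print(lib, hits)
```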


What is Apportable doing to protect my game data?

We have already implemented the patch to our OpenSSL library so that future releases of our games and our SDK will not be vulnerable to Heartbleed.  We will be releasing updated versions of the apps we ship on an ongoing basis.  

The most important thing you can do is check if the servers your games connect to have the vulnerability, since personal information you have shared with your game could be on those servers, and an attacker could try to steal data from those servers using Heartbleed.  McAfee has a Heartbleed scanner for public use: http://tif.mcafee.com/heartbleedtest.

If you want more information about Heartbleed, we would recommend starting with http://heartbleed.com/.  It contains a more detailed overview about how the bug works, and links to a lot of excellent technical information about the vulnerability.

Developing for Android with Objective-C and Apportable

When developing for iOS, you can take almost any open source library and drop it into your application, and within a few minutes have something working. With Java Android development, this is of course more difficult. When you realize that the NDK isn’t nearly as well supported as its Java counterpart—and that creating a rapid prototype and transitioning it into a releasable candidate takes considerably more time and effort—it’s clear there’s been no easy road on Android.

Apportable was designed to do all of the heavy lifting that application developers do for any top-notch title on Android, and is designed for companies big and small. The basic idea of compiling native code for Android is not a new one, of course; the hard part is making it all work seamlessly.

Rolling Our Own

Cross-platform development can mean a few approaches. You can create an environment that defines a common API for both platforms; you can create a “lowest common denominator”-based solution; you can create a shared implementation backend and multiple frontends; or you can flat out re-write from scratch for each platform. 

Solutions like Unity require developers to re-write their app against Unity's API. We think that if you’re going to “buy in” to a given strategy, it might as well be one that you’ve already made a commitment to. And let’s face it—iOS isn’t going anywhere.

Freshly ground

Over 95% of our platform is not Java. We emit native machine code that’s executed directly on bare metal—no re-interpretation, no transliteration. Just raw, native power. We’ve even re-implemented the parts of Android’s native toolchain that we felt needed it.

Superpowering the Future

We’ve got a new build system that’s orders of magnitude faster at creating incremental builds. We’ve added features to conditionally link jars so that applications built with our SDK are smaller and leaner. 

Try out the SDK for yourself—for free—at www.apportable.com 

Our Internal Spritebuilder Game Jam!

On Thursday, January 30th, 2014, Apportable had its first internal hackathon event - the SpriteBuilder Game Jam! This event celebrated the launch of SpriteBuilder in the Mac App store on January 21st. We had about 20-25 folks participate in the jam, many of whom had never tried making any type of game before. Each team had up to 6 hours to create their game and record a demo. Our celebrity judges, Nicole Aptekar, Benjamin "Benji" Encz, and Rob Jagnow, then selected their favorite jams from the day. All 13 entries were given honorary superlatives by the judges, and 5 entries were awarded Grand Prizes. These were the 5 winners along with their prizes:

   
- Oregon Space Trail (Elliot and Zander) - Free Instapainting
- Phogix (Breckin) - Naming rights to an upcoming animal in PG's game Animal Voyage
- Silent Karaoke (Sergey) - Exotic Swedish Punch
- Blink Dagger OP (Michael H. and Christina) - Logo/graphic of choice laser-etched into laptop
- Operator Pong (Collin) - Original poem composed by Jim and Christina on topic of choice

Introducing SpriteBuilder: The Objective-C Game Development Suite for iOS and Android

We are happy to announce the release of SpriteBuilder! SpriteBuilder is the first complete game development suite for rapidly developing iOS and Android games with Objective-C and Xcode.

SpriteBuilder is the culmination of years of tireless effort from hundreds of contributors. We have brought together the maintainers of four of the most popular open source iOS game tools (Cocos2d, Cocos3d, CocosBuilder, and Chipmunk) to create a new, integrated development experience. SpriteBuilder 1.0 also includes the much anticipated v3 release of Cocos2d, the most widely used iOS game engine.

Read more on the SpriteBuilder blog.

Apportable Welcomes Peter Alau to Lead Business Development

Apportable is thrilled to welcome Peter Alau, former V.P. of Business Development at Digital Extremes, to the Apportable family.  Peter is a veteran of the electronic entertainment industry and has worked for Sony Computer Entertainment America, Maxis, Electronic Arts, Linden Lab, Sony Online, and GameSpy/IGN.  

On why he chose Apportable, Peter explains, “Apportable impressed me immediately. They are filled with brilliant engineers who not only grok the problem, but have exceptionally smart ways of solving them. What’s more, they do it very quickly - a requirement in the mobile world.”

Alau comes to Apportable to help us achieve our vision of creating the premier cross-platform tool set for mobile developers. As Peter explains, “Apportable wants to be the advocate and arsenal for the developer. Developers have been saying that the swelling renaissance in game design is currently hindered by platform tool limitations, so we are trying to level the field for all platforms and give developers freedom to build excellent games and other apps without worrying about OS issues.”

Alau will be running Business Development and evangelizing Apportable’s software and services. “It’s an infectious place to be, and I’m thrilled to be part of the team,” says Peter.

Venture Village: "Apportable: Wooga’s secret Android shortcut"

Cross-posted from VentureVillage

As the app economy rises, so do companies that make developers’ lives easier – and Apportable, which helped Berlin’s Wooga with its latest social game Jelly Splash, is ready to ride that trend.

Apportable, based in San Francisco, employs about 50 people and is supported by a $2.4m seed funding round led by Google Ventures. It makes software to automate the process of turning an iOS app into an Android app. Code in Objective-C, the main language used by Apple for iOS, make a few minor adjustments and get two functional apps. Need new features? Change the code just once. (For a more detailed explanation, try this blog post or this demo video.)

Clients so far include Björk (for her Biophilia app album), the company behind “galactic mote” game Osmos and Wooga, which used it to build the Android app for Jelly Splash, now at 15 million downloads across all platforms since August 2013.

“Jelly Splash is our broadest and most rapid cross-platform release yet,” the company said in a blog post at launch. “That means that we’ve used a few speed boosts to get the game to you as soon as possible.”

Normally, Wooga Corporate Development Manager Sebastian Kriese explained, new games would be built by separate teams for iOS and Android. With new games built and tested for iOS first, Android would usually be several steps behind. “Even now with Diamond Dash, it’s still a different feature set on Android,” Kriese said.

“We also had issues and challenges about how the game would feel on different platforms. If you use another technology and another team you might not achieve the same quality or the same feeling.”

So, after hearing about Apportable, they asked for a quick prototype to see if it’d be an alternative way to bring Jelly Splash to Android. “It was pretty amazing,” Kriese said. “We had the iOS game and three days later we could play almost all levels on an Android phone. It wasn’t perfect but it was already working pretty well.”

Wooga sent two engineers and Kriese as project manager to San Francisco to work with Apportable and produced a final version from “zero to launch” in eight weeks, speeding up the process “by a factor of months”.

The service comes for a price – Apportable offers a free basic service and either $1000 or $15,000 per developer per year for “indie” and “pro” licenses. Enterprise clients such as Wooga pay on a case by case basis and get extra features and support.

It’s the time to market that matters for Wooga, Kriese said. “In China, 95 per cent of the smartphones are Android. If we want to grow in these regions, we have to go all out on Android and bring games out as soon as possible.”

It will be up to individual teams at Wooga whether they use Apportable for new projects. Other companies working in a similar space include Unity, which uses a different method to bring apps to iOS, Android, Windows Phone 8 and BlackBerry 10.

Pocket Gamer: "Breaking down barriers: iOS devs launching Objective-C games on Android"

Cross posted from Pocket Gamer Biz

More iOS developers than ever are taking Objective-C based games across to Android, with cross-platform solution Apportable claiming it's breaking down traditional dev barriers.

The Apportable platform gives developers the ability to convert iOS games to Android automatically, without extensive changes to the original Objective-C or C++ code.

It works by cross-compiling Objective-C code for iOS to machine code that runs directly on an Android device's processor.

Freedom, speed, and performance

It's an approach that affords Apportable the freedom to optimise complex applications for speed and performance that rival the iOS version and outdo equivalent Java versions.

Recent partners include Pocket Gems, with the firm having launched Animal Voyage: Island Adventure simultaneously on iOS and Android.

"The Apportable platform is so far ahead and so much more complete than anything we've ever seen," said Pocket Gems engineer Jeff DeCew, before adding that Apportable "is improving at a rate faster than we can adopt" on the development side.

No sacrifices

Indeed, DeCew believes that through the use of Apportable, Pocket Gems has been able to ensure the quality of its products on all fronts. 

"One of the things we were worried about was the possibility that working on Android would slow down and inhibit iOS development," explained DeCew.

"We've had to make very few compromises on the iOS side to make our game great on both platforms.

"With the help of Apportable, Pocket Gems is free to focus on creating and improving the gameplay experience instead of rewriting code for Android."

Hemisphere Games: "Our Apportable Android Experience"

Check out this post from Hemisphere Games on their experience using Apportable!

It’s been three equinoxes since Osmos launched on Android. In that time, quite a few developers have asked us about our porting experience, probably due to the quality of the port as well as the game’s success on the platform. Our answer: we worked with Apportable. “How was that?” people ask. Our answer is, in a word, “Great!”

The tl;dr version of this post is:

    • Apportable’s platform allows you to “cross compile” your iOS project into a native Android app. (A .apk which you can publish to Google Play, etc.)
    • Yes, it works. It’s kind of crazy.
    • The folks at Apportable are brilliant, professional, and downright decent.
    • You can now try their service for free, and depending on your app’s features, you may never need to pay them a penny.

Read on...