

With 10 pirated copies for every 1 sale, iOS dev pulls game after just one week - crm114
http://pockettactics.com/2012/12/04/hunted-cows-andrew-mulholland-on-battle-dungeons-untimely-demise/

======
krautsourced
Was there no registration or anything to join the servers? If they have a
browser game business, there must have been some sort of account management in
place already? Are they going to re-release with a different user scheme, or
are they reimbursing customers now? In any case, it's pretty shitty for them.
Tbh I wasn't even aware that piracy was such a big issue in iOS. Good to know.

~~~
Jabbles
Precisely. Surely you can give each purchaser a unique code (hash of
transaction number?) to connect to the server with, and only allow one
connection per code at a time. (I don't do iOS dev, but I assume this is
trivial.)

If they can tell who's pirated vs who hasn't (I assume they can), it seems
like something is missing. Is it too cynical to suspect a marketing ploy to
grab headlines?

~~~
taligent
Well it would be a server side check. But even a rudimentary IP address check
would be fine to ensure one connection at a time.

It is all a bit odd I have to admit.

~~~
yebyen
Aside from barring users who are legitimately sharing a connection (and not
even pirating your app)...

How does this actually solve the problem? Pirates are really unlikely to be
colocated with the person who let them have an illegal copy of your app.

------
piqufoh
Apple Game Center is heavily integrated into iOS and provides all sorts of
validation features. Surely the devs could just re-release and force users to
authenticate through Game Center?

Also - any idea if the honest paying game players are going to be compensated?
In future they'll see paying for a game as i) paying for a week's worth of play
ii) pirating it for a week's worth of play. You mustn't punish genuine users
because of others' behaviour...

------
huhtenberg
Why can't they distribute the game app as a free client for an online service
with paid accounts? That would seem to be the simplest and most obvious way to
curtail the piracy. Especially given that they _do_ have an online component
of the game anyway.

~~~
rtpg
It complicates the process, and when you make paying for something more
difficult, people are less likely to do it.

I'm surprised that the company can't simply do a 'phone home' procedure when
online services are tried though, verifying through App Store APIs (if they
exist) or by making their own things. Does anyone know how feasible that is?

~~~
davedx
It's totally feasible, the problem is whether the people who are distributing
the pirated version are also capable of cracking the client the same way e.g.
Photoshop cracks work to nullify phone home checks.

Fighting piracy always comes with an effort/reward calculation like that.

~~~
huhtenberg
You got it wrong.

If it's an online game, the license check is performed on the server side and
no amount of clever client cracking will get around that. When you buy a
license, the licensing server associates some sort of ID with your
installation, the same ID that must be presented to the server for an online
play. No valid license -> no valid ID -> no online play. That's how all
massive online games with free clients work. Easy-peasy. The question here is
what can be used as an ID in case of iOS games, but, again, this is a solvable
problem.

Moreover, the same scheme applies to the standalone software, except there's
an extra step involved with strengthening the executable against any
modifications. What Photoshop did is the lamest thing possible (and I think
it's a valid theory that they did it on purpose to facilitate the piracy
rather than to curtail it). A simple option is to sprinkle 100s of
conditionals around the code (with a simple pre-processing script if need be),
do not issue any sort of messages, but instead just make the code corrupt
heap, stack and do other things that would cause the program to go down after
a while. Then simply sign the executable. This is _very_ effective. For every
complaint in the support forums that the program crashed (and a crash dump that
shows the absence of a valid file signature), there's an automatic reply that
it's a cracked copy, you get what you paid for.

~~~
davedx
It sounds like you have a lot of experience in this area. I admit I've only
really touched on it before on projects I've worked on. Do you know if there
are any good books or online guides on this subject, as I find it quite hard to
devise these systems myself?

~~~
huhtenberg
You may want to go through fravia.org archives. It's old, but basic protection
principles don't change that quickly (or, looking at it from the other end,
rudimentary cracking techniques are the same as well).

~~~
davedx
Looks like the domain expired? Oh well, thanks anyway :)

~~~
huhtenberg
_archives_

------
TheAnimus
It is funny, I without hesitation felt sorry for the devs. But then I recalled
sighing at the attitudes of News Corp with The Daily.

It's the same principle, taking a business model that might have worked in the
past and forcing that square peg in to the round hole.

They have a good game, that engaged people, even at a price point of zero that
seldom happens. Hopefully they will be able to think of a way of making money
to sustain it.

Hopefully not the whole freemium thing, as a gamer I hate that.

~~~
gurkendoktor
What was wrong with the business model of The Daily? What business model
should they have chosen? They were using (then brand new) subscription IAPs in
the App Store, which were designed as _the_ square hole for their purpose.

I agree that the business model of the game devs is "wrong" because they were
trying to charge one-time fees for lifetime server support. What if there had
been no pirates, but paying players had played for 10 months instead? Would
that have caused the same server issues? But that is a calculation that seems
to work okay-ish with better DRM (or at least it worked great for Diablo 3 in
the first weeks - I stopped tracking it after that).

------
jiggy2011
I don't get why he pulled it. Surely N / 10 (where N is some positive integer)
will always be better than 0?

What is more interesting here though is that (AFAIK) the only way to run
pirated iOS games is to jailbreak your phone/tablet. I'm going to assume that
waaay less than 90% of iOS users jailbreak their phone.

So this either means that people who are interested in iOS games are _far_
more likely to jailbreak than people who aren't gamers (not an unreasonable
hypothesis but 90% still seems high).

Or there's something about this particular game that makes it especially
appealing to jailbreakers?

~~~
robert-boehnke
It's a multiplayer game and they could not afford paying the servers they
needed

~~~
jiggy2011
I wonder if a solution to that might be to take what I will call the
"counterstrike model" where the game developer doesn't necessarily have to run
all of the game servers themselves.

In other words, when you run the game you get a selection of servers to play
on. If you want to play on the official servers you need an account from the
developer (which you get when you buy it) but if you are a pirate user you get
to run on any of the unofficial servers only. Of course paying customers will
be able to use either official or unofficial servers.

~~~
hmottestad
But how do you give accounts to paying customers?

The only way I know is through in app purchases.

~~~
jiggy2011
Simplest way would be to automatically email the customer a link with a long
randomly generated number (only valid once) when they purchase, when you hit
that URL it prompts you to set a username and password.

~~~
hmottestad
Does the email address come on the purchase report to the seller from Apple?

~~~
jiggy2011
I have no idea, not an iOS developer. I assume there must be some API or email
proxy that you can use to contact customers if they don't reveal the actual
address.

~~~
hmottestad
I don't think there is a way to get any details at all about a specific
purchase on the App Store except when using in-app purchases.

When using in-app purchases you will get a receipt from Apple that is signed
with their certificate that you can process and send to your own servers to
limit pirates from accessing the servers.

------
stuaxo
I seem to remember an article before saying this is about the normal ratio.

If you think back to the era of Amigas and floppy disks it was probably about
the same.

~~~
meaty
I doubt that was even the case, unless you wrote disk copying software. X-Copy
Pro was the only bit of software I ever purchased :)

Everyone had bags stuffed with 3.5" floppies.

------
hmottestad
I'm not an iOS dev, however I remember that games on the PlayStation sometimes
require updates to be allowed to play on the servers.

So one way of combating piracy would be to release updates weekly and disable
access for the old version after another week. Yes, the pirates would be able
to keep up, but updating apps is a much bigger hassle for pirates than for
those who purchased the app.

------
raverbashing
Well, if you know the pirated copies from the licensed ones you can try to
block in the server.

I assume they were naive in thinking that piracy wouldn't happen.

Changing the business model may be a possibility, charging for 'in game'
goods.

~~~
nicholassmith
There's starting to be a pushback against developers releasing games for free
and monetising through IAP if it appears 'excessive', and required for the game.
I've seen more than a few comments levied about it, essentially there's a
reasonably vocal group who don't want to pay more than 79p for games, and
don't want IAP to be necessary for their enjoyment.

I don't think they were naive, but they probably didn't expect the piracy
level to be quite as high as it would be. Doing server-side blocking for
pirated stuff is reasonably difficult, as successfully detecting who's pirated
and who's not can occasionally go wrong and burn the paying customers.

~~~
huhtenberg
> _There's starting to be a pushback against developers releasing games for
> free and monetising through IAP_

If a free app is a demo and IAP is a one-time upgrade to the full version,
then it's reasonable and perfectly acceptable. This is, arguably, what the IAP
were actually designed for - a nextgen support for try-then-buy software.

The pushback is typically aimed at tacky milking practices - "a satchel of
coins for $5.99, a pot of gold for $15.99, etc". You either release a limited,
but self-contained playable demo, or a fully functional game. Anything that
falls into a stretch between these two feels like a sleazy bait-n-switch kind
of deal, hence the pushback.

~~~
nicholassmith
That seems to be one aspect, but I've seen games getting railroaded for having
a limited aspect with a pay to access additional functionality, and people
saying "I'd prefer to have paid X amount for this app not IAP", even in cases
where devs have made it free to get more traction.

I personally think companies releasing apps now should be bold enough to stake
it and go "it's $10". Square Enix are, it seems to be working for them,
sometimes.

~~~
huhtenberg
For what it's worth I personally don't even look at free games anymore,
because there's always a catch. So, yeah, I guess it's a form of a pushback
due to the massive abuse of IAP that doesn't align well with users' genuine
interests.

------
NateDad
I can't believe their solution is to not run an online multiplayer game.
That's the ONLY kind of game you can assure 100% payment for. They just fail
at development. This is a known and solved problem. Look at WoW. You have to
log in with a valid account to the game server to play online with people.
Yes, it's a slight barrier to entry. Oh well, deal with it, it gets you 100%
paying customers. This is not hard.

------
madisp
I thought that piracy in multiplayer games was a solved problem these days.
Even the first Half-Life (1998!) had an online authenticity check.

~~~
jiggy2011
No, if the authenticity check is client side you can hack the asm to neuter
it.

If it runs server side you can redirect those packets (often as simple as
changing HOSTS file) to a server that you control which can be set to always
say "yes, you are legit!"

This is why a lot of games are now removing LAN play, because if you can run
the pirated game on a LAN you can use a VPN to turn it into an internet game
etc.

~~~
rmc
_No, if the authenticity check is client side you can hack the asm to neuter
it._

This is security 101 people. Don't trust what the client says.

~~~
jiggy2011
The issue with games however is that often all the actual content and game
that you want to get access to actually lives on the client. For example Call
of Duty singleplayer campaign. If you have most of your interesting stuff on
the server (e.g. WoW) then of course it makes sense to do checks server side.

This is why DRM is fundamentally broken for singleplayer games (or music, or
movies) in that you _have to trust the client_.

~~~
rmc
Yes for single player games.

For multiplayer games that require a server, you only allow them to connect
and do the multiplayer bit if they have paid. Simples.

~~~
jiggy2011
Not quite so simples.

Your choice is either to do as these guys did and run all the servers
themselves in which case you need to factor the lifetime cost of running the
servers into the purchase price or charge subscriptions.

If you ever take the game servers offline the game then becomes unplayable and
will preclude modded servers (which were fun in games like CS) and LAN play.
There's still a risk that if your game is popular enough someone will
reimplement the server.

So the other way to do it is to allow third party servers or build the game to
work on a type of P2P system (I think a lot of Xbox games still work this way).
At that point you are basically back to the original problem.

------
josephlord
Probably the best solution would be to switch to recurring in-app subscription
to the online service. This is I think easier to verify and harder to pirate
and should align the revenues with the costs (avoiding getting nice sales up
front and not being able to sustain the servers in 18 months time).

Some hacks might work if they don't want to go down this route like issuing an
update that contacts the server for a unique ID on first run and treating
those that don't update quickly as suspicious - request them to email the
iTunes receipt or something.

How quickly is regarded as suspicious could be worked out by looking for when
there is a divergence between installs (and unique ID requests) and the daily
update totals the App Store provides. Duplicated IDs should be easy to detect
if they access the service later.

------
cletus
I've seen the other side of too many of these stories not to be skeptical, if
not outright cynical. Let me explain.

1. There are no absolute sales figures here. It may be that the game sold
dismally and a story about piracy might have gotten the developer a ton more
PR than the game ever would've;

2. The issue in this particular case is not number of copies (pirated vs
non-pirated) but the amount of hours spent from pirated vs non-pirated. Even that
doesn't tell the whole story. Perhaps this game required a critical mass of
users (some do)? If so, pirated users might ultimately be beneficial.

Also, when it comes to piracy there are a lot of people who download a lot of
pirated content and then never look at it or they might try it once. Just
getting the pirated content itself becomes a game;

3. How expensive is it to maintain a server on a per user or per user hour
basis anyway? It seems quite likely a single machine can serve thousands if
not tens of thousands of users as a conservative estimate; and

4. Are they shuttering the game or just overhauling the authentication model?
If they plan on rereleasing it then the publicity of (1) becomes even more
likely.

Like I said, I've seen a number of one-sided stories now where I've known
something about the other side and as sympathetic as someone can make their
case, believe me--generally speaking--there is a lot they don't tell you.

Also, don't discount the possibility of internal politics. It's a lot easier
for a product lead to say "we had to pull this because of piracy" to his or
her boss or board than it is to say "we made a game that no one bought".

I'm just saying.

~~~
bmeckel
The other huge thing to note here is how few current users are jailbroken. The
current jailbreak is a version behind the current OS, so the number of people
running it is waaaay lower than it could be. If this was posted while a
jailbreak was easily available for the current OS, then I could totally
believe that the number of pirated copies was an actual issue (as it's happened
in the past), but right now? I highly doubt it, especially since those who
pirate apps are a smaller subsection of jailbreakers, and with fewer
jailbreakers it's just too unlikely.

~~~
lessnonymous
I'm not an iOS developer, but your comment leads me to believe that I can
solve their problem:

if( iOS.version < 6 ) quit;

------
lucian1900
The game could have an in-app payment, whose receipt is checked server-side.
Then access to your game is as secure as your server (and its interaction with
your app). Still hackable, but not trivially.

------
sspiff
> and if this story serves to scare off would-be iOS devs, then we’re all
> poorer for the actions of a few.

According to these numbers, the few seem to outnumber the many 9-to-1. As a
software developer and someone who doesn't mind paying for good games, the
state of affairs saddens me a great deal, but it would be hypocritical to
blame this on the fringe "one-per-centers".

------
sprash
The great fallacy here is the notion that you would sell more without piracy.

Piracy at least brings you publicity. Even if you would somehow be able to ban
all piracy, in the best case you still would only have that one sale out of
10.

Pulling the game from the store was a pretty stupid move. If I really wanted
to play that game now I have no other choice but to - you guessed it - pirate
it.

~~~
pkolaczk
It is not the problem of lower sales, but of higher costs caused by those 9
additional pirated copies.

~~~
mnicole
Even if those additional copies weren't pirated, would the revenue from those
users have been enough to sustain them?
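
Added example, not part of the thread or any commenter's code: a sketch of the server-side gate several comments describe (Jabbles' one connection per code, huhtenberg's "no valid license -> no valid ID -> no online play", jiggy2011's single-use emailed number). The class and method names, the in-memory storage, the 60-second seat timeout and the transaction ID format are assumptions; how the server learns of a genuine purchase is left open, as it is in the thread.

```python
import hashlib
import hmac
import secrets
import time


class LicenceServer:
    """Toy in-memory licence gate; names and policy are assumptions for illustration."""

    def __init__(self, key=None, ttl=60):
        self.key = key or secrets.token_bytes(32)  # secret never leaves the server
        self.ttl = ttl          # seconds without a heartbeat before a seat frees up
        self.pending = {}       # sha256(one-time token) -> transaction id
        self.sessions = {}      # licence -> (session id, last-seen timestamp)

    def _mac(self, txn):
        # Keyed hash rather than a bare hash: transaction ids may be guessable.
        return hmac.new(self.key, txn.encode(), hashlib.sha256).hexdigest()

    def record_purchase(self, txn):
        """Return a single-use token to send to the buyer (e.g. in an emailed link)."""
        token = secrets.token_urlsafe(32)
        self.pending[hashlib.sha256(token.encode()).hexdigest()] = txn
        return token

    def redeem(self, token):
        """Swap the one-time token for a licence string; a second use returns None."""
        txn = self.pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        return f"{txn}.{self._mac(txn)}" if txn else None

    def connect(self, licence, now=None):
        """Return a session id, or None if the licence is forged or already in use."""
        now = time.time() if now is None else now
        txn, _, mac = licence.rpartition(".")
        if not txn or not hmac.compare_digest(mac.encode(), self._mac(txn).encode()):
            return None                      # no valid licence -> no online play
        live = self.sessions.get(licence)
        if live and now - live[1] < self.ttl:
            return None                      # seat taken: one connection per code
        session = secrets.token_hex(16)
        self.sessions[licence] = (session, now)
        return session

    def heartbeat(self, licence, session, now=None):
        """Keep a seat alive; only the current session holder may refresh it."""
        now = time.time() if now is None else now
        live = self.sessions.get(licence)
        if not live or not hmac.compare_digest(live[0].encode(), session.encode()):
            return False
        self.sessions[licence] = (session, now)
        return True
```

A licence string copied to other devices still verifies, but it only ever holds one seat at a time, and the timeout keeps a crashed client from locking its owner out.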

