Android and iOS Design Resources for Mobile Game & App Developers

Digital Innovation Gazette provides useful tips and resources for the design and development of mobile games and mobile apps for Android and iOS platforms. Content includes articles covering new trends, techniques and standards.

Are Big Gaming Devs Stealing their Game Ideas?

Mobile game giants Voodoo and Ketchapp are having no trouble generating ideas for new games. And now we know why.

As it turns out, Voodoo fields proposals from developers on what gaming ideas to pursue and ultimately execute. And because they are huge and well-funded, they can execute faster than just about anyone, including those who developed the idea to begin with. In a recent story that appeared on Engadget, author Jessica Conditt interviews Ben Esposito, a Los Angeles-based independent mobile game developer who details how Voodoo stole his idea for a game called Donut County, which is suspiciously similar to Voodoo's wildly successful game. Esposito had this "hole in the ground" idea back in 2012 when he began working on the mechanic, and since then Donut County has evolved into a story-driven game celebrating the sights of Los Angeles in a unique cartoon style. After years of development, Esposito is finally ready to launch Donut County on iOS, PC and Mac later this year. It will be a reasonably priced premium title, not free.

Voodoo is a French publishing company founded by Alexandre Yazdi and Laurent Ritter in 2013 with a focus on bringing iOS and Android titles to as many smartphones as possible. This was a time when the App Store was booming, and a few high-profile developers were raking in the dough. Ridiculous Fishing, Year Walk, The Room Two, Impossible Road and Badland are just a few of the titles that came out in 2013. And it looks as though Voodoo has been capitalizing on the energized mobile market ever since with its own titles, including Snake Vs Block, Flappy Dunk and Rolly Vortex. In May, Goldman Sachs invested $200 million in the publisher.


"There's clearly a market, and Voodoo has found it. They're starting to dominate it, and that's why people are investing in them."


Ketchapp made a name for itself in 2014 with the release of 2048, a free game that borrowed heavily from Asher Vollmer's Threes, which cost $2 at launch. Ketchapp is also the publisher of Skyward, a game that looks suspiciously like Monument Valley and Run Bird Run, which borrows from the Flappy Bird idea. Ketchapp is owned by Ubisoft.

The idea of stealing others' intellectual property might not sound all that bad on the surface, but when you dig into the implications you might feel differently. Innovation is at the heart of game development, and if innovators can't get the credit and rewards for their hard work, then this innovation will get stifled and the end user will suffer.

The Mobile App Security Mantra: Don’t Trust, But Verify

Although the technological designs of mobile devices have much in common with non-mobile computer systems, there are substantial differences that need to be understood. Here’s what mobile app developers should consider about the threat vectors they need to protect against.

Security on Computer vs. Mobile Ecosystems
Smartphone hardware and software technologies are radically different from those of computers. In terms of communication, on a computer you have one external communication channel -- whereas on a smartphone you have IP connectivity, Bluetooth connectivity, cellular data connectivity, NFC connectivity and so on. In terms of an operating system, mobile OSs are substantially more “closed” than desktop, laptop and enterprise OSs.

While at first glance this might make a mobile OS appear more secure, it’s truly a double-edged sword when -- not if -- threats manage to penetrate the OS defenses. As Luis Blando, vice president of engineering at McAfee, explains, “once the mobile OS is penetrated, the products and systems that would otherwise be able to protect the device (such as those made by security ISVs) would be limited in the protective actions they can take within the OS guardrails, and that can prevent quarantining, pre-emption or even detection.”

The mobile ecosystem is also very different from that of regular desktop computing in the number of viable operating systems, the types of application delivery mechanisms, and established policies for application acceptance. In the desktop world, with a simple visit to a URL, a user can download and install a binary which can very well be infected. In the mobile world, application download and installation is done mostly through approved stores that curate the apps.

That said, these app store checks can create a false sense of protection. “When we recently checked the origin of infected mobile software, as reported by the MMS user base, we discovered that the majority had been downloaded directly from major app stores,” Blando notes. “And, in Asia, the use of specialized app stores, which may or may not have any curation or security checks on their catalog, is widespread. Don’t think that just because you’re using GooglePlay or another major app store that it’s a guarantee of safety.”

Possibly even more significantly, there are vast differences in the usage models for mobile and regular computing devices. Mobile devices are with you all the time, record your every move, log your every communication, and are a treasure trove of both personal and corporate information. Smartphones contain much more information than the average computing device; it’s your phone, calendar, address book, camera, music station, remote control, ATM, shopping assistant, and more. The fact that smartphones are incredibly valuable for information theft pretty much guarantees that the supposedly secure “defenses” built in via technology or ecosystems as explained above will sooner or later be overcome. “Smartphones are simply irresistible as targets,” says Blando.

Despite these huge challenges, “mobile applications are often not tested at all for security, or are not tested in as much detail as traditional web applications,” notes Brian Shura, Vice President at AppSec Consulting. “The security testing toolset that is available for mobile applications is not that mature. A thorough assessment involves a large amount of manual testing combined with some automated tools. Large financial companies have the resources to perform detailed mobile application security assessments, but the majority of applications available from the App Store most likely have never undergone a thorough security assessment.”

Mobile Developers Have to “Think Differently” About Security
Mobile developers need to adopt a mobile security mindset. In many ways, mobile devices are computers and developers need to treat them as such; nothing on a mobile device eliminates the need for secure coding practices. All programs should sanitize input, only request the permissions that are absolutely necessary, and never store passwords or user data in clear text.

That said, mobile software does present new security challenges, both from the point of view of secure software and of protecting the user. Any mobile developer’s first priority should always be to protect the user. One key is to never let the illusion of security or safety suggested by either a closed OS or a single-user device fool you.

Mobile software developers need to keep in mind some new challenges on mobile devices:

•      Network mobility: Mobile devices connect to many networks. Most users will connect to any open WiFi hotspot they can find as a method of reducing cellular data usage. This means that mobile software, even more than desktop software, must never trust that the network is secure. In addition to eavesdropping, mobile software developers should be wary of hostile networks that may attempt to impersonate servers or services. Apps should encrypt all network data and verify servers and services before sending authentication credentials.

•      Device usage: Mobile devices are, well, mobile. Smartphones and other mobile devices go everywhere with their owners. They are also often taken out, used for a short time, and then set down. This means that they are also quite often lost or temporarily available to strangers. This frequent and on-the-go usage means that most mobile devices are not password protected. This is in contrast to laptops that are much more often password protected and are used less often and for longer stretches of time.

Mobile software that handles sensitive data should offer users the ability to separately lock the application or access to the data. Shura explains that’s why “developers need to take this into account and build their applications in a way that a stolen mobile device doesn’t lead to an application user account compromise. For the most part, this means ensuring that sensitive information, such as passwords, are not stored on the mobile device.”

•      Screen size: Smaller screens display less data. Screen size needs to be factored in when presenting the user with secure data or data they need to verify. One example is the URL input and display field in a browser. Most desktop browsers partially rely on the fact that a user can see the entire URL in this field. This is one line of defense against phishing attacks. The URL field on a mobile browser is so small, though, that only a fraction of the URL can be shown. This hides relevant data from the user and creates a new vulnerability. Keep in mind the size of the screen so that verification data displays are short or the most important data are displayed first.
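The "verify servers and services before sending authentication credentials" advice from the network mobility item, as an added Java example that is not part of the original article. It goes one step beyond the platform's default certificate and hostname checks by also comparing the server's public key with a pin shipped in the app; the endpoint, class name and pin value are hypothetical placeholders.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.URL;
import java.net.URLEncoder;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;

public final class PinnedLogin {
    // Assumption: hypothetical endpoint and placeholder pin. The pin is the hex SHA-256
    // of the server certificate's public key (SubjectPublicKeyInfo), shipped in the app.
    private static final String LOGIN_URL = "https://api.example.com/login";
    private static final String EXPECTED_KEY_SHA256 = "<hex-sha256-of-your-server-public-key>";

    /** Hex SHA-256 of the certificate's DER-encoded public key. */
    static String publicKeyPin(Certificate cert) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(cert.getPublicKey().getEncoded());
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    /** Returns the HTTP status; throws before any credential is written if the server is not ours. */
    static int login(String user, String password) throws IOException, GeneralSecurityException {
        URL url = new URL(LOGIN_URL);
        if (!"https".equals(url.getProtocol())) {
            throw new IOException("refusing to send credentials over " + url.getProtocol());
        }
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setConnectTimeout(10000);
        conn.setReadTimeout(10000);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        try {
            // Step 1: TLS handshake only. The platform's default checks (certificate chain
            // and hostname) run here and fail with an SSLException on a hostile network.
            conn.connect();

            // Step 2: compare the leaf certificate's key with the pin shipped in the app.
            Certificate[] chain = conn.getServerCertificates(); // index 0 is the server's own cert
            if (!EXPECTED_KEY_SHA256.equalsIgnoreCase(publicKeyPin(chain[0]))) {
                throw new SSLPeerUnverifiedException("server key does not match pinned key");
            }

            // Step 3: only now write the credentials to the verified connection.
            String body = "user=" + URLEncoder.encode(user, "UTF-8")
                    + "&password=" + URLEncoder.encode(password, "UTF-8");
            try (OutputStream out = conn.getOutputStream()) {
                out.write(body.getBytes("UTF-8"));
            }
            return conn.getResponseCode();
        } finally {
            conn.disconnect();
        }
    }
}
```

A pinned key has to be rotated together with the app, so ship a backup pin for the next key before the current one is retired.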

How Can App Developers Help Users Keep Private Data Safe?
While “in the past, developers of mobile applications did not have many resources to turn to for security guidance, that’s definitely starting to change,” says Shura. “OWASP (Open Web Application Security Project) now has a Mobile Security Project, which includes an OWASP Mobile Top 10 List of common vulnerabilities to avoid, Mobile Cheat Sheets for developers, and lots of testing guidance for people that are performing mobile application security assessments. I encourage mobile application developers to become familiar with the resources that are available on the OWASP website.”

Blando notes that, depending on the OS, there are also some specific issues to be wary of:

On Android:

•      Be careful creating services, as any application on the device may have access to it.

•      Treat incoming intents as hostile input -- sanitize and check the data they provide before acting on it.

•      Make sure files stored on the device are protected both with file system permissions and with other data protection techniques like obfuscation or encryption.

•      Assume the user already has root access to the device.
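The first two Android items above, as an added Java example that is not from the original article or from McAfee: a component that must be reachable from outside validates every part of the incoming intent against an allow-list before acting on it. The activity name, host, path and id format are hypothetical.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;
import android.widget.TextView;
import java.util.regex.Pattern;

/*
 * Manifest side (assumed names): components that other apps never need are declared with
 *   <service android:name=".SyncService" android:exported="false" />
 * This activity has to be exported to receive links, so it validates everything it is sent.
 */
public class InvoiceLinkActivity extends Activity {
    private static final String TAG = "InvoiceLink";
    private static final String EXPECTED_HOST = "app.example.com"; // hypothetical host
    private static final Pattern INVOICE_ID = Pattern.compile("[0-9]{1,12}");

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        String invoiceId = parseInvoiceId(getIntent());
        if (invoiceId == null) {
            Log.w(TAG, "Rejected intent: unexpected action or data");
            finish();
            return;
        }
        TextView view = new TextView(this);
        view.setText("Invoice " + invoiceId);
        setContentView(view);
    }

    /** Returns the invoice id, or null if any part of the intent is not what we expect. */
    static String parseInvoiceId(Intent intent) {
        if (intent == null || !Intent.ACTION_VIEW.equals(intent.getAction())) {
            return null;
        }
        Uri data = intent.getData();
        if (data == null || !data.isHierarchical()) { // getQueryParameter() throws on opaque URIs
            return null;
        }
        if (!"https".equalsIgnoreCase(data.getScheme())
                || !EXPECTED_HOST.equalsIgnoreCase(data.getHost())
                || !"/invoice".equals(data.getPath())) {
            return null;
        }
        String id = data.getQueryParameter("id");
        // Allow-list the format instead of trying to strip bad characters.
        if (id == null || !INVOICE_ID.matcher(id).matches()) {
            return null;
        }
        return id;
    }
}
```

A well-formed id is still chosen by the sender, so the back end must check that the signed-in user is allowed to see that invoice.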

On iOS:

•      Assume the phone is jail-broken. That's not to rely on jail-broken behaviors, but to write your software as if the user already has full access to the device instead of relying on the OS to provide sandboxing to isolate your data from the user's view.

The Bottom Line: Don’t assume anything. Don’t trust. Verify.

Additional developer guidelines can be found at the U.S. Federal Trade Commission website: Mobile App Developers: Start with Security.

New Unity Features for App Makers

Unity, the widely used multi-platform game engine, continues to expand, offering new features and targeting additional platforms.

The past few weeks have seen considerable activity. In March, Unity Technologies released Unity 4.1, which includes support for Apple’s AirPlay wireless streaming technology and an updated memory usage tracking tool. Also last month, Unity Technologies entered an alliance with Sony Computer Entertainment Inc. that will make Unity tools available for the upcoming PlayStation 4, PlayStation Vita and PlayStation Mobile platforms.

In another alliance, Unity Technologies is partnering with Oculus VR Inc., which is developing the Oculus Rift virtual reality headset. Under that arrangement, Unity will offer Rift developers an extended Unity Pro trial license at no charge. The Unity tool comes in free and professional versions, with the latter, Unity Pro, priced at $1,500.

What’s New in Unity 4.1
Yury Yarmolovich, Unity developer at Elinext Group, a custom software developer based in Minsk, Belarus, says his company uses Unity to create augmented reality apps, among other things. He’s happy about the new features of Unity 4.1. “What is really good is the new Memory Profiler with a detailed overview of the resources used,” Yarmolovich says. “Also, shader improvements deserve recognition.”

The Memory Profiler update, available on Unity Pro, provides a greater level of detail as it breaks down non-managed memory usage. According to Unity Technologies, the feature lets developers track consumption “right down to the level of individual objects, assets, textures, meshes,” among other elements.

Unity 4.1, meanwhile, also offers multi-screen AirPlay support, which lets developers press iPads and iPhones into service as game controllers. Users control games on the handheld devices as the action is streamed to an HDTV. “I have not used much of AirPlay, but I think it’s a cool thing,” Yarmolovich says.

Chris Skaggs, founder and chief technology officer of Code-Monkeys, an application and web development company based in Newberg, Ore., cites Unity 4’s animation capability as a standout component. “Our favorite new feature is the new animation tool -- being able to set those things up inside the IDE is a big time saver and helps tremendously with animation prototyping,” Skaggs says.

Support for Additional Platforms
In general, Yarmolovich cites Unity’s cross-platform capability as an advantage, noting support for Android, iOS, Windows, Mac OS, Linux, PS3, and Xbox360, with upcoming support for Wii U, Windows Phone 8, BlackBerry 10, as well as current and next-gen PlayStation systems. He also lists other pluses, including support for C#, JavaScript and Boo; a comfortable MonoDevelop editor with a debugger; Asset Server for sharing code from the development environment; Asset Store for downloading additional applications and scripts; and support for various multimedia formats, including 3ds Max images.

Looking forward, Unity Technologies is moving to extend its platform reach. In late March, the company announced a Unity 4 open beta program for Windows Phone 8 apps. A spokesman for Unity Technologies says the company has yet to announce a release date for Windows Phone 8 support. “We just entered a more public beta period at [Game Developers Conference] and are inviting a much larger group of developers in to test,” he says.

In addition, Unity Technologies plans to let developers create games for PCs or tablets running Windows 8 and Windows RT and publish them to Microsoft’s Windows Store, according to Unity’s blog. That support will start with Unity 4.2.

Skaggs is also very interested in support for Windows 8. “As a matter of fact, Win8 with multi-touch support for things like the new Ultrabooks is something we bug Unity about on a weekly basis,” he notes.

“Whether or not it becomes a real player in the game space again will partly depend on how much developers are supported and then can deploy quality titles,” Skaggs continues. “For us, we live and die on the ‘multi-platform’ proposition and Win8 is just another platform that we want to be available on. Unity is so good with multi-deployment already...we want more.”

Developers can also anticipate Unity support for BlackBerry 10 smartphones. In February, Unity announced plans to build a development add-on for BlackBerry 10. At press time, a free beta version was expected to debut shortly. The final release is expected this summer, according to the company.

How Will DevOps Impact Mobile App Development?

The fast-paced world of mobile apps may benefit from a software development method that aims to boost efficiency and flexibility: DevOps.

DevOps, which borrows concepts from the Agile software movement, seeks to pull together the development and IT operations sides of an organization. That can prove difficult, since developers tend to favor change while operations personnel strive for stability. The DevOps approach tries to get everyone to meet in the middle and, at the same time, eliminate the awkward handoffs that can occur as software passes from coders to implementers and, ultimately, to customers. The objective: Shrink cycle time and meet changing customer needs.

Cultural change is an important aspect of DevOps, but so too is automation. An emerging set of tools aims to help bridge development and operations. As the industry changes, experts say the tenets and tools of DevOps are starting to impact mobile development. One key driver is the pace of development.

“Mobile development moves more quickly than most enterprises are accustomed to,” says Eric Minick, lead consultant at UrbanCode Inc., a Cleveland-based company that provides DevOps release and deployment tools. “It’s complicated by apps often targeting multiple platforms such as iOS, Android and generalized HTML5 offerings. Mobile teams can benefit from taking a few pages out of the DevOps playbook.”

In Minick’s view, approaches such as continuous delivery may be applied to mobile applications. In doing so, development teams “would rebuild our apps with every code change, ‘deploy’ them into simulators, and run functional test suites for each target device or platform. This can help the team catch regressions more quickly,” he says.

Enterprise Markets, Mobile Infrastructure

Many mobile apps are geared toward consumers. But adherence to DevOps could help developers extend their reach to include business accounts. “It would open up their applications and their market to enterprises,” says Jesus Garcia, alliance marketing manager for Intel’s software and solutions group. [Disclosure: Intel is the sponsor of this content.]

However, enterprises are often wary of taking on applications that don’t meet their needs in terms of maintainability, security and control, among other variables. DevOps provides insight into the operational side, which is important when it comes to application maintenance and management.

“Consumers aren’t necessarily concerned with security, manageability and maintaining applications -- but enterprises are,” Garcia says. “If a DevOps approach is going to facilitate integration into an enterprise environment, that’s a win-win for both the enterprise and app developers.”

DevOps can also help IT teams coordinate mobile apps and the enterprise back-end applications that support them.

“More and more, the mobile applications are not just building on top of existing back-end applications within the enterprise, but are driving changes to those systems,” Minick says. “That requires increased collaboration between the mobile development teams, traditional development teams and the traditional operations groups. The coordination required, and the pace being driven by mobile, is a big factor driving DevOps in the enterprise.”

Steve Hazel, vice president of product at Sauce Labs Inc., a company that lets developers test web and mobile apps in the cloud, also cites back-end applications as a fit for DevOps. He says the vast majority of mobile apps have a component in the cloud -- a website that presents an API that the app uses, for example. While a mobile app a consumer uses isn’t part of an enterprise’s operations, the back-end application falls into that category. “All of the DevOps methodologies apply to these mobile back-end sites,” Hazel says.

Hazel notes that many mobile back-end apps are being developed from scratch, so people want to adopt the newer methodologies. In his opinion, mobile developers are on the cutting edge of DevOps and Agile adoption. He suggests that the percentage of mobile developers that have adopted DevOps may be higher than the percentage of web developers that use that method.

Michael Prichard, founder and chief technology officer of WillowTree Apps Inc., a mobile app design and development company in Charlottesville, Va., says his company has a 12-person DevOps team, out of more than 45 employees overall. WillowTree started building native apps in 2008, but eventually the company found that those apps needed to talk to something. The DevOps group focuses on creating APIs and back-end integration.

In one recent example, WillowTree developed the NBA’s All Star Weekend 2013 iPhone and Android apps. The company, Prichard explains, created the entire back-end system, building a Django content management system instance and employing Amazon Web Services to build a scalable system. “There are no more standalone apps,” Prichard says.

New software release approaches and shorter maintenance timeframes may also contribute to DevOps adoption. Jacob Ukelson, director of product strategy at Nolio, an application release operations software company, says maintenance windows have shrunk drastically with always-on computing, and he notes that mobile will cause them to shrink further or disappear entirely. As a consequence, companies will need to manage feature upgrade deployment and bug fixes so they have minimum impact on application availability, but still ensure application stability, he says.

Companies hoping to make that happen will begin to adopt new deployment methodologies such as dark launching and blue-green deployments, which can help meet those needs, Ukelson says. DevOps can smooth that adoption path. “DevOps will give companies the agility they need for these new release paradigms,” Ukelson says.

Tool Adoption

Automation vendors find that mobile developers have started to purchase their DevOps supporting tools.

“We expect more adoption this year as mobile development matures and the DevOps approach becomes more widely understood,” Minick says. “We definitely see some customers using our tools for mobile development, and to make sure all the back-end systems have updated code in place before the apps are pushed out to customers.”

Ukelson says a few customers use Nolio for mobile app delivery. Still, mobile isn’t the main driver for adoption of Nolio’s Release Operations Suite, Ukelson says, noting that continuous delivery has become a key reason to deploy the product. Mobile, however, provides another driver for the move to continuous delivery.

The time appears ripe for DevOps and greater tool use in the still-young mobile development arena.

“In many ways, it’s still in the early days for mobile development and while the velocity is there, the discipline is lacking,” Ukelson says. “My bank’s chronically broken mobile app makes that abundantly clear. The resulting two-star ratings with a comment of, ‘Might be good if it worked’ hurt adoption over a long period of time. Adopting a DevOps mindset, and more mature tooling, should help these mobile development teams keep moving quickly while raising quality.”