Ahoy! Thar be pirates ahead.

Recently I shipped a free to play (F2P) game for iPhone titled "Jurojin: Immortal Ninja". I spent the better part of 2 years building it as a labor of love. And, while it hasn't reached its ultimate form, it's well on it's way to becoming a game I can be proud to say I made. Like many iOS games, Jurojin's release schedule started with what's called a soft-launch. It's a limited release to a few countries where (the plan goes) we gather critical UX data, quash bugs, and prepare for a brighter and bigger worldwide release. User acquisition, marketing, and initial data from the soft-launch went pretty much as we expected. We were getting few to no users without putting dollars into marketing and we were learning what we needed to learn. Then things started picking up.

The biggest gaming news site to pickup our soft-launch was the excellent TouchArcade. With the favorable review and large community, our organic user installs went from about a dozen per day to almost eighty per day while the article was on the front page (the game was only available in Canada mind you). This saved me some marketing budget and boosted my spirits. It also started a nice media snowball. Buzz started to pick up for Jurojin and I decided to release in a few more countries to take advantage of that fact. Vietnam still shows the most external coverage for the game on various vietnamese gaming sites. Various sites and blogs started posting blurbs and adding Jurojin to a bunch of listings and trackers. It was nice.

I didn't know it, but the pirates came. They charged in like a 6-year old at the Lego store. Jurojin was still in the glow of new media coverage and I did not know what to expect. When I woke up, I checked my server dashboard, and then I started to dance on the bed. 90 installs in the last half hour! What's the new user count? 4.13K since last night?!? Check iTC. iTC says there's only 20 installs yesterday, they're probably lagging. 4.8K users! Server usage climbing! It keeps going! 24 hours later, we were sitting at almost 6K new users. The next morning, iTC confirmed the worst.

Of the 6K new users, only 35 had come from the AppStore. Jurojin was being pirated. I think the worst feeling was that these pirates made me feel stupid. A consistent creamy stupid, like a fine cheese. Why would someone steal something that's already free?! How absurd! But price is not the motivating factor for these pirates. Apps are just hamburger meat for the big hungry beast that is the pirate appstores. This soft-launch decided to let me learn much more than I thought I would.

If these pirates weren't so irritating, they'd be downright fascinating. They're using automated cracking tools (duh) and have sophisticated distribution infrastructures in place. We (miraculously) released a new build of Jurojin just 2 days after the pirate influx. Within 24 hours the new build was already cracked and being distributed. Jurojin has some startup code that disallows old clients from playing and points those players to the App Store to upgrade. During the transition, our new users reverted to legit downloads until the new binary was cracked. Because of the endless stream of Chinese display names, I think I correctly assumed that the pirates were Chinese. So, I released Jurojin in the Chinese App Store. There's a lot of Chinese people (if you didn't know) and we got a lot of downloads. More than 300 legit downloads in the first day with zero advertising and no ranking. Was it because of the pirates? I don't know, but it did give me an opportunity to compare the users.

The pirates are people. Or, at least they seem to be. Jurojin uses the latest authentication services from Apple and we try to authenticate users' GameCenter logins in order to provide a seamless account creation. The crypto is pretty standard and I'm assuming unbroken. So when I see about 30% of pirates with legit GameCenter logins, I trust that they're real. Real users, by the way, are about 90% logged into GameCenter. Pirates also seem to see apps as completely disposable. The churn is huge. The fall out rate for our tutorial is over 80% for pirates, with many not even making it more than a few steps past account creation. Some of them do seem to like the game though.

One of my hobbies (now that the game is live) is to watch the live logs and look at what players are doing.

New User. Haha, this guy died to the low level minion. Somebody opened the store and didn't buy anything. New User. Core user is training some scrolls. New User. Attempted IAP!! Wait a second...

So, the pirates, their tools are pretty good. The automated cracking tools seem to be sophisticated enough to attempt IAP circumvention. Seems pretty obvious: if you don't have a legit binary you can't make legit IAP transactions. But, I was a good boy and I studied instead of played. Like I said: Jurojin uses the latest auth services from Apple. And since the game is server-authoritative, all transactions must pass validation from our server code. Server code which validates receipts via a direct connection to Apple. Even if you've cracked the Jurojin binary, you're not getting the content without also reimplementing our fairly sophisticated server infrastructure. But that doesn't stop the pirates from trying.

From what I can tell, the jailbroken pirate OS does its best to generate legit-looking receipts in order to try and fool app servers. The receipts are far from perfect but superficially, they look pretty good. I'm guessing that the little bits of bad mojo in the pirate receipt are somehow related to tracking. I imagine that it's very possible that some poor Chinese pirate paid actual RMB into his pirate OS iPhone to initiate an in-app-purchase. An IAP that our server quickly and correctly denied. Great, but not really.

This whole piracy situation sucks. It's sucking costly server bandwidth. It's sucking my morale. And I don't know if it will topple my already fragile efforts. I think the thing that gets me down the most is that these pirates are actually trying to use the IAP in our game. Maybe they don't pay any real money for it. Maybe they pay real money and get nothing in exchange. But they genuinely want to use the features we've built... and can't. I've talked about it with other developers and there's plenty of things I could do to reduce the suck. I could show an avalanche of adwalls to pirates. I could do even tighter restrictions and validation at the server to prevent them from playing. I could do a bunch of clever stuff. But it wouldn't change the fact that I set out to share an experience with people and that experience is being denied.

I feel it's akin to setting up that little table in the supermarket with the free sample weenies. And then somebody hijacks the truck delivering the packaged weenies to the store and drives it off a cliff. On your birthday.