How can we protect our game against this kind of stuff?
Put a kill-switch? If yes, what value can we send to make sure the game is ours? The package name? Ideally the app signature but how?
Anyways sorry it’s happening to you, good luck for the resolution.
Figure out how they wrapped it and detect that!
I am so sorry hearing that. Let google play taken down the stolen account
Wow, that really sucks. I don’t want to install the game myself on a phone to encourage the thieves.
How are they monetising the game? Did they replace the Poki ad calls with something else? Or are they running an ad only when the game starts?
I’m guessing they are loading the game from a webview? I wonder if it’s possible to detect this and prevent the game from loading?
And what about the Poki site/domain lock? Have they disabled it?
@AGulev do you have any experience with any of this? Perhaps this is something we can bring up with Poki?
@BunBunBun the only consolation is that they are only doing this because it is a damn good game!
it’s good idea, probably need to remove the link above to avoid 
Yes, they remove the site-lock code and wrap the game into an apk and use the webview to run it.
I’m in touch with google support, we regularly do this (removal of our other web-games games from the market) there are a lot of games from the Poki can be found were uploaded with same way.
I think that if there is a possibility to detect the using of a webview (and as well as the inability to remove this check) will solve this issue.
no, not really. it’s always about long conversations with platform support
Finally, the “clone” is removed from Google Play! Google support responds for a very long time (still haven’t received a reply), but I contacted the owner of this account by mail (found it in the profile). After a hour correspondence, he eventually deleted the game.
You actually got an answer from the person behind the account? What did they say?
Were you using Poki’s domain lock solution?
I wonder if they can actually modify a bundled Defold game in such a way or have the wrapper somehow trick the game into thinking it’s running from the intended location.
I’ve had site-locked games stolen and put on other websites - and these were small games not really worth a lot of effort to steal. It must be straight-forward to do.
Can you describe methods you used to domain lock in those games?
in index.html (yeah, it’s a mistake) but when i tried to call via html5.run(POKI_SITE_LOCK_CODE) I got an error. but anyway as @benjames171 said this code also possible to cut off. but it will be more complicated than just removing the code from index.html.
We actually have direct contact with the Admob team. I’d be happy to reach out to them on your behalf if you could provide me with as much details as possible. Account IDs for Google Play, AdMob etc. A copy of your communication etc
I wonder if it’s possible to obfuscate this site lock call in a native extension and calling the code using EM_JS from C with the code b64 encoded or something like that. It would at least make it quite a bit harder to disable. But as always not impossible…
I’ll provide you the information by mail! Thanks!
we decided to delete the correspondence (there was a message above), due to the fact that other bad people can use the scheme. in a nutshell, the “rogue” provided compromising evidence on himself, that he used AdMob in other people’s games to earn money.
A very simple method using html5.run("location.hostname") then checking the result against a list of acceptable domains.
None of the games I have been involved with protecting have been ripped yet so idk. There are some complicated ways you can protect your game that make it very difficult to rip as people doing the ripping would need much more advanced knowledge than would be worth using to rip games. You have to make sure that your live versions don’t allow localhost either.
Say you did use my methods only way it would make sense to me is if the wrapper spoofed one of the whitelisted domains somehow. That kind of thing harder to deal with, but it still can be prevented by also including checks that the server is actually who it says it is / checks with server to see that the server is live and is responding with correct data.
That might not be enough check this code here
If you can please find one of the rips of your games and see if they actually modified your game files / actually rehosted it or just link to it in an iframe? If they do figure out how to unbundled / rebundle it’s game over scripting wise but native extension wise you can still do things. You can also include some obfuscated timebombs that are not obvious to find when looking at an unbundled project / add extra checks that are not easy to modify / give a false sense of the game being properly ripped.