In theory, it’s a novel and noble idea: The community comes together to revive and maintain a now discontinued Sonic mobile game forgotten from just four years ago.
But Monday’s beta release of Sonic Runners Revival promised a restoration of the endless runner with extra features. Some of those features, like leaderboards and the roulette function, were never intended for the beta. What features existed in the launch were hampered by the server used for players getting hammered right out of the gate. Many players were unable to download the beta, prompting the development team to release this statement:
Hello everyone, we are aware that servers are overloaded and that you are unable to download the game! We don't exactly how long it will take, but we will have the game ready for download as soon as we can. Please hold out while we fix the issue.
— Sonic Runners Revival Project (@RevivalSonic) July 15, 2019
Problems compounded when some community leaders advised their social media followers not to download the beta outright, over concerns about possible security exploits with the download files, including the possibility your IP may be exposed to the development team. There have also been concerns raised about the project lead, YPwn, and his less than stellar reputation among senior officials at Sonic Fan Games HQ. One person on Twitter has flagged to TSSZ that their security software flagged the Revival download as riskware, but TSSZ has not fully verified the authenticity of these claims.
After TSSZ asked the team to respond to the allegations Monday evening, a statement was later released:
There have been a lot of rumors and speculation on how safe the APK/IPA files are and how safe it is to use the application to connect to the server. This message is to clear up the potential security risks and keep everyone informed on the situation.
First off, the app itself: The original speculation and questions about security came from the app permissions, which required access to GPS location. The Revival app does not use this as it was just a carryover from the offical app where Sega needed it to connect you to the closest server to you. Since the Revival project runs off of one single server, (from not being run by a company and just being dedicated fans) it doesn’t need this and doesn’t use it since you’re always going to connect to the same server. This is why they added a build on Discord that completely removes it, to put people’s minds at ease. The other permissions are just to access and change the game data and to automatically pause the game whenever you get a call.
Second off is the server the app connects to: Because of the nature of the game being server based, it does access your IP. That is not inherently bad and all websites do this, but can be misused. There has been a Twitter thread posted that I recommend you read here–it talks about the maturity of some higher-ups and how they might not be the best people to trust with the data. An easy way to protect yourself from any possible misuse of this would be a VPN.
Finally, a PSA on downloading the app: As with all apps that need to be sideloaded, (not downloaded directly from the app store) unofficial downloads could spread around that are injected with malware. You can be safe from this by making sure you always download the app from the official sources, being the Discord’s #downloads channel and the website listed in the announcements. The #downloads channel even has the SHA256 hashes if you are really paranoid and want to 100% verify your download is identical as to what the team put out.