Cracking Trivia Crack.
Disclosure: I have not “hacked” Trivia Crack’s app, nor their servers. I simply inspected the HTTP (not even HTTPS) traffic going between my phone and their servers.
After using Android for four years and six flagship phones, I finally made the switch to the iPhone Six Plus this last weekend. One of the first things I did, after activating my phone, was ask friends for recommendations on what apps to get. Trivia Crack was among the apps suggested to me the most. If you haven’t played it, or heard of it, Techcrunch has a good write up on it.
Without going too deep into the rules of the game, the main objective is to answer trivia questions (correctly). Each question is randomly selected from one of six categories (Art, Entertainment, Geography, History, Science, and Sports), and the player is given 30 seconds to select an answer from a list that’s presented to them. If the timer runs out, or the player selects an incorrect answer, it becomes the opponent’s turn. However, if the correct answer was chosen before time runs out, the player gets to go again and continue this process.
Using one of my favorite tools, mitmproxy, I am able to see the HTTP(S) requests and responses my phone is seeing. So after doing some trivial setup work, I was ready to see what the app was doing on the network.
When you first open the app, or pull down to refresh on the main game screen, your games are refreshed by sending an HTTP request like the following:
The response from server is a large JSON Object that describes all your games: current, pending, or from the past.
Let’s skip to some of the more interesting information towards the middle of the response. The following is an excerpt from the “list” key in the main JSON Object which is a list of all the games you have or are participating in. Inside of this object, we can see the questions array which contains the question along with the answers that will be used when I open the game in the app.
Inside the question object, we can see an array of “answers” to display, along with the question “text”, and “category”.
I don’t know how intelligent you are, reader, but I think you can make a guess as to what “correct_answer” is in this context. If you’re not a programmer/technical person, you might be wondering why the value is 2 when “Hockey” sits in slot #3 of the “answers” array. Well, in programming we like to go with zero-based indexing, which is a fancy way of saying that instead of counting with 1 as the first number, we use 0. So in this case, 2 really means the 3rd slot: 0 (Basketball), 1 (Baseball), 2 (Hockey), 3 (Swimming).
Using this knowledge, we can utilize mitmproxy’s inline scripts to modify the request on the fly and show us only the correct answer!
It’s not all that pretty, but it works! Best of all, Trivia Crack has no way to detect you using this.
Here are some other questions from when I discovered this on Monday:
Believe it or not, cheating gets old quite quickly. It was fun to be able to beat everyone, but then it’s not really a game anymore, it’s just an app where I tap a button with no risk of losing.
So why do they send the answer, anyway?
While I don’t know the exact reason that Trivia Crack sends the correct answer to the user’s device before they have selected an answer, my educated guess is that they do it so the user has instant feedback when they select an answer. If the app had to make a web request when you tapped one of the answers, there would be a very noticeable delay between letting your finger up, and when the result is displayed to the user. There is server side validation that you selected the correct answer, so at least they didn’t mess that up! ☺
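As an added illustration (this is not the post’s code, nor anything from Preguntados): the server-side shape that avoids the leak described above. It uses a constructed game object laid out the way the post describes the response (field names and sample questions are assumptions), strips the answer key before the payload goes to the phone, grades the chosen index only on submit, and includes an audit helper that flags any `correct_answer` key still present in a response body.

```python
from copy import deepcopy

# Constructed sample in the layout the post describes: a game object holding a
# "questions" array, each with "answers", "text", "category" and "correct_answer".
SAMPLE_GAME = {
    "id": 12345,
    "questions": [
        {
            "id": 901,
            "category": "SPORTS",
            "text": "Which sport is played on ice with a puck?",
            "answers": ["Basketball", "Baseball", "Hockey", "Swimming"],
            "correct_answer": 2,  # zero-based index into "answers"
        },
        {
            "id": 902,
            "category": "GEOGRAPHY",
            "text": "Which is the largest ocean?",
            "answers": ["Atlantic", "Pacific", "Indian", "Arctic"],
            "correct_answer": 1,
        },
    ],
}

# Keys that must never reach the client before it has committed to an answer.
SENSITIVE_KEYS = {"correct_answer"}


def find_leaked_keys(obj, path="$"):
    """Walk a decoded JSON value and return the locations of sensitive keys.
    Running this over every outgoing response body is a cheap regression check."""
    found = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key in SENSITIVE_KEYS:
                found.append(f"{path}.{key}")
            found.extend(find_leaked_keys(value, f"{path}.{key}"))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            found.extend(find_leaked_keys(value, f"{path}[{i}]"))
    return found


def client_view(game):
    """What the phone should receive: the same game, minus the answer key."""
    view = deepcopy(game)  # never mutate the server's authoritative copy
    for question in view["questions"]:
        question.pop("correct_answer", None)
    return view


def grade(game, question_id, chosen_index):
    """Server-side validation on submit; the only place the key is consulted."""
    for question in game["questions"]:
        if question["id"] == question_id:
            return chosen_index == question["correct_answer"]
    raise KeyError(f"unknown question {question_id}")
```

The cost is one round trip per tap before the result can be shown, which is the latency trade-off the paragraph above guesses the developers were avoiding.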
That doesn’t, however, release the developers of Trivia Crack/Preguntados from responsibility for not using HTTPS. The data sent and received by this app contains my social information as well as my friends’ information, and that is exactly the kind of data most apps care enough about their users to send over an encrypted channel. Anyone on the same network as my phone (that guy in a trench coat sitting in the corner of Starbucks on his laptop, or, if I lived with technical people, my housemates sniffing my traffic) or anywhere in the pipeline (my phone carrier when I’m not at home, my Internet Service Provider when I am, the NSA) can see, in plain text, my name, Facebook ID, picture, email, gender, nationality, and age.
This is clearly unacceptable when you are “boasting 100 million users and 800,000 daily downloads” — and that was three months ago!
In addition, TLS is fast, and api.preguntados.com (the endpoint Trivia Crack talks to) already requires HTTPS for some routes, such as saving your password, so why not make it the default for all requests?