After using Android for four years and six flagship phones, I finally made the switch to the iPhone 6 Plus this last weekend. One of the first things I did, after activating my phone, was ask friends for recommendations on what apps to get. Trivia Crack was among the apps suggested to me the most. If you haven’t played it, or heard of it, TechCrunch has a good write-up on it.

Without going too deep into the rules of the game, the main objective is to answer trivia questions (correctly). Each question is randomly selected from one of six categories (Art, Entertainment, Geography, History, Science, and Sports), and the player is given 30 seconds to select an answer from a list that’s presented to them. If the timer runs out, or the player selects an incorrect answer, it becomes the opponent’s turn. However, if the correct answer was chosen before time runs out, the player gets to go again and continue this process.

Using one of my favorite tools, mitmproxy, I am able to see the HTTP(S) requests and responses my phone is seeing. So after doing some trivial setup work, I was ready to see what the app was doing on the network.

When you first open the app, or pull down to refresh on the main game screen, your games are refreshed by sending an HTTP request like the following:

Note that it is using HTTP, not HTTPS, which means we don’t even have to install a root certificate on our devices to inspect or modify these API requests!

The response from the server is a large JSON object that describes all your games: current, pending, or from the past.

Let’s skip to some of the more interesting information towards the middle of the response. The following is an excerpt from the “list” key in the main JSON object, which is a list of all the games you have played or are participating in. Inside this object, we can see the questions array, which contains each question along with the answers that will be used when I open the game in the app.


Inside the question object, we can see an array of “answers” to display, along with the question “text”, and “category”.

I don’t know how intelligent you are, reader, but I think you can make a guess as to what “correct_answer” is in this context. If you’re not a programmer/technical person, you might be wondering why the value is 2 when “Hockey” sits in slot #3 of the answers array. Well, in programming we like to go with zero-based indexing, which is a fancy way of saying that instead of counting with 1 as the first number, we use 0. So in this case, 2 really means the 3rd slot: 0 (Basketball), 1 (Baseball), 2 (Hockey), 3 (Swimming).

Using this knowledge, we can utilize mitmproxy’s inline scripts to modify the server’s response on the fly and show us only the correct answer!

This code sets all the answers to “BAD” and then replaces the correct answer’s slot with the correct answer.

It’s not all that pretty, but it works! Best of all, Trivia Crack has no way to detect that you are doing this.
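To show the same problem from the server’s side, here is an added example (not from this post, and not Trivia Crack’s own code): a small parser over a constructed response in the shape described above that lists every answer the client is handed before the question is even displayed, plus the redaction the API would need so that “correct_answer” never leaves the server. The nested keys follow the post; representing answers as plain strings and the game “id” field are assumptions.

```python
import json

# Constructed sample in the shape the post describes (simplified: answers are
# plain strings). The real payload carries many more fields than this.
SAMPLE_RESPONSE = json.dumps({
    "list": [
        {
            "id": 1,  # assumed field, not from the post
            "questions": [
                {
                    "category": "Sports",
                    "text": "Which sport is played on ice with a puck?",
                    "answers": ["Basketball", "Baseball", "Hockey", "Swimming"],
                    "correct_answer": 2,
                }
            ],
        }
    ]
})


def leaked_answers(body):
    """Return (question text, correct answer) pairs that any client (or any
    proxy on the plaintext HTTP path) can read straight out of the game list.
    An empty list means the payload no longer carries an answer key."""
    leaks = []
    for game in json.loads(body).get("list", []):
        for q in game.get("questions", []):
            idx = q.get("correct_answer")
            if idx is None:
                continue
            # Zero-based index: correct_answer 2 is the third answer slot.
            leaks.append((q["text"], q["answers"][idx]))
    return leaks


def redact_answer_key(body):
    """Server-side fix: drop correct_answer before the response is sent, so
    the client only ever sees the four choices. Grading then has to happen
    on the server when the pick is submitted (see grade())."""
    data = json.loads(body)
    for game in data.get("list", []):
        for q in game.get("questions", []):
            q.pop("correct_answer", None)
    return json.dumps(data)


def grade(question, chosen):
    """Server-side check of a submitted answer index against the retained key."""
    return chosen == question["correct_answer"]
```

Running leaked_answers() against the redacted payload returning nothing is the check a backend test for this API would want; serving it over HTTPS closes the interception half of the problem but not the leak itself.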

Here are some other questions from when I discovered this on Monday: