It’s late night hackery here in Philadelphia, PA. I’m here with tonight’s app, Draw Something, brought to you by OMGPOP. OMGPOP’s website says that they’re an online gaming website around since 2006. Good for them. OMGPOP was bought by Farmville maker Zynga. Good for them. Anyway, enough background info. Let’s jump in. (Also, if you’re interested, there’s a part 2 to this article. Click here for that. And now there’s a non-computerese part 3.)
What am I looking for here? Well, great question. I’m looking to see how the developers at OMGPOP did some of the things they did.
Apps need to save information about what you’re up to, so you can continue where you left off. (Ever put a Game Boy game through the wash? Yeah, that’s what I’m talking about.) How does one store information in an online social game? How do you allow people to log in with either Facebook or an OMGPOP user account?
These are some of the questions I hope to answer. A little knowledge never hurt anybody. There’s an added bonus: If you can get at the information while the game is closed, and change it, you might just be able to, ahem, cheat.
For the record, I’m not doing anything magical or sophisticated, just examining some files on my iPhone. I’m just curious to see what observations I can make here. So, let’s get started by examining our tools:
Since I haven’t jailbroken any of my iOS devices, I can’t really access the disk that easily. To get at the files that Draw Something leaves on the iPhone, I use an app called iExplorer. iExplorer is available for free, and runs on both OS X and Windows.
You’re also going to need an app to read some of the database files that Draw Something uses to save data. I’ve found a cool program called Base. Base isn’t free, but the trial limitations don’t prevent us from using it for what we want to accomplish.
Finally, you should grab a shareware app called Charles. No, Charles won’t bring you tea & biscuits on a silver tray. Charles will let you see what Draw Something is connecting to on the internet. (Technical folks: Charles is an HTTP/HTTPS intercepting proxy; you point the iPhone’s Wi-Fi proxy setting at the computer running it.)
With these three tools in hand, let’s dive in.
First, let’s take a look at Draw Something in iExplorer. Here’s what that looks like:
There are a few directories here. The ones we want are the Documents and Library folders. For the curious, the DrawSomething.app folder is the actual game. The other files are self explanatory. (The tmp folder is empty.)
So, what’s inside of Documents?
There’s a whole lot of information here. Look at the Date Modified column on the right. That should give us a clue to help us find out what files have been changed recently. The file called blobcache.db3 has been changed the most recently. That’s when I made my last move, presumably. We’ll get back to this in just a little bit…
Some of the other files have also been modified since I installed Draw Something. It’s interesting to see that profile pictures are stored in a separate database, called profilepics.db3. The keys in that database are actually Facebook web addresses. Some of those addresses allow me to access profile pictures. Not necessarily a security risk, since I’m seeing a security error when I try to access some of them. (OAuth, for those that know what that is.)
Well, interesting… I tried to modify the profilepics.db3 database and send it back to iPhone using Draw Something, but it didn’t work. There’s a fourth column in the database, called blob which might actually be preventing the picture from changing. I can’t know this, since I have no idea what the data inside the fourth column looks like.
The most interesting thing that I’ve found thus far is that display names are stored in a format called JSON, inside of the database. I’ve been playing Draw Something with “Albert Einstein” for 16 hours. It’s not consequential, but it’s cool. Draw Something stores the OMGPOP username as well as the Facebook ID. You can get people’s Facebook ID this way. So if you were creepy enough, you could now access this person’s Facebook page, subject of course, to their privacy settings.
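As an added example (my own Python, not OMGPOP’s code and not from the original post), here is the database poking above done as a script, for once the .db3 files have been copied off the phone with iExplorer. The table, column names and rows below are constructed to match what the post describes (a key column holding Facebook picture URLs, a blob column, display names stored as JSON); the real schema of profilepics.db3 and blobcache.db3 is not given on the page, so list the tables first and adapt the column names.

```python
"""Triage an app's SQLite caches: scripted version of the by-hand poking above.

Added example, not OMGPOP's code. The table, columns and rows are CONSTRUCTED
to match the post's description (a key column holding Facebook picture URLs,
a 'blob' column, display names stored as JSON); the real schema of
profilepics.db3 / blobcache.db3 is not given on the page.
"""
import json
import re
import sqlite3
from typing import Dict, List, Optional

# Assumption: a Facebook numeric ID is a run of 5+ digits inside a facebook.com URL.
FB_ID_RE = re.compile(r"\b\d{5,}\b")


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for a .db3 copied off the phone (constructed data)."""
    con = sqlite3.connect(":memory:")
    con.execute('CREATE TABLE profilepics ("key" TEXT PRIMARY KEY, mtime INTEGER, meta TEXT, blob BLOB)')
    rows = [
        ("https://graph.facebook.com/100000000001/picture", 1331000000,
         json.dumps({"display_name": "Albert Einstein", "omgpop_user": "al_e",
                     "fb_id": "100000000001"}), b"\x89PNG\r\n\x1a\n"),
        ("https://graph.facebook.com/100000000002/picture", 1331000500,
         json.dumps({"display_name": "Marie Curie", "omgpop_user": "mcurie"}), b"\xff\xd8\xff"),
        ("local:me", 1331000600, "not json at all", None),
    ]
    con.executemany("INSERT INTO profilepics VALUES (?,?,?,?)", rows)
    con.commit()
    return con


def open_db(path: str) -> sqlite3.Connection:
    """Open a copied database read-only so triage never modifies the copy."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def list_tables(con: sqlite3.Connection) -> List[str]:
    return [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]


def try_json(value) -> Optional[dict]:
    """Return the parsed object if a TEXT value is a JSON object, else None."""
    if not isinstance(value, str):
        return None
    try:
        parsed = json.loads(value)
    except ValueError:
        return None
    return parsed if isinstance(parsed, dict) else None


def extract_identities(con: sqlite3.Connection, table: str) -> List[Dict[str, Optional[str]]]:
    """Per row: display name / OMGPOP username / Facebook ID from any JSON column,
    falling back to the numeric ID embedded in a facebook.com key. Binary columns
    (the 'blob' the post could not interpret) are skipped, not parsed."""
    cur = con.execute(f'SELECT rowid, * FROM "{table}" ORDER BY rowid')
    cols = [d[0] for d in cur.description]
    found = []
    for row in cur:
        rec = dict(zip(cols, row))
        ident = {"key": rec.get("key"), "display_name": None, "omgpop_user": None, "fb_id": None}
        for val in rec.values():
            if isinstance(val, (bytes, memoryview)):
                continue
            parsed = try_json(val)
            if parsed:
                ident["display_name"] = parsed.get("display_name")
                ident["omgpop_user"] = parsed.get("omgpop_user")
                ident["fb_id"] = parsed.get("fb_id")
        key = rec.get("key")
        if ident["fb_id"] is None and isinstance(key, str) and "facebook.com" in key:
            m = FB_ID_RE.search(key)
            ident["fb_id"] = m.group(0) if m else None
        found.append(ident)
    return found


if __name__ == "__main__":
    con = build_sample_db()  # swap in open_db("profilepics.db3") for a real copy
    for table in list_tables(con):
        for ident in extract_identities(con, table):
            print(table, ident)
```

Use open_db on the file iExplorer copies out; the `mode=ro` URI keeps the copy untouched while you look, and the blob column is left opaque rather than guessed at.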
Analytics is the usage telemetry app makers collect: things like which iPhone and iPod models run their app, and perhaps how long you play. (I am not exactly certain what they’re collecting, merely speculating.) OMGPOP uses a product called Burstly for analytics. Burstly owns a service called TestFlight, which many iPhone developers use to send their apps out to testers before they publish them on the App Store.
Some things being tracked on the device are what colors you use, how often, and what words you’ve played through. This data is stored in the blobcache.db3 file. This is actually visible inside the game, under your stats.
Dictionary and Colors
Interestingly, the list of words is stored on your iPhone. (This makes me wonder if it’s possible to manipulate the words being played…) The dictionary is a CSV (comma-separated values) file with a list of words. Also in that list is the “coin value” of each word, and a 0 or 1 indicating whether the word has been shown to you already. I’ve tried to manipulate the file, but it seems to stall Draw Something if it can’t find words with all three coin values.
There is a parallel set of data which contains hashes. They look like MD5 hashes. A quick check in Terminal confirms that they are indeed. If you change the contents of the dictionary and modify the corresponding hash file, you might be able to do something cool. I haven’t been able to get it to work, but it could be because I’m not very good at running controlled experiments.
After looking into it a little further, I think that Draw Something is actually hitting a server to check the hashes of the files. See, an ETag is an HTTP response header whose value (often a hash of the file) is used to validate cached files: the client sends it back with its next request and the server says whether its copy still matches. (Thanks Jacob for showing me that.) When I generate matching hashes and upload them back to my device, the app must be checking the hashes against a website which in turn says that my hashes are no good. (Even though the file hashes match the originals, they don’t match the server. All three hashes need to match for a file to be used.)
I’ve tried to run Draw Something while using my computer as a router, so I can see what websites Draw Something is using, and what information is being sent. It refused to run past the splash screen without an untouched connection. I plan to look into that if and when I have time.
The one thing I’ve observed is that the first URL Draw Something tries to access is https://ws.tapjoyads.com:443. I’ve also observed some iCloud.com connections, but I couldn’t progress far enough to see what was going on.
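An added example (my own Python, not OMGPOP’s code) modelling why regenerating the local hash does not get an edited dictionary past the check described above. The CSV columns (word, coin value, shown flag) and the stall when a coin tier is missing follow the post; the sidecar hash file, the server’s ETag table and the “all three must match” rule are assumptions used to make the reasoning concrete.

```python
"""Model of the dictionary / hash-file / server-ETag check described in the post.

Added example, not OMGPOP's code. CSV layout (word,coin_value,shown) and the
stall on a missing coin tier follow the post; the sidecar hash file, the
server's ETag table and the "all three must match" rule are ASSUMPTIONS.
"""
import csv
import hashlib
import io
from typing import Dict, List, Tuple

# Constructed sample of the dictionary CSV: word, coin value (1-3), already-shown flag.
ORIGINAL_CSV = "cat,1,0\nbicycle,2,1\nastronaut,3,0\n"


def parse_dictionary(text: str) -> List[Tuple[str, int, bool]]:
    """Parse the CSV into (word, coins, shown) rows, rejecting malformed coin values."""
    rows = []
    for word, coins, shown in csv.reader(io.StringIO(text)):
        coins = int(coins)
        if coins not in (1, 2, 3):
            raise ValueError(f"unexpected coin value {coins} for {word!r}")
        rows.append((word, coins, shown == "1"))
    return rows


def has_all_coin_values(rows: List[Tuple[str, int, bool]]) -> bool:
    """The post reports the game stalls unless words with all three coin values exist."""
    return {1, 2, 3} <= {coins for _, coins, _ in rows}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def looks_like_md5(s: str) -> bool:
    """32 hex characters: the quick Terminal sanity check the post mentions."""
    return len(s) == 32 and all(c in "0123456789abcdef" for c in s.lower())


# Assumed: the server keeps its own hash of each asset and serves it as an ETag.
SERVER_ETAGS: Dict[str, str] = {"dictionary.csv": md5_hex(ORIGINAL_CSV.encode())}


def check(name: str, file_text: str, local_hash: str) -> Dict[str, bool]:
    """Three-way comparison: file vs local hash file, and that hash vs the server's ETag.

    Editing the CSV and recomputing local_hash satisfies the first comparison but
    not the second, which is the failure mode the post describes.
    """
    local_match = looks_like_md5(local_hash) and md5_hex(file_text.encode()) == local_hash
    server_match = SERVER_ETAGS.get(name) == local_hash  # If-None-Match style comparison
    return {"local_match": local_match, "server_match": server_match,
            "usable": local_match and server_match}


def set_coin_value(text: str, word: str, new_coins: int) -> str:
    """Return a tampered copy of the CSV with one word's coin value changed."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for w, coins, shown in parse_dictionary(text):
        writer.writerow([w, new_coins if w == word else coins, "1" if shown else "0"])
    return out.getvalue()


if __name__ == "__main__":
    good = md5_hex(ORIGINAL_CSV.encode())
    print("untouched:", check("dictionary.csv", ORIGINAL_CSV, good))
    edited = set_coin_value(ORIGINAL_CSV, "cat", 3)
    print("edited, old hash:", check("dictionary.csv", edited, good))
    print("edited, regenerated hash:", check("dictionary.csv", edited, md5_hex(edited.encode())))
    print("still has all coin tiers:", has_all_coin_values(parse_dictionary(edited)))
```

The point of the model: a hash sitting next to the file it hashes is an integrity check only against accidental corruption, because anyone who can edit the file can regenerate the hash. The reference copy the server holds is what actually pins the content, and that is the comparison a locally regenerated hash cannot satisfy.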
Well, it looks like that’s all from Charles.
It looks like the folks at OMGPOP did a decent job in securing their in game marketplace from amateurs like myself. (Chalk one up for the bad guys.) However, you can probably play around with game data with the right apps on your computer, and manipulate some things locally.
I’d like to note that Draw Something stores a Facebook token. I’m not sure if this is related to the vulnerability that was discovered about a week ago in Facebook for iOS, or if the token is encoded or not, but I’ve found this:
I’ve censored the token, but you can see how long it is. Anyway, I’ve got better things to do with my time than hack around popular games, and so I’m going to call it quits right about now. This has spanned three states and over 12 hours. I’m done.
If anyone wants to hit me up on Draw Something, my username is moshberm.