MITM Attacking Game Center

Learning to use Fiddler 4 to modify Game Center leaderboard scores.

Finding a target

Fidget Widget is a simple iOS app that contains 6 mini games for people to brainlessly fidget. It contains a game called Scroll Masters with an infinite scroll wheel. Scroll Masters also has a Game Center leaderboard to compete against other users of this app.

After toying with the app I found a button to sync your progress with iOS Game Center. This gave me the idea to try modifying this score to appear higher on the leaderboard.

Setup for analyzing web traffic with Fiddler

In order to intercept and decrypt HTTPS traffic from an iOS device, we route the device through Fiddler and install Fiddler's root certificate on the phone.

Fiddler:

  1. Enable Capture HTTPS CONNECTs.
  2. Enable Decrypt HTTPS traffic.
  3. Enable Allow remote computers to connect.
  4. Set "Fiddler listens on port" to 8888.

iOS:

  1. Connect to the same network as the computer running Fiddler.
  2. In the Wi-Fi settings, configure a manual proxy with the server set to the IP address of the computer running Fiddler and the port set to 8888.
  3. Go to ipv4.fiddler:8888 in your browser and install the profile.
  4. Trust the profile in Settings.
  5. Go to General -> About -> Certificate Trust Settings and enable full trust for the DO_NOT_TRUST_FiddlerRoot certificate.

Request analysis and modification

Opening the app and heading to the left-most game mode will let you play Scroll Masters. On this page there are 2 very important buttons: leaderboards and sync.

As previously mentioned, the sync button is the other important control, and it will allow you to achieve the same result. The game has functionality for syncing scores with the cloud: Scroll Masters makes a request to Game Center to retrieve the saved score.

Opening the response in XML format reveals that Game Center sends back details about your score along with other information.

This should immediately set off a lightbulb in your head: this request can easily be breakpointed and its response modified to send the client any score. Fiddler has an AutoResponder feature for this. To auto-respond to the request, head over to the AutoResponder tab and drag the request from the session list on the left into the empty rule area.

Right click the item and select Edit Response. This should create a window similar to the request inspector window seen previously. Open TextView to modify the response.

<array>
	<dict>
		<key>formatted-score-value</key><string>3,910,101,010</string>
		<key>score-value</key><integer>3910101010</integer>
		<key>context</key><integer>0</integer>
		<key>rank</key><integer>1</integer>
		<key>player-id</key><string> - </string>
		<key>timestamp</key><integer>1624907170952</integer>
	</dict>
</array>

After saving the changes, sync your leaderboards. On your phone you should see a screen prompting you to allow the app to sync your Game Center leaderboards; the next time the game uploads your scores, you will have a new position in Game Center.

Easier way?

Yes, there is. To maintain the leaderboards, the app sends a POST request to https://stats.gc.apple.com/WebObjects/GKGameStatsService.woa/wa/submitScores which submits ALL of the current game statistics.

<array>
	<dict>
		<key>category</key>
		<string>com.score.bulb</string>
		<key>context</key>
		<integer>0</integer>
		<key>score-value</key>
		<integer>0</integer>
		<key>timestamp</key>
		<integer>1632256936386</integer>
	</dict>
	<dict>
		<key>category</key>
		<string>com.score.scroll</string>
		<key>context</key>
		<integer>0</integer>
		<key>score-value</key>
		<integer>3910101010</integer>
		<key>timestamp</key>
		<integer>1632256936386</integer>
	</dict>
	<dict>
		<key>category</key>
		<string>com.score.scroll</string>
		<key>context</key>
		<integer>0</integer>
		<key>score-value</key>
		<integer>3910101013</integer>
		<key>timestamp</key>
		<integer>1632256936724</integer>
	</dict>
	<dict>
		<key>category</key>
		<string>com.score.bulb</string>
		<key>context</key>
		<integer>0</integer>
		<key>score-value</key>
		<integer>0</integer>
		<key>timestamp</key>
		<integer>1632256936724</integer>
	</dict>
</array>

This request can easily be breakpointed and modified to change all game statistics at once.
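The client can be made to say anything, so the only durable defence is for the server not to trust the score values it receives. The following is an added example (not code from the app, from Apple, or from this post) of a server-side plausibility check run over the batch above; the per-category caps, the scoring rate limit and the player's previous score are assumed values.

```python
import plistlib
from dataclasses import dataclass

# Hypothetical per-category policy (assumed values, not from the app): the highest
# score a genuine play could reach and the fastest believable rate in points/second.
POLICY = {
    "com.score.scroll": {"max_score": 5_000_000, "max_rate_per_s": 500.0},
    "com.score.bulb": {"max_score": 100_000, "max_rate_per_s": 50.0},
}

@dataclass
class Verdict:
    category: str
    score: int
    accepted: bool
    reason: str

def check_batch(plist_bytes: bytes, last_known: dict) -> list:
    """Validate each entry of a submitScores batch. last_known maps category ->
    (best_score, timestamp_ms) of the player's last accepted submission and is
    updated in place, so entries within one batch are checked against each other."""
    entries = plistlib.loads(plist_bytes, fmt=plistlib.FMT_XML)
    verdicts = []
    for e in entries:
        cat, score, ts = e["category"], int(e["score-value"]), int(e["timestamp"])
        rule = POLICY.get(cat)
        best, best_ts = last_known.get(cat, (0, 0))
        if rule is None:
            v = Verdict(cat, score, False, "unknown category")
        elif not 0 <= score <= rule["max_score"]:
            v = Verdict(cat, score, False, "score outside plausible range")
        elif ts < best_ts:
            v = Verdict(cat, score, False, "timestamp older than last accepted score")
        elif score - best > rule["max_rate_per_s"] * (ts - best_ts) / 1000:
            v = Verdict(cat, score, False, "score grew faster than the rate limit")
        else:
            v = Verdict(cat, score, True, "ok")
            last_known[cat] = (max(best, score), ts)  # only accepted scores advance history
        verdicts.append(v)
    return verdicts
# Constructed sample: three entries from the batch above (context key omitted), in a plist header.
SAMPLE_BATCH = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><array>
<dict><key>category</key><string>com.score.bulb</string><key>score-value</key><integer>0</integer><key>timestamp</key><integer>1632256936386</integer></dict>
<dict><key>category</key><string>com.score.scroll</string><key>score-value</key><integer>3910101010</integer><key>timestamp</key><integer>1632256936386</integer></dict>
<dict><key>category</key><string>com.score.scroll</string><key>score-value</key><integer>3910101013</integer><key>timestamp</key><integer>1632256936724</integer></dict>
</array></plist>"""

if __name__ == "__main__":  # constructed history: 1,200 on the scroll wheel ~15 min earlier
    for v in check_batch(SAMPLE_BATCH, {"com.score.scroll": (1200, 1632256000000)}):
        print(v)
```

Both scroll entries fail the absolute cap before the rate check is even reached; a forged score that stays under the cap is caught by comparing its growth against the time elapsed since the last accepted submission.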

Other applications

Although it is easy to perform a MITM attack against Fidget Widget, it is not always this simple for other games. However, once you understand the basics of this technique and how scores for Game Center are updated, you can easily forge requests for other games that sync scores and game data in a similar way.

Conclusion

Using this simple technique it is possible to execute similar attacks against games that use Game Center to sync their leaderboards, leaving those apps vulnerable to cheaters.