Our Responsibility as Developers

Developers have a responsibility to users. At no point in human history have so few people been able to reach so many with so little oversight. Yes, we have had mass publishing for more than 500 years. But to reach an audience of millions there would have been dozens of reviewers, fact checkers, editors, and investigators. Now, a very small group, or even a solo developer, can reach their hands into the private lives of millions of people in a matter of days. Most of the time this great power is for the benefit of everyone. But more and more often we are seeing developers take the low road. Users, for the most part, don’t have the technical knowledge to know when they are being taken for a ride. Even the technically minded ones often don’t do the required legwork.

I contacted the developer of QuizUp, Plain Vanilla, before posting this article to inform them of the security concerns that I had found. I offered to assist them in any way possible. As of publishing they have not requested any details, nor have I heard back from them in any way after several days. See the update at the end of this post for more info.

There has recently been a new breakout iOS app with download numbers far exceeding the early adoption rates of Instagram and Snapchat. Those of you who follow the App Store may already have noticed this new game, QuizUp, which has seemingly taken the mobile world by storm. I came across QuizUp when I noticed that they were using a search keyword with the name of my popular iOS trivia game, Trivium. I downloaded and tried the game; it was very good, but something just felt off with the science of it. As a developer I have a natural curiosity, especially in regard to technology, which prompted me to begin digging. What I found was at first surprising, then shocking.

QuizUp pitches itself as a socially networked trivia game. Upon launching, you are required to register an account either with email or through Facebook. You are matched with another user and play short 7-question rounds in real time against each other in over 250 categories. Having written a very popular trivia app used by hundreds of thousands of users, I was surprised that they could offer real-time gaming in 250 categories. From a technical and engagement perspective it was an amazing feat. As it turned out, it was mostly a ruse. In uncovering the inner workings of QuizUp, however, I came upon something much more shocking than misleading advertising.

There have been several notable cases of iOS privacy violations since the launch of the App Store, from Path being fined $800,000 by the federal government to California suing Delta Airlines over privacy concerns with their mobile apps. You would think that at this point developers would be concerned about the privacy of users’ personal data. It certainly looks like QuizUp is on top of privacy, at least according to the privacy policies on their website. In the usual breach-of-privacy scenario a company stores sensitive information in plain text on a server somewhere, and someone comes along and figures out how to access that data. In the case of QuizUp, however, the servers actually send other users’ personal information, in plain text (not hashed or otherwise obscured), right to your iPhone or iPod touch as part of normal gameplay traffic. This information includes but isn’t limited to: full names, Facebook IDs, email addresses, pictures, genders, birthdays, and even location data for where the user currently is. I have been able to access the personal information of hundreds of people whom I have never met and had no interaction with, other than that we both used QuizUp. These people likewise had access to my personal information. It is important to keep in mind that these were not people who added me as friends inside of the app; these were complete strangers in every sense.

In an effort to avoid writing a how-to for accessing the personal information of over a million iOS users, I will not be writing instructions on how to view this data. It took me less than 15 minutes, however, and can be done by even a novice, moderately tech-savvy computer user. The information provided on other users is more than enough to be able to track a person down in the outside world.

Those who have been following online culture certainly know that this type of “stalking” event is not a rarity but has in fact become rather common. I have provided below a small snippet of actual user data, censored to protect privacy (the censoring is mine). This information is from a real user of QuizUp and was sent to my device by QuizUp’s servers as part of the normal gameplay cycle. I would like to make it clear that if you have ever used QuizUp, your information is currently being shared with other users of the app.

{
  "player": {
    "banner_slugs": [],
    "banners": [],
    "bio": null,
    "birthday": null,
    "coordinates": null,
    "email": "p***********@aol.com",
    "followers": [],
    "following": [],
    "gender": "male",
    "has_email_login": false,
    "id": "2****************6",
    "is_ghost": false,
    "location": {
      "city_name": null,
      "country_code": "US",
      "country_name": "United States",
      "region_code": "FL",
      "region_name": "Florida"
    },
    "name": "Matt P*******",
    "picture_urls": {
      "large": "http://cdn.players.production.quizup.com/players/*********/large.jpg",
      "mini": "http://cdn.players.production.quizup.com/players/**********/mini.jpg",
      "original": "https://fbcdn-profile-a.akamaihd.net/*******988956887_n.jpg",
      "square": "http://cdn.players.production.quizup.com/players/*******/square.jpg",
      "wallpaper/large": "http://cdn.players.production.quizup.com/players/********/large.jpg",
      "wallpaper/original": "https://fbcdn-sphotos-b-a.akamaihd.net/*******629378032_n.jpg"
    },
    "platform": "ios",
    "team_member": false,
    "title": "Golden",
    "twitter": null
  }
}

[EDITOR NOTE on picture_urls: EXIF-intact avatars, which may show the GPS location where they were taken]
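The editor note about the avatars points at a second leak channel: an image file served with its EXIF data intact can carry the GPS coordinates of where the photo was taken. As an added example, not code from the original post or from QuizUp, here is a minimal JPEG segment walker that removes Exif, XMP and IPTC segments before an image is handed to a CDN. The sample JPEG bytes are constructed inline and hold no real image data.

```python
# Added example: strip EXIF (and other metadata APPn segments) from a JPEG
# before publishing it, so a user's avatar cannot leak GPS coordinates.
# Not code from QuizUp or the original post; SAMPLE_JPEG below is constructed
# by hand and contains no real image data.
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
APP0, APP1, APP13 = 0xE0, 0xE1, 0xED
# Standalone markers (TEM, RSTn, SOI, EOI) carry no length field.
STANDALONE = {0x01, *range(0xD0, 0xD8), SOI, EOI}
# APP1 payload prefixes we treat as metadata worth removing.
METADATA_PREFIXES = (b"Exif\x00\x00", b"http://ns.adobe.com/xap/1.0/\x00")

def iter_segments(data: bytes):
    """Yield (marker, payload, start, end) for each header segment up to and
    including SOS; everything after the SOS header is entropy-coded scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker in STANDALONE:
            yield marker, b"", pos, pos + 2
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # includes the 2 length bytes
        end = pos + 2 + length
        yield marker, data[pos + 4:end], pos, end
        pos = end
        if marker == SOS:
            return

def is_metadata(marker: int, payload: bytes) -> bool:
    """True for Exif/XMP (APP1) and Photoshop IRB/IPTC (APP13) segments."""
    if marker == APP1 and payload.startswith(METADATA_PREFIXES):
        return True
    return marker == APP13

def has_exif(data: bytes) -> bool:
    return any(m == APP1 and p.startswith(b"Exif\x00\x00")
               for m, p, _, _ in iter_segments(data))

def strip_metadata(data: bytes) -> bytes:
    """Return a copy of `data` without metadata segments. Header segments are
    parsed one by one; the scan data after SOS is copied through verbatim."""
    out = bytearray(b"\xff\xd8")
    last = 2
    for marker, payload, start, end in iter_segments(data):
        if not is_metadata(marker, payload):
            out += data[start:end]
        last = end
    out += data[last:]  # scan data through EOI, untouched
    return bytes(out)

def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: JFIF header, an Exif block with a fake GPS-ish payload,
# a stub quantisation table, a stub SOS header, a few scan bytes and EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08" + b"GPS!" * 4)
    + _segment(0xDB, b"\x00" + bytes(64))
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56\xff\x00\x78"  # entropy-coded data (0xFF00 is a stuffed byte)
    + b"\xff\xd9"
)

if __name__ == "__main__":
    cleaned = strip_metadata(SAMPLE_JPEG)
    print("exif before:", has_exif(SAMPLE_JPEG), "after:", has_exif(cleaned))
    print("bytes before:", len(SAMPLE_JPEG), "after:", len(cleaned))
```

Run this at upload time, on the server side, for every size you publish (the captured response shows several derived sizes plus an `original`); re-encoding the image with an imaging library achieves the same end, but a segment-level strip keeps the pixel data byte-for-byte intact and is easy to audit.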

The friends tab of QuizUp allows you to send an SMS to a contact letting them know you would like them to download and play the game; this is a great feature. In order to use this feature, QuizUp needs to request access to your contact list (as required by Apple). When access is granted, all of your contacts’ email addresses are sent, once again in plain text, to QuizUp’s servers. This is done under the pretense that you are hand-inviting your friends one by one via SMS, while in the background the app is copying and transmitting their contact data. This is done in violation of federal privacy laws and is virtually the same issue that drew congressional scrutiny and a fine for Path.

There are hundreds of “minor” issues that were uncovered as I continued to investigate, with the assistance of some security researchers who had by then taken an interest in the issue. They ranged from sending your password as plain text when completing an email signup, to mishandling Twitter contacts. In an effort to keep this post somewhat concise I will hold off on pointing out every single problem I have uncovered and move on to another topic of concern.

I like to think of myself as an ethical developer; my company is frequently hired to build iOS apps and accompanying server setups. When we do this client work we always voice our concerns about privacy and security, and occasionally we are ignored. We have refused, and will continue to refuse, to assist in generating fake reviews or scraping private data from our users. Most of the developers I know hold these same ethical guidelines, and I would like to think that most I do not know do so too.

Through my research into the way the app functioned it became apparent that they weren’t just exposing private information but were actively breaking numerous rules, policies, and security best practices, and actively deceiving their users. QuizUp is being marketed as a real-time social gaming experience, “play against your friends in real time”, or so their website states. Their website and every press release they’ve issued indicate that the game takes place in real time. Sadly, this appears to be a pretty bent state of reality.

Upon beginning a new game, the answers from the other player already appear to have been generated, along with the times at which they were answered. From what I can tell it appears that you’re playing, at least in certain circumstances, against a player’s previous solo games. In addition, it would seem that they have created “ghost” users to pad the matchmaking when no one else is available. While it is very difficult to determine exactly how this network situation plays out, it certainly appears that there have been some efforts to make a non-real-time game seem like it is being played in real time.

{
  "234092424316998311": {
    "answers": {
      "129970": {
        "answer_id": "520575",
        "answer_time": 0.39787783333332527
      },
      "130141": {
        "answer_id": "521261",
        "answer_time": 2.3160219166666707
      },
      "130145": {
        "answer_id": "521277",
        "answer_time": 2.704801374999988
      },
      "130210": {
        "answer_id": "521538",
        "answer_time": 1.2145604166667
      },
      "130234": {
        "answer_id": "521631",
        "answer_time": 1.4425444999999968
      },
      "130315": {
        "answer_id": "521955",
        "answer_time": 3.067427958333326
      },
      "130332": {
        "answer_id": "522026",
        "answer_time": 0.4041142916667013
      }
    }
  }
}

Due to several other security lapses I am able to see the number of people playing in any trivia category at any moment. Requesting a match in a reportedly empty room has always returned me a player within a few seconds. This lends support to my belief that the real-time, real-people aspect is at least in part smoke and mirrors. As it stands I cannot test this assertion with absolute certainty.

Although not a concern for security or privacy, cheating in QuizUp is trivial. The answers to all questions are provided to the client before the beginning of each game round. It is easy to modify the time in which you answered questions and the answers you provided. A simple test allowed the revision of incorrect answers to correct ones and the modification of scores and rankings. With a couple of hours of effort it would be easy to game the system and become the top player in every category.
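The cheating described above comes from two design choices: the correct answer is shipped to the client before the round, and the client reports its own answer times and results. As an added example (hypothetical code, not QuizUp’s; the question bank, the ids and the time limit are made up for illustration), the block below contrasts that trust-the-client scoring with a server-authoritative round in which the correct answer never leaves the server, each question carries a one-time nonce, and elapsed time is measured on the server’s clock.

```python
# Added example: trust-the-client scoring versus a server-authoritative round.
# Hypothetical code, not QuizUp's. QUESTION_BANK, the ids and TIME_LIMIT are
# constructed for the example.
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable

@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    answers: dict       # answer_id -> answer text, safe to send to the client
    correct_id: str     # never leaves the server

QUESTION_BANK = {
    "129970": Question("129970", "Largest planet?", {"520575": "Jupiter", "520576": "Mars"}, "520575"),
    "130141": Question("130141", "H2O is?", {"521261": "Water", "521262": "Salt"}, "521261"),
}
TIME_LIMIT = 10.0   # seconds allowed per question

def naive_score(client_report: dict) -> int:
    """The design the text describes: the client says which answers it got
    right and how fast, and the server adds it up. A tampered client simply
    reports every answer as correct with a tiny answer_time."""
    total = 0
    for a in client_report["answers"].values():
        if a["correct"]:
            total += int((TIME_LIMIT - a["answer_time"]) * 10)
    return total

class FakeClock:
    """Deterministic stand-in for time.monotonic so the demo is reproducible."""
    def __init__(self, start: float = 1000.0):
        self.t = start
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds

@dataclass
class RoundServer:
    clock: Callable[[], float] = time.monotonic
    _pending: dict = field(default_factory=dict)   # (match_id, qid) -> (nonce, sent_at)
    scores: dict = field(default_factory=dict)     # match_id -> points

    def send_question(self, match_id: str, qid: str) -> dict:
        """What the client receives: text, choices and a one-time nonce.
        The correct answer id is deliberately absent."""
        q = QUESTION_BANK[qid]
        nonce = secrets.token_hex(8)
        self._pending[(match_id, qid)] = (nonce, self.clock())
        return {"question_id": qid, "text": q.text, "answers": q.answers, "nonce": nonce}

    def submit_answer(self, match_id: str, qid: str, answer_id: str, nonce: str) -> dict:
        """Score using the server-measured elapsed time; any client-supplied
        answer_time or 'correct' flag is simply not part of the interface."""
        key = (match_id, qid)
        if key not in self._pending:
            return {"accepted": False, "reason": "no outstanding question"}
        expected_nonce, sent_at = self._pending.pop(key)    # one submission per question
        if not hmac.compare_digest(expected_nonce, nonce):
            return {"accepted": False, "reason": "bad nonce"}
        elapsed = self.clock() - sent_at
        correct = elapsed <= TIME_LIMIT and answer_id == QUESTION_BANK[qid].correct_id
        points = int((TIME_LIMIT - elapsed) * 10) if correct else 0
        self.scores[match_id] = self.scores.get(match_id, 0) + points
        return {"accepted": True, "correct": correct, "points": points, "answer_time": elapsed}

def demo() -> dict:
    clock = FakeClock()
    server = RoundServer(clock=clock)
    # 1. A tampered client against the naive design: a "perfect" round at 0.5 s each.
    forged = {"answers": {"129970": {"correct": True, "answer_time": 0.5},
                          "130141": {"correct": True, "answer_time": 0.5}}}
    naive = naive_score(forged)
    # 2. The same client against the authoritative server.
    sent = server.send_question("m1", "129970")
    clock.advance(2.5)
    first = server.submit_answer("m1", "129970", "520575", sent["nonce"])
    replay = server.submit_answer("m1", "129970", "520575", sent["nonce"])   # second try is rejected
    sent2 = server.send_question("m1", "130141")
    clock.advance(12.0)                                                      # answered too late
    late = server.submit_answer("m1", "130141", "521261", sent2["nonce"])
    return {"naive": naive, "first": first, "replay": replay, "late": late,
            "leaks_answer": "correct_id" in sent, "total": server.scores["m1"]}

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Network latency is now charged to the player, so a production version would subtract a measured round-trip estimate or widen the limit; what it must not do is let the client report the number.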

Not surprisingly, the app uses Flurry for analytics, as do many thousands of apps, and all the data sent to and from Flurry is sent securely and properly. The developers do have the Flurry token available in the open, but that’s not really a concern for me or the users; the only thing that can be done with this token is to play hell with the analytics system. A larger concern is that the Facebook token, seen below (censoring is once again mine), is accessible in plain text, and with some additional knowledge it may be used (depending on the permissions granted) to post to timelines without the express authorization of the user. However, my knowledge of Facebook networking is rather limited and that is an area for someone else to explore.

{
    "app_version":"1.0.2",
    "device_token":"prod-production:6b650a251a6b29bcb0b5ae66f028e2c75da1b43e466cbe****************",
    "install_uuid":"7901450C-C2DA-4C42-97EA-*************",
    "app_id":"quizup",
    "device_type":"iPod Touch Fifth Generation",
    "platform":"ios",
    "access_token":"CAAD2XpLDyg8BACHXXCveTWfhU7wh1fX4oZCMqraR2s6UfFfQ3wVcSnRqZCTWrUz5yTb1B6NZAcX83Be8wjIPAI9EDJbD0BNPW5rCfYIZB44cAAZAGT6rJvIKrh5d6IzB8S9wFgc8wQIhPH95kwUxktJBK1A8NzgajIONrr7pjrtK87hZAh4P*****************************"
}

I have received and confirmed at least two reports of QuizUp saving friends’ Facebook information, even that of friends not currently using the app, to NSUserDefaults in plain text. I do not actively use Facebook, so I am a poor test candidate for these types of issues.

While QuizUp does use HTTPS for all of its network calls, the data being handed back to the device is in a readable (non-hashed) state and is very sensitive in nature. A good deal of the data being sent should never be needed by the client. For example, there is no reason my device should need to know the email address of another player.
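One way to enforce that point, as an added example (hypothetical code, not QuizUp’s; the field names follow the captured response shown earlier, the values are made up): serialize an opponent through an explicit allowlist rather than dumping the stored record, and keep a recursive check for fields that must never appear in a view of another user.

```python
# Added example: an explicit allowlist ("public view") applied to a player
# record before it is returned to *another* player, plus a recursive check
# for fields that must never leave the server in that context.
# Hypothetical code, not QuizUp's; OPPONENT_RECORD mirrors the field names of
# the captured response with made-up values.
from copy import deepcopy

# Fields an opponent legitimately needs to render a match screen.
PUBLIC_PLAYER_FIELDS = {"id", "name", "title", "picture_urls", "platform"}
# Only the processed, CDN-hosted sizes; the "original"/"wallpaper/original"
# entries point back at the player's Facebook-hosted photos.
PUBLIC_PICTURE_SIZES = {"mini", "square", "large"}
# Fields that must never appear in a view of someone else, at any nesting depth.
NEVER_SHARE = {"email", "birthday", "coordinates", "location", "has_email_login", "twitter"}

def public_view(player: dict) -> dict:
    """Build the opponent-facing projection by copying allowlisted keys only.
    Unknown or newly added columns are excluded by default, which is the
    property a denylist cannot give you."""
    view = {k: deepcopy(v) for k, v in player.items() if k in PUBLIC_PLAYER_FIELDS}
    pics = view.get("picture_urls") or {}
    view["picture_urls"] = {k: v for k, v in pics.items() if k in PUBLIC_PICTURE_SIZES}
    return view

def leaked_fields(payload, path: str = "") -> list:
    """Recursively list NEVER_SHARE keys present anywhere in a response body.
    Suitable as a unit test over serializers or as a last-line response filter."""
    found = []
    if isinstance(payload, dict):
        for k, v in payload.items():
            here = f"{path}.{k}" if path else k
            if k in NEVER_SHARE:
                found.append(here)
            found.extend(leaked_fields(v, here))
    elif isinstance(payload, list):
        for i, v in enumerate(payload):
            found.extend(leaked_fields(v, f"{path}[{i}]"))
    return found

# Constructed record with the same shape as the captured "player" object.
OPPONENT_RECORD = {
    "bio": None, "birthday": "1990-01-01", "coordinates": [28.5, -81.4],
    "email": "someone@example.com", "followers": [], "following": [],
    "gender": "male", "has_email_login": False, "id": "2000000000000000006",
    "is_ghost": False,
    "location": {"city_name": None, "country_code": "US", "region_code": "FL"},
    "name": "Matt P.",
    "picture_urls": {
        "large": "http://cdn.example/players/1/large.jpg",
        "mini": "http://cdn.example/players/1/mini.jpg",
        "original": "https://fbcdn.example/1234567890_n.jpg",
        "square": "http://cdn.example/players/1/square.jpg",
        "wallpaper/original": "https://fbcdn.example/0987654321_n.jpg",
    },
    "platform": "ios", "team_member": False, "title": "Golden", "twitter": None,
}

if __name__ == "__main__":
    print("leaks in raw record:", leaked_fields({"player": OPPONENT_RECORD}))
    print("leaks in public view:", leaked_fields({"player": public_view(OPPONENT_RECORD)}))
    print(public_view(OPPONENT_RECORD))
```

The same record can still be serialized in full for its owner; the point is that the projection is chosen by who is asking, not by what happens to be in the database row.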

What is perhaps most shocking is that QuizUp is backed by several venture capital firms, including some very large and well-known ones. The question I have is: did they not do their due diligence when vetting this software, or did they not care? I am not sure which one is more alarming to me, and it doesn’t really matter either way. Is it a sign of a bubble when a company can raise millions of dollars with so little care put into its technology or development?

QuizUp also breaks a handful of Apple’s review guidelines and probably should have been rejected to begin with, namely sections 6.2 and 6.3, which deal with the privacy of Game Center IDs; these are treated with the same lack of care as the remainder of the user’s data. The privacy violations also fall under rules imposed by Apple, who almost certainly wouldn’t condone this type of behavior, notably sections 17.1, 17.2, and possibly 17.4. It is very hard for Apple to monitor this type of privacy issue with the number of apps it has going through the system each day, and they can’t really be faulted for these oversights. They can, however, enforce strict punishment on developers who try to slide this stuff under everyone’s noses. The question, though, is whether punishment would be a deterrent for future developers.

Users trust developers to do the right thing, and they are often unaware of issues such as those seen here. My company and the developers we employ take considerable effort to make sure we are on the user’s side; cutting corners to reduce cost or ship faster does nothing but damage the reputation of all developers. I am very disappointed in a growing number of app developers who give up their spot on the ethical high ground in search of a quick buck in the trenches. The ethical high ground is expensive real estate, but you will sleep better at night knowing you are doing a small part to make the world a better place.

In writing this article I conferred with mobile security expert Nick Arnott to verify my findings and assist in my investigation and research. I have attempted to verify all of my claims; however, not having direct access to the source code, I cannot make all of these statements with absolute certainty, especially those around real-time matches and gameplay mechanics. I hope that the security community at large will take an interest in this issue and do the research that it deserves.

Update Nov 25th: QuizUp has issued a reply to these issues to TechCrunch. I stand behind my assertions and I once again encourage third-party security researchers to investigate. My research will not be posted publicly, to protect the users of QuizUp, but I will make it available to any media outlets or researchers that contact me. In addition I will happily share the full email, headers intact, that was sent to QuizUp last week offering to assist with fixing these security issues, which they claim was never received.

They have also reported that they have fixed several of the security issues via server patches, so attempts to replicate my results may vary depending on the nature of these fixes.

Update Nov 25th #2: Claimed QuizUp developer “Jokull” states via Hacker News: “In the off chance we cannot find an opponent (which is becoming very rare due to our popularity) you may be pitted against a bot as a fallback strategy. Matchmaking is a hard technical problem, and we have chosen to maximize gameplay experience and consistency.” This confirms one of the few things I was not positive about when writing the original piece. For those readers who have asked, the developers still have not reached out for information on the issues I found or recommendations on how to fix them.

Update Nov 26th: Senior leadership at Plain Vanilla has been in touch with me. They seem very eager to understand and correct the issues, and I truly feel they are committed to correcting the problems. It will take time and effort, but I foresee a happy ending; I will keep readers abreast of progress as it develops. In the immediate time frame they have corrected the information disclosure vulnerability on the server side, and the client app is no longer sent sensitive information about other players. I hope this serves as a valuable lesson for other startups and companies out there to consider user privacy during the rush to market.

Kyle Richter

Kyle Richter is the Co-Founder and CEO of MartianCraft an iOS and Mac consulting studio. He has previously founded and run Empirical Development and Dragon Forged Software. He has been developing indie Mac software since 2004. Kyle is available for speaking and birthday parties.
