How do people hack iPhone games so easily?

I have seen high scores of 999,999 on Flappy Bird as well as many other impossible high scores on games such as Temple Run, etc., on iPhone and iPad.

How do people hack these games so easily when they cannot see the source code? It seems like they know the source code of the game, which makes them able to manipulate the game file so easily. I don't understand how this happens given that the Apple iPhone is sandboxed, unlike Android.


Solution 1:

iOS applications store their data in files that are available from a computer in two easily accessible ways:

  • Inside an iTunes backup

  • Via a MobileDevice-framework-based tool such as iExplorer

In my experience, game save data is stored in a fairly ordinary property list file that is manipulable via the plutil tool. The data can be restored and replaced without any code knowledge. From there it's a simple matter of how much the app trusts its save data.

For an example of how this can be used not just for high scores, but to cheat at a game, see the Nimble Quest iOS Trainer, which is itself MobileDevice-framework-based.

(The MobileDevice framework is an Apple private framework created for iOS device access, which has been reverse-engineered to enable the creation of iOS device tools not available from Apple.)

Solution 2:

Some games communicate with their backend server unencrypted, in plain text. If you route the traffic through a proxy like OWASP ZAP or Burp Suite you can see and manipulate the traffic.

I have seen games that send the answers with the question to the iPhone. In this scenario I could highlight the correct answers. As a result you can always score 100%. Other games send the scores to the server. In that case you can just add a few zeros to your score when submitting it.

Then there are games that store your scores on the phone as zigg describes. These scores are stored in a user-readable and writable area and can therefore be manipulated. This is of course only stored on the phone, but you can show off to your friends by flashing your phone.
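
Added example (not part of either answer, and not code from any game mentioned): a server-side check for the case both answers describe, where the backend accepts whatever score the client reports. The function names, the token layout and the one-point-per-second rule are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # stays on the server, never shipped in the app
MAX_POINTS_PER_SECOND = 1.0           # assumed game rule: at most one point per second
_used_sessions = set()                # session ids already redeemed (replay guard)


def _sign(payload: str) -> bytes:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest().encode()


def start_session(player: str, now: float) -> str:
    """Issue a signed token when a round begins; the client only echoes it back."""
    payload = f"{player}|{secrets.token_hex(8)}|{now:.3f}"
    return f"{payload}|{_sign(payload).decode()}"


def accept_score(token: str, player: str, score: int, now: float) -> tuple[bool, str]:
    """Decide whether a client-submitted score is credible."""
    try:
        tok_player, session_id, started, tag = token.split("|")
        started_at = float(started)
    except ValueError:
        return False, "malformed token"
    # The start time is covered by the HMAC, so the client cannot backdate it.
    payload = f"{tok_player}|{session_id}|{started}"
    if not hmac.compare_digest(tag.encode(), _sign(payload)):
        return False, "bad signature"
    if tok_player != player:
        return False, "token belongs to another player"
    if session_id in _used_sessions:
        return False, "session already submitted"
    # Plausibility bound: the score cannot exceed what the elapsed time allows.
    elapsed = now - started_at
    if elapsed <= 0 or score < 0 or score > elapsed * MAX_POINTS_PER_SECOND:
        return False, "score not achievable in elapsed time"
    _used_sessions.add(session_id)
    return True, "ok"
```

This bounds what a tampered submission can claim rather than proving the round was played honestly; transport encryption and certificate validation are still needed so the traffic is not readable through a proxy in the first place.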