Gamed Center: who’s hacking iOS game leaderboards, and why do they do it?

The scenario that opens this piece won’t come as news to anyone. One person on the Internet is flaming another person on the Internet. The web contains enough of this churning vitriol to burn with sun-like intensity forever. The difference from your typical flamewar, however, is that this person will never get a reply from the antagonist he’s bending over his virtual knee: “DarkGamingLord, you are a pitiful human/human-mimicking vomit slug, and your desperate attempt at validating yourself is not only laughable, but also hilariously pathetic. It’s nice that you killed another ten minutes of your obviously worthless time by figuring out how to max out the score on your games on Game Center.”

This barrage of invective comes courtesy of a blog post entitled ‘I’m Tired Of Cheating On Game Center’, written last October by a fan of iOS gaming who blogs under the name Jesper. He’d been competing for high scores in Fruit Ninja and was frustrated that a whole crowd of people at the top of the game’s leaderboard had registered identical scores of just over 9.2 quintillion (it’s not a coincidence: that’s the largest signed integer that can be stored within 64 bits of data). He picked out DarkGamingLord as the focus of his tirade because this particular player had crashed the party at the top of a number of high-profile leaderboards, including an assortment of Angry Birds titles.

Score hacking isn’t a brand new phenomenon in iOS gaming. Rules and digital security measures, just like sporting records, are made to be broken after all. But, increasingly, leaderboards aren’t just about bragging rights any more. Real-world eSport tournaments are pre-qualifying entrants at the top of online leaderboards, and the likes of Virgin Gaming are even looking to incentivise the top slots on games’ high score tables. Yet the problem of regulating the leaderboards of iOS’s biggest titles often falls to independent developers, whose talents lie in game design, not in building high-tech security architecture. We decided it was time to talk to both developers and the hacking community to see where things stand today.

DarkGamingLord is part of a community of hackers, called the CrackLords, who specialise in cracking iOS apps and making them available for free on jailbroken devices. Populating leaderboards with hacked scores is just part of the same hacking pastime, but with the additional lure of having your name displayed in lights for all Game Center users to see. The aim doesn’t seem to be as much about cheating for these players as erecting a monument to their hacking exploits. Like a graffiti artist trying to find a lofty perch on which to tag her nickname for maximum visibility.

If you eavesdrop on the Twitter feed of Cosmicalninja, ringleader of the CrackLords, you’ll find a conversation from early April between him and another hacker named Genitikfreak. The latter individual has received a threatening letter from a game developer who was less than happy to have their iOS game hacked and claimed to be holding an arrest warrant. “I once had an email from the FBI asking me to hand myself in,” boasts Cosmicalninja. “That’s why they invented a trash folder.” “Seriously?” Genitikfreak replies. “Yes seriously,” Cosmicalninja assures him, “about 18 months back. Just ignore an email. An email means they can’t find you. Wait for a subpoena.”

No universal score leaderboard on Apple’s Game Center is immune to the problem. Each and every one resembles an inbox with a hypothetical sort function that prioritises spam messages, raising them to the very top of the pile. But not every game developer is as peeved by the intrusion as the one who threatened to take legal action against Genitikfreak.

Super Hexagon, the popular reflex-testing action title by Terry Cavanagh, has its own share of bogus scores at the top of the leaderboard, but the game’s creator can’t understand why people would derive any satisfaction from doing so. He opted to forgo building in security measures, which means submitting a fake score is as easy as editing the save file and picking a number, any number.

“If it was really quite difficult to hack, then I could understand it,” says Cavanagh. “But it is so easy that a kid could do it. Maybe [the person] wants to pose as an elite hacker, saying, ‘Oh look what I was able to do,’ but even to hackers that must look pretty pathetic, because there is no protection in the game… If somebody wants to set a fake score on the leaderboard, it’s just kind of an embarrassing thing for them, really. It’s just so shameful; I feel like by deleting it I’m covering up just how awful they are.”

Of course, when Cavanagh mentions deleting hacked scores, he isn’t referring to Game Center, since Apple’s service doesn’t currently provide developers that functionality. Once a score is posted to a Game Center leaderboard, it’s on there for good. Steam, on the other hand, does allow developers to remove scores, but Cavanagh points out that each one has to be removed individually and there might be 100 obviously hacked scores. Even if he did spend the time deleting them, people can just submit another fake score immediately, so what’s the point?

Noodlecake Studios, the developer behind Super Stickman Golf 2, believes in the primacy of the friend leaderboard, but it took things one step further and created a custom one inside the game, which appears before each course. Unless you exit the game and open up the Game Center app itself, you’ll never see zkauth’s cumulative score of 27,055 strokes under par for the easy difficulty course tier. The other consideration is the limited staff sizes of most iOS developers and the resources that can reasonably be allocated to bolstering security. Even an established studio like Noodlecake is a pretty lean operation.

“We did implement some security,” says Ryan Holowaty, Noodlecake’s head of business development and marketing, “but in the end some of the encryption stuff didn’t pan out as well as we wanted it to and then kids just hacked the crap out of the game. Unless you hire those kids to do your security for you, there’s really not much you can do about it.”

Holowaty’s not being flippant when he says kids, either. There’s an informal poll on the iOS hacking forum iNinjas asking community members how old they are. Out of 63 respondents, 32.8 per cent claimed to be between 11 and 14 years of age.

We approached a host of prominent individuals in the iOS hacking community – including DarkGamingLord – to request comments for this piece, and we grew accustomed to being ignored. Persistence paid off and we finally made contact with a user who had posted a prominent hacked score on one of the Super Hexagon leaderboards. He asked not to be identified by name or Internet handle, so we’ll just call him Rob.

Rob is a 14-year-old high-school student living in Canada. “I’ve been doing programming for about one-and-a-half years now,” he tells us. Rob doesn’t own a developer account. He has, however, released some tweaks in Cydia, the underground App Store for jailbroken iOS devices. One of the tweaks he developed but chose not to release is an altered version of Apple’s GameKit.framework, which enables games to submit scores to Game Center. His tweaked version reviews the submitted score information and replaces the score with the one you’ve previously established in the settings. Rob stresses that he simply developed it to see if it was possible, then removed it and “tossed the code in a corner of my hard drive”.

One of the things that becomes clear in our interview with Rob is that he views hacking as a playground in which to test his programming expertise. “I don’t cheat,” he says. “All I do is research, really. One could compare it to fixing bugs in your program. When you’ve been trying to find a fix for an issue for days, it is extremely satisfying to be able to repair it.”

It’s not hard to figure out why the hacking impulse exists. Since their inception, games have been teaching players to study rulesets and look for exploits. It’s not surprising, then, when a kid with an interest in programming takes this to a metagame level.

“Gamers who play Skyrim will occasionally do weird wall jumping up the side of a mountain where there’s not a path and somehow get to the top,” Noodlecake’s Holowaty gives as a point of comparison. “It’s that feeling of accomplishment, like, ‘Oh, I don’t think I’m supposed to be here’, and they’re all happy about it. I totally get that feeling.”

Rob assures us that his Super Hexagon leaderboard entry is the only hacked score he’s (accidentally) submitted, and he’s not concerned about the prospect of being banned from Game Center. “I don’t know if one could get banned for it,” he shrugs. “I don’t even think Apple cares, to be honest.”

sssss