HQ Trivia is an app that has recently gained a lot of popularity. It’s a live trivia game where ~1 million players attempt to answer all 12 questions correctly. The game is single elimination, so if you get one question wrong, you’re disqualified for the rest of that round. If you get all 12 questions correctly, you then split a cash prize with all the other winners. The prize is typically $5,000, and when split among all winners it usually comes out to $10-$20 per person, but occasionally larger total prizes are offered, the largest I’ve seen being $300,000. As a fan of trivia, I enjoy playing it regularly, even though I’ve never won any money, and never really expect to. I recommend it, if only as something to break up your day.
Work at my current client involves designing automated testing for their app on web and mobile platforms. Instead of having humans go about the long and laborious task of testing every aspect of their app, we design a program to do so for us. While working a few days ago, I realized the tools we use to build our testing framework could easily enable me, and anyone else with the proper knowledge, to build a program that would cheat at HQ trivia.
Uh, maybe because I was curious? Perhaps I was bored and had no other weekend plans. Whatever my initial reasons for starting this, I’ve settled on my reasoning for writing about it: I want to make the folks at HQ Trivia aware of my process so they can try to prevent what I did, because I enjoy playing the game, and allowing swarms of bots to take over would ruin it.
Well, ever inquisitive reader, my best friend for the mobile side of my project is Appium, a framework for designing automated testing programs for mobile devices. My first step was to utilize the inspector to take a look under the hood of an ongoing game.
This was turning out to be easier than I thought. My job is typically made more difficult when elements in an app have no unique selectors like IDs, and I need to find creative ways to uniquely identify them. But the devs at HQ made my job a lot easier by providing sensible and comprehensive IDs Thank you HQ devs.
From here it was relatively simple to feed the question into a natural language processing system. Watson from IBM has a lot of [helpful libraries][https://www.ibm.com/watson/services/natural-language-understanding/] that allow me to pull out key words of the question so I can run a quick Google search. From here it’s a little more language processing on the Google results to find in what context the possible answers for the question pop up. Using that analysis, on a sample of about 200 previous HQ Trivia questions, I was able to get 78% of questions right.
This is a naive solution, and I am able to achieve a high success rate. With a little more natural language processing, and implementing some machine learning strategies (like Microsoft’s R-NET system) I could easily see that percentage move into the high ninties. But I do actually have other hobbies to attend to this weekend, come to think of it. So I’ll leave that improvement for another time.
How (again) To Stop Me?
I’d be remiss if I didn’t mention I’m not exactly being original here. There already exist a few bots and websites that, through slightly different methods, accomplish the same thing. Most focus on grabbing screenshots of the text and utilizing libraries like openCV to read the screen for its information, I only simplified that step. I also made some of the most commonly suggested solutions to this problem, making the text hard for computers to read, obsolete. If HQ insists on allowing assistive programs, like those used by blind players, to still be utilized, my method will always be viable. With the current technologies and libraries that any developer can easily implement, I don’t think obfuscating the text of questions and answers will ever do more than mildly annoy a cheater.
One good solution is to vary the questions and answers. A primary reason this cheating program was easy to put together quickly is that most HQ trivia questions follow a prescribed formula for how they’re worded, making natural language processing on the questions relatively easy. Rather than make the questions harder for the computer to read, the HQ team should focus on making the questions harder for the computer to understand. This is often as simple as throwing in negative questions, like “Which of these is NOT …”. This will confuse most naive strategies into giving an incorrect answer. Other questions like fill in the blank questions can go a long way into confusing programs as to what the correct answer is.
While I believe changing the questions around will do well in the short term, it’s only a matter of time before developers are able to take these questions into account and continue to beat the system. I think the only real way to go about this is to track user behavior on the app. Suspiciously high success rates, while failing at questions specifically worded to confuse cheating programs, should be major tip offs that a user is cheating. This can help reduce cheating on the app and keep the game fun for normal players.
Never you mind.