Hacking the Game Rules

by ~Me

I belong to an organization for pilots: The Aircraft Owners and Pilots Association (AOPA).  For their 80th anniversary, they created an app to promote visiting airports.

The idea seemed to have been to get people out flying to these airports and spending money.  Ideally, this would support the vendors at those airports, increase activity (showing a need for the local area to support the airport), and get others involved with aviation.

You could collect points and badges for each airport visited, additional points/badges for special airports (like the one near the Wright Brothers' first flight in North Carolina), collecting unique airports in a state, unique airports in a region, each type of airspace, and even less common airports (seaplane and grass fields for instance).  There were some really nice prizes given to the top 80 participants (depending on your position on the leaderboard).  There were also monthly prizes like the "January Winter Getaway Challenge" which awarded printed guides about flying to the islands to the top three participants based on the number of airport check-ins from certain states.

I'm not going to disclose the prize(s) I received because that could give away my identity.  You can read about them at: www.aopa.org/news-and-media/all-news/2019/october/02/eightieth-anniversary-includes-pilot-passport-prizes

If you want to read more about the program, visit their web page at: www.aopa.org/news-and-media/all-news/2019/april/01/aopa-app-launches-pilot-passport

The app was GPS enabled.  It would detect when you were within three miles of an airport and allow you to click "check-in" for that airport once per day.  Because airports can occupy several square miles and there is only one official longitude/latitude survey point, this proximity was necessary because it is rare even for pilots to get close to this point at the larger airports.

But it also meant that you did not actually have to go to an airport - let alone land there - to get credit.  Many airport survey points are within three miles of the local highway.  And on a transcontinental flight, the jetliner will pass within three miles of numerous airports - fitting many of the special categories.

To me, as a participant, the biggest flaw with the program (not just the app) was the refusal to recognize non-public airports and airports outside the United States (and territories).  Actually, there was one exception for Windsor Airport in Canada - just outside Detroit.  I had reason (and authorization) to fly into airports controlled by the U.S. military.  But I couldn't get credit for them.

That really annoyed me since that special authorization was available only to a limited population.  I wanted credit for being part of it!

Of course, I found this out after I landed at one of those airports and was unable to check in.  The app refused to recognize the airport - not in the scrollable list and not via the name/airport code search.  This was even though the airport appeared on the AOPA official airport information web page.  That's when I started looking at how to hack the app and the rules the software implemented.

I noticed that the three-mile proximity worked from the road.  That's when I noticed the proximity worked from the air.  That's also when I started investigating whether I could get away with faking the current longitude/latitude via GPS location simulation through an Android app like "Fake GPS."  Some apps are "smart" - like Ingress (reference my article, "Gaming Ingress" published in the Summer 2016 issue) - and detect running apps like "Fake GPS" and refuse to accept the location.  This app was not smart.  It didn't realize that the longitude and latitude it was receiving could be set in software.  So that's what I did.

Even if the app was "smart," as mentioned in my article about Ingress, I could've simulated location data as received by the device GPS through the use of a Software-Defined Radio (SDR) as mentioned in hackaday.com/2016/07/19/pokemon-go-cheat-fools-gps-with-software-defined-radio or simulating the GPS chip as I mentioned in the "Gaming Ingress" article.  But those approaches involved a lot more work.

I pulled the official FAA airport location database (CSV) and created JSON to feed Fake GPS.  Since I'd rather be spending my money on beer, I stuck with the free mode - limited to five sets of coordinates in each of the "favorites" files.  But I could have an unlimited number of those files.  Along the way, I calculated a reasonable travel time between the airports.

The process was rather simple:

First Airport:  Start Fake GPS, open first file, select first airport, start AOPA app, let it determine "current location," perform the "check-in" step, and then shut down the AOPA app.  Shutting down the app while in the air is totally normal...

Subsequent Airports:  After the appropriate time had expired, select the next airport in Fake GPS, start AOPA app, let it determine "current location," perform the "check-in" step, and then shut down the AOPA app.  This was repeated periodically throughout the day and over the weeks.  And I got to watch my score increase and my number of badges increase (along with their quality: bronze, silver, and finally gold), and the resulting rise in leaderboard position.

I did have two complications to deal with.  There were events at specific airports on specific dates and there were times I was physically traveling to (or by or over) airports that I wanted to claim.  Before those, I had to pause my Fake GPS events to appear to allow sufficient real-life time to travel to those locations.  I certainly could have used Fake GPS to simulate me going to those airports - but since I would be at those locations with other pilots, I didn't want to give away my activities.

Nowhere in the rules did it say that you had to land a plane at these airports, but I wanted to be sure I didn't catch the eye of a smart data scientist running analytics on their data.  I didn't want to score ten times higher than the next person.  I didn't want to end up in an article for seeming to set some record like "visiting all airports in Idaho in the shortest time" or "visiting every seaplane base in the Southeast region."

In other words, I wanted to remain below the radar.  Keeping your social engineering undetected is a key part of the process.  That is something to consider when hacking any system (in the general sense, not just computer systems).
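The server-side review the author hoped to avoid could look like the following; this is an added example, not code from the article or from AOPA. The `mock` field, every threshold except the three-mile radius, and the airport ids and coordinates are assumptions constructed for the illustration.

```python
import math
from datetime import datetime

RADIUS_MI = 3.0        # check-in radius stated in the article
EXACT_MI = 0.01        # assumed: a fix this close to the survey point is suspect
MAX_SPEED_MPH = 250.0  # assumed speed ceiling for participating aircraft

# Constructed sample data: placeholder airport ids and coordinates.
AIRPORTS = {"APT1": (40.0, -90.0), "APT2": (41.0, -90.0), "APT3": (40.0, -88.0)}
CHECKINS = [  # one user, time-ordered; "mock" is a hypothetical client-reported field
    {"airport": "APT1", "time": "2019-06-01T09:00", "lat": 40.01, "lon": -90.01},
    {"airport": "APT2", "time": "2019-06-01T10:00", "lat": 41.0, "lon": -90.0},
    {"airport": "APT3", "time": "2019-06-01T10:10", "lat": 40.0, "lon": -88.0, "mock": True},
    {"airport": "APT1", "time": "2019-06-01T15:00", "lat": 40.01, "lon": -90.01},
]

def miles_between(a, b):
    """Great-circle (haversine) distance in statute miles between (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 3958.8 * math.asin(math.sqrt(h))

def review_checkins(airports, checkins):
    """Return (index, reason) flags for one user's time-ordered check-ins."""
    flags, prev, seen = [], None, set()
    for i, c in enumerate(checkins):
        t = datetime.fromisoformat(c["time"])
        fix = (c["lat"], c["lon"])
        if c.get("mock"):
            flags.append((i, "mock-location"))
        offset = miles_between(fix, airports[c["airport"]])
        if offset > RADIUS_MI:
            flags.append((i, "outside-radius"))
        elif offset < EXACT_MI:  # real fixes rarely land on the survey point
            flags.append((i, "exact-survey-point"))
        if (c["airport"], t.date()) in seen:
            flags.append((i, "duplicate-day"))
        seen.add((c["airport"], t.date()))
        if prev:
            hours = (t - prev[0]).total_seconds() / 3600
            if hours <= 0 or miles_between(fix, prev[1]) / hours > MAX_SPEED_MPH:
                flags.append((i, "implausible-speed"))
        prev = (t, fix)
    return flags

if __name__ == "__main__":
    for idx, reason in review_checkins(AIRPORTS, CHECKINS):
        print(idx, CHECKINS[idx]["airport"], reason)
```

The flags are meant to queue an account for manual review rather than reject a check-in outright, since a legitimate fix can occasionally trip any single rule.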

Shout out to the folks who service my plane so I can go places safely.  You know who you are.
