Programmer demonstrated that Open-Face Chinese app could be used to cheat

When you play on an app such as this one for money, you better know who you’re playing with and that you’re in possible danger of being cheated.

Prominent Team PokerStars Pro Barry Greenstein warned fellow poker players Friday about a security flaw in the design of an iPhone and iPad app being used for live interactive gambling in a relatively new poker variant, Open-Faced Chinese.

Greenstein recounts playing an unnamed opponent for $50, then increasing the stakes to $100 a point after accumulating a 100-point lead, all while using the iOS app to deal the cards and keep score. The app is only designed for fun, not real-money gaming, so money would have been settled up for points won or lost after the game.

Greenstein became concerned when, during a streak of hands, his opponent hit a high number of narrow outs on the 13th and final card dealt in each hand, leading him to suspect he was being cheated in some manner.

According to his personal blog at PokerStars, Greenstein then contacted a nephew with programming experience who downloaded the app and confirmed that the app’s unsecured nature rendered it vulnerable to possible abuse.

Greenstein’s nephew demonstrated that, by using a proxy server, a player using the app could view all 13 of his own cards in advance, and thus receive a significant advantage over players without such knowledge. The core difference between traditional and Open-Faced Chinese Poker is that in Open-Faced Chinese a player does not receive all 13 cards at once, and is instead forced to build his hands a card at a time after receiving his first five cards.
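The defensive lesson from the proxy demonstration, as an added example that is not from the article, Greenstein's blog or the app itself: a server should serialize only the cards a player has already been dealt. It assumes the weakness is that undealt cards travel to the client, where a proxy can read them; the names `Hand`, `leaky_state`, `safe_state` and `undisclosed_leak` are hypothetical.

```python
import secrets

RANKS = "23456789TJQKA"
SUITS = "cdhs"


def shuffled_deck():
    """Fisher-Yates shuffle driven by the OS CSPRNG, performed on the server."""
    deck = [r + s for r in RANKS for s in SUITS]
    for i in range(len(deck) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        deck[i], deck[j] = deck[j], deck[i]
    return deck


class Hand:
    """One player's 13-card Open-Faced Chinese hand, held server-side."""

    def __init__(self, cards):
        if len(cards) != 13:
            raise ValueError("a hand is exactly 13 cards")
        self._cards = list(cards)  # the full hand stays on the server
        self._dealt = 5            # the first five cards arrive together

    def draw(self):
        """Release exactly one more card, up to the 13th."""
        if self._dealt >= 13:
            raise ValueError("hand already complete")
        self._dealt += 1
        return self._cards[self._dealt - 1]

    def leaky_state(self):
        """Assumed flawed design: whole hand sent, client hides the rest."""
        return {"cards": list(self._cards), "visible": self._dealt}

    def safe_state(self):
        """Hardened design: only cards already dealt are serialized."""
        return {"cards": self._cards[: self._dealt]}


def undisclosed_leak(state, dealt):
    """Cards present in a response beyond what the player has been dealt."""
    return state["cards"][dealt:]
```

A check like `undisclosed_leak` belongs in the server's response tests, so that a build which exposes future cards fails before release.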

Greenstein declined to name the specific iOS app in his blog post, though comparison of a single screen grab served up in his PokerStars blog confirms that the app in question is the Chinese Open Face Poker app by ChPkApp, LLC, the most popular iPhone app for the game.

He also chose not to name the person he suspected had cheated him.

“I began calling around to people who were playing a lot,” Greenstein writes. “Pretty much anybody who has won big at this game at this point is under suspicion, because it’s so easy to cheat.”

The security flaw is not necessarily an error by the app’s developers, but is instead more a tale of the risk in using a play-money app for real-money gambling, a purpose for which it was never designed.

“There are two broader morals to the story,” Greenstein writes. “One is that when you play on an app such as this one for money, you better know who you’re playing with and that you’re in possible danger of being cheated.”

“Secondly, as a general gambling premise, if you go somewhere and you lose and you don’t understand why you’re losing—especially if you seem to be losing in ways that don’t seem right to you—you have to quit,” he adds. “That’s just a general rule of gambling that you need to use to protect yourself.”