Decoding Chess.com


Chess.com is one of the largest online Chess platforms. Their Android application, com.chess, ranks in the top 10 for many countries within Northern America and Northern Europe.

Stats from appbrain.com

App Features

Account

Users of the chess.com can record their username, first name, last name and location on their profile.

Friends

Users can find and invite friends.

Friends list

Messages

Users can send messages to any other user, friend or not.

Games

The main feature from the user’s perspective is Chess gameplay.

Gameplay

Chat

Users can begin a chat during a game, separate to messages.

Data

Chess.com data can be found at the following file path.

/data/data/com.chess

Account

The user’s email address and password can be found in plaintext within shared_prefs/com.chess.app.login_credentials.xml.

The username can be found in a few files, but most notably shared_prefs/com.chess.app.session_preferences.xml, along with the timestamp of account creation and last login.

Friends

Lots of intersting data can be found with the main database, databases/chess-database (no file extension). The friends list included.

SELECT
    friends.id AS "ID",
    friends.username AS "Username",
    friends.first_name AS "First Name",
    friends.last_name AS "Last Name",
    datetime(friends.last_login_date, 'unixepoch') AS "Last Login"
FROM
    friends

Messages

Messages are also found within the chess-database. The timestamp stored in the created_at column was consistent with the time the message was sent. Un/read status was not recorded.

SELECT
    datetime(messages.created_at, 'unixepoch') AS Sent,
    messages.conversation_id AS Conversation,
    messages.sender_username AS Sender,
    messages.content AS Message
FROM
    messages
ORDER BY
    messages.created_at

Games

The app appears to store a lot of data about games, not just games the user has played, but games the user has viewed too. game_start_time was consistent with the time of the first move, and timestamp was consistent with the time of the last move. The is_opponent_friend column appeared to update – games played before friend connection are shown as with a friend.

SELECT
    datetime(daily_games.game_start_time, 'unixepoch') AS "First Move",
        datetime(daily_games.timestamp, 'unixepoch') AS "Last Move",
    daily_games.game_id AS "Game ID",
    daily_games.white_username AS "White",
    daily_games.black_username AS "Black",
    CASE daily_games.is_opponent_friend
        WHEN 1 THEN "Friend"
        WHEN 0 THEN "User"
        ELSE "ERROR"
    END AS "Friend Status",
    daily_games.result_message AS "Result"
FROM
    daily_games
WHERE
    daily_games.white_username = "<< username >>"
OR
    daily_games.black_username = "<< username >>"
ORDER BY
    daily_games.timestamp

Chat

Users can message during a game. This chat is seperate to the main Messages view, and starts blank each game. These messages do not appear to be stored on the device.

Evaluation

The account information includes username, email address and plaintext password. Friends may also include first names, last names and location if input by the user.

Storing passwords in plaintext is…not great. Their bug bounty initiative did not consider this as ‘within policy’. Their loss is our gain.

There was no coverage of in-game chat, suggesting it is server-side.

As always, this research has been submitted to ALEAPP!


2 responses to “Decoding Chess.com”

Leave a Reply to Week 14 – 2022 – This Week In 4n6 Cancel reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Create your website with WordPress.com
Get started
%d bloggers like this: