How to win Pokémon Go (by cheating)

What RASP can do for your app

The hottest game in the market today is the new release Pokémon Go, developed by Niantic.  The game forces you to go outside and interact with the real world (in a safe manner, hopefully).  As you walk around, Pokémon appear and allow you to toss Pokéballs at them in an attempt to catch them all.  The more you walk, the more Pokémon you can attempt to catch and the stronger your Pokémon become.  The key mechanic in the game is its use of the phone's GPS to track your movement, combined with other data the phone reports.

Only 3 days after the release, reports of hacks started to roll in.  This is common in the gaming industry.  In the world of PC games, the most popular titles are usually hacked the same day they release.  In the mobile world, there is a false sense of security.  The PC platform has been around for years, and developers and consumers are well aware of the attacks out there.  On the mobile platform, people are still not fully aware of what attackers can do, but they are learning quickly.

How to win Pokémon Go (by cheating)

On a mobile platform, the most damaging attack is jailbreaking or rooting.  This is the holy grail of attacking a mobile phone.  Once an attacker has root on a device, they control it.  This means they can inspect any application's secret inner workings and read any data the application decrypts while it runs.  It also means they can modify how any application works and perform hacks that are even more nefarious.
With Pokémon Go, the attackers did just that: they jailbroke their phones and analyzed the Pokémon Go application.  If the key mechanism is using GPS to track your location, then that is the first thing the attackers aimed for.  The attackers built a library that was injected into the Pokémon Go process and manipulated the GPS data the app read.  This allowed the hacker (now cheater) to appear to be in places they had never been, and to walk through areas they had never visited.

The developers at Niantic tried to remediate this problem.  They patched their code and added jailbreak detection checks.  Unfortunately, the damage had already occurred, and the hackers were quickly able to apply their own patches that disabled the application's jailbreak detection.

Jailbreaking or Rooting

When it comes to jailbreak and root detection, it is always better to start early and not advertise what you are doing.  In the case of Pokémon Go, it was obvious that the application now included a jailbreak detection mechanism, because the manipulated data the cheats relied on was suddenly no longer accepted.  For most applications, it is better to use Runtime Application Self-Protection (RASP) that checks for jailbreaking and rooting every time the application launches or becomes the foreground application on the phone.  When RASP detects either condition, the best response is simply to exit the application gracefully and not let on to the hacker that something was found.

Even if jailbreak and root detection is compromised and the attacker is able to patch the application, RASP can offer further technologies to help prevent the types of attacks that Pokémon Go experienced.  The next attack used on the Pokémon Go application was a library injection attack.  This is where the hacker was able to manipulate the GPS library and inject their own.  By leveraging a RASP solution, the application will be able to detect these rogue libraries and prevent them from being loaded.
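The two checks described above (root detection at launch or foreground, and detection of injected libraries) can be sketched in a few dozen lines of C.  The following is an added example written for this page; it is not VASCO's RASP code or anything from Niantic.  It assumes an Android/Linux process, where injected code shows up as a shared object mapped in /proc/self/maps from a directory the app never loads from, and it uses an assumed allowlist of trusted library directories.  The root indicator paths, the allowlist, and the maps excerpt (including the hypothetical libgpsspoof.so) are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Paths whose presence commonly indicates a rooted Android device. A real RASP
 * probes many more artifacts (test-keys builds, Magisk mounts, writable /system). */
static const char *const ROOT_INDICATORS[] = {
    "/system/bin/su", "/system/xbin/su", "/sbin/su",
    "/data/local/tmp/su", "/system/app/Superuser.apk", NULL
};

/* Assumed allowlist: directories an unmodified app expects native code to load from. */
static const char *const TRUSTED_PREFIXES[] = {
    "/system/", "/apex/", "/vendor/", "/data/app/", NULL
};

/* Constructed /proc/self/maps excerpt: libc, the game's own native library, and a
 * hypothetical spoofing library (libgpsspoof.so) injected from /data/local/tmp. */
const char *const SAMPLE_MAPS =
    "7f1000000000-7f1000010000 r--p 00000000 fd:00 1234   /system/lib64/libc.so\n"
    "7f1000010000-7f1000050000 r-xp 00010000 fd:00 1234   /system/lib64/libc.so\n"
    "7f2000000000-7f2000020000 r-xp 00000000 fd:00 5678   /data/app/com.example.game-1/lib/arm64/libmain.so\n"
    "7f3000000000-7f3000004000 r--p 00000000 fd:00 9012   /data/local/tmp/libgpsspoof.so\n"
    "7f3000004000-7f3000008000 r-xp 00004000 fd:00 9012   /data/local/tmp/libgpsspoof.so\n"
    "7f4000000000-7f4000001000 rw-p 00000000 00:00 0      [anon:libc_malloc]\n";

/* Count how many of the indicator paths exist on this filesystem. */
int count_root_indicators(const char *const *paths)
{
    int hits = 0;
    for (; *paths; ++paths)
        if (access(*paths, F_OK) == 0) ++hits;
    return hits;
}

static int has_trusted_prefix(const char *path)
{
    for (const char *const *p = TRUSTED_PREFIXES; *p; ++p)
        if (strncmp(path, *p, strlen(*p)) == 0) return 1;
    return 0;
}

/* Walk maps-format text and count distinct shared objects mapped from outside the
 * allowlist; the first offender is copied into `first`. On device, pass the contents
 * of /proc/self/maps (each library appears several times, once per segment). */
int scan_maps_for_rogue_libs(const char *maps, char *first, size_t first_len)
{
    char seen[16][256];
    int nseen = 0;
    if (first && first_len) first[0] = '\0';

    for (const char *line = maps; *line; ) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);

        /* The pathname, when present, is the last whitespace-separated field. */
        const char *path = NULL;
        for (size_t i = len; i > 0; --i)
            if (line[i - 1] == ' ' || line[i - 1] == '\t') { path = line + i; break; }

        size_t plen = path ? len - (size_t)(path - line) : 0;
        if (path && *path == '/' && plen > 3 && plen < 256) {
            char buf[256];
            memcpy(buf, path, plen);
            buf[plen] = '\0';
            if (strcmp(buf + plen - 3, ".so") == 0 && !has_trusted_prefix(buf)) {
                int dup = 0;
                for (int i = 0; i < nseen; ++i)
                    if (strcmp(seen[i], buf) == 0) { dup = 1; break; }
                if (!dup && nseen < 16) {
                    strcpy(seen[nseen++], buf);
                    if (first && nseen == 1) snprintf(first, first_len, "%s", buf);
                }
            }
        }
        if (!nl) break;
        line = nl + 1;
    }
    return nseen;
}

/* Convenience for callers that only want the first offender ("" when none). */
const char *first_rogue_lib(const char *maps)
{
    static char buf[256];
    scan_maps_for_rogue_libs(maps, buf, sizeof buf);
    return buf;
}

/* The article's policy: any finding means exit quietly, without telling the attacker
 * which check fired. Returns 1 when the app should terminate. */
int should_terminate(int root_hits, int rogue_libs)
{
    return root_hits > 0 || rogue_libs > 0;
}

/* Run at launch and every time the app returns to the foreground. */
int main(void)
{
    char first[256];
    int rogue = scan_maps_for_rogue_libs(SAMPLE_MAPS, first, sizeof first);
    int roots = count_root_indicators(ROOT_INDICATORS);
    if (should_terminate(roots, rogue)) {
        /* A shipping build would print nothing and simply exit(0); shown here for the reader. */
        printf("integrity check failed (rogue library: %s)\n", rogue ? first : "none");
        return 0;
    }
    puts("integrity checks passed");
    return 0;
}
```

Two design points follow the article's advice.  The checks run on a trigger the attacker cannot easily avoid (launch and foreground), not once at install time, and the response carries no signal about which check fired, so a cheater cannot tell whether the su binary, the injected library, or something else was noticed.  The same allowlist approach applies on iOS by walking the loaded images with the dyld API instead of /proc/self/maps.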

No solution is ever failsafe and no platform is ever free from attack.  Every day new attacks are being rolled out, and every day a new solution is being developed.  Technology like RASP will help the new mobile application ecosystem protect itself and make things easier in the life of an application developer.

Will LaSala is a Director of Services @ VASCO, and a security industry veteran with a passion for gaming and ethical hacking.

For more information on Mobile Application Security solutions including RASP, visit https://www.vasco.com/products/application-security/digipass-for-apps.html


2 Responses to How to win Pokémon Go (by cheating)
  1. None of the protection mentioned here will work as the PokemonGo requests to their servers were easy to forge. Simply proxying the requests through a PC allows an attacker to reverse engineer the API. Several bots have appeared that call this API to play the game automatically without user intervention and without a smartphone in sight. They started to improve the protection on their API but it kept being broken until they sent cease and desist letters to everyone and people lost interest in the game. The only solution is to detect patterns in these API requests and block the accounts using bots. Combine this with an API that is secured via digital signatures and you might stand a chance.

  2. Many games make use of clear text server APIs, perhaps this is the same in this particular game. There are technologies that can be put in place to resolve web services encryption problems. Recently, there have been a number of instances where developers have overlooked the way in which they were handling the data between the client and the server. Leveraging mutual encryption technologies will help ensure those messages are protected by the application and unable to be manipulated. Still, most of the easiest hacks lie with modifying the included libraries of an application and simply replacing them with hacked versions that allow an attacker control of the data. These rogue libraries are painful for developers to deal with, and perhaps harder for developers to deal with than the web services APIs. A proper audit of the security technologies being used before an application is launched should be in place to help point out any of these potential openings.
