If you play Pokémon GO you may already be aware, but the game’s API has been under attack, preventing many casual users from accessing their accounts to find the elusive creatures. In this detailed post on the Shape Security Engineering Blog, Yao Zhao gives readers a closer look at what happened.
The issue was caused by bots overwhelming the Pokémon servers with automated traffic from outside the game client, breaching the terms of service and interrupting the game’s launch in Latin America. The bots include the typical type that automates regular gameplay, but Pokémon GO has also inspired the creation of Tracker or Mapper bots that provide the location of Pokémon.
The mobile API bot mimics the communication between the app and its servers, telling the servers what actions are taken and consuming the server’s response. Zhao then explains how a mobile app is cracked through reverse engineering, focusing on the Android version, since that was where the main vulnerability lay.
Initially, the game’s developer, Niantic, didn’t use certificate pinning to protect against Man-in-the-Middle attacks. Thanks to this oversight, POGOProtos was able to use an unauthorised server certificate issued from a proxy to reverse-engineer the protocol and publish it online within two weeks of launch.
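The defence the post describes as missing is certificate pinning: the client refuses to talk to a server whose certificate does not match a fingerprint baked into the app, so a proxy-issued certificate fails even when the device trusts the proxy's CA. The block below is an added illustration, not code from Niantic or from Zhao's post. It pins the SHA-256 of the leaf certificate's DER encoding; the certificate bytes are constructed stand-ins, and the host and pin values are assumptions.

```python
import hashlib
import socket
import ssl

# Constructed stand-ins for DER-encoded certificates. In a real client the
# leaf is whatever the TLS handshake returned; here the bytes are invented
# so the pin check can be exercised offline.
EXPECTED_LEAF_DER = b"constructed-leaf-certificate-der-bytes"
FORGED_LEAF_DER = b"constructed-proxy-issued-certificate-der-bytes"

def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, hex-encoded; this is what gets pinned."""
    return hashlib.sha256(der).hexdigest()

# The pin set shipped inside the app. A real deployment ships at least one
# backup pin so that certificate rotation does not lock every client out.
PINNED_SHA256 = {cert_fingerprint(EXPECTED_LEAF_DER)}

def pin_matches(der_chain: list, pins: set) -> bool:
    """True if any certificate in the presented chain matches a pinned fingerprint."""
    return any(cert_fingerprint(der) in pins for der in der_chain)

def open_pinned_connection(host: str, port: int = 443, pins: set = PINNED_SHA256) -> ssl.SSLSocket:
    """Open a TLS connection and refuse it unless the leaf certificate is pinned.

    Normal chain validation still runs first; pinning is an extra check on
    top of it, which is exactly what stops a proxy CA the device trusts.
    """
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    leaf = tls.getpeercert(binary_form=True)
    if not pin_matches([leaf], pins):
        tls.close()
        raise ssl.SSLError(f"certificate presented by {host} matches no pinned fingerprint")
    return tls
```

Pinning the whole leaf certificate is the simplest form and is what this example does; it breaks on every renewal, which is why production clients usually pin the public key (SPKI) hash and carry a backup pin. Either way, the point the post makes holds: without some pin, a certificate minted by an interception proxy is accepted as soon as the device trusts that proxy's root.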
Attackers exploited Android’s use of the dex format for building APK files by disassembling them into smali assembly, then further decompiling the dex file into Java, exposing the application’s source code. Then, with fewer than 100 lines of Java code, Pokémon Go Xposed was able to fool the app into accepting a false certificate.
At 1pm PT on 08/03, Niantic rolled out countermeasures to block scraping and saw an immediate drop of well over 50% in spatial query traffic as the bots could no longer find any Pokémon. The hackers had noticed an “Unknown6” field contained in the signature sent in map requests to find targets at a given location, noting that Niantic servers had previously accepted any value Unknown6 was given. After more than three days of targeted efforts by the pokemongodev hackers and a group called Team Unknown6 Crew to crack the field, they claimed victory and released an updated Pokémon Go API that was able to locate nearby Pokémon.
Zhao goes on to explain the challenges of reverse-engineering a binary program, as well as offering several pieces of advice for server-side protection, including rate limiting, IP blocking, and behaviour analysis. This battle between the bot makers and Niantic will surely continue, forcing the company to split developer time between building new features and controlling the external threat.
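The three server-side controls named above (rate limiting, IP blocking, behaviour analysis) can be combined in one request guard in front of the map endpoint. The following is an added example written for this summary, not code from Niantic or from Zhao's post. It keeps a sliding-window count of spatial queries per account and per source IP, flags an account whose reported position moves faster than any walking player could, and blocks an IP outright after repeated violations. The request sample, the account names, the thresholds and the field layout are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict, deque

# Constructed sample of "spatial query" (map) requests as (unix_ts, account, ip, lat, lon).
# alice walks a few hundred metres over two minutes; scanner1 "teleports" roughly 1 km
# per second across a city; scanner2 hammers the endpoint twice per second from its own IP.
SAMPLE_REQUESTS = (
    [
        (1000.0, "alice", "10.0.0.5", 37.7749, -122.4194),
        (1030.0, "alice", "10.0.0.5", 37.7755, -122.4180),
        (1060.0, "alice", "10.0.0.5", 37.7762, -122.4170),
        (1120.0, "alice", "10.0.0.5", 37.7770, -122.4160),
    ]
    + [(1000.0 + i, "scanner1", "10.0.0.9", 37.7749 + 0.01 * i, -122.4194) for i in range(5)]
    + [(1000.0 + 0.5 * i, "scanner2", "10.0.0.7", 37.7749, -122.4194) for i in range(40)]
)

# Assumed policy values; a real deployment tunes these against observed traffic.
ACCOUNT_LIMIT = 30        # map requests per account per window
IP_LIMIT = 60             # map requests per source IP per window
WINDOW_SECONDS = 60.0
MAX_SPEED_M_PER_S = 50.0  # about 180 km/h; faster than that is not a player on foot
STRIKES_TO_BLOCK_IP = 3   # repeated violations from one IP get it blocked outright


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


class SpatialQueryGuard:
    def __init__(self):
        self.account_hits = defaultdict(deque)  # account -> request timestamps in window
        self.ip_hits = defaultdict(deque)       # ip -> request timestamps in window
        self.last_seen = {}                     # account -> (ts, lat, lon) of last request
        self.ip_strikes = defaultdict(int)      # ip -> number of rejected requests
        self.blocked_ips = set()

    @staticmethod
    def _count_in_window(hits, ts):
        """Drop timestamps older than the window, record this one, return the count."""
        while hits and ts - hits[0] > WINDOW_SECONDS:
            hits.popleft()
        hits.append(ts)
        return len(hits)

    def check(self, ts, account, ip, lat, lon):
        """Return 'ok' or the reason the request should be refused."""
        if ip in self.blocked_ips:
            return "ip_blocked"
        acct_n = self._count_in_window(self.account_hits[account], ts)
        ip_n = self._count_in_window(self.ip_hits[ip], ts)
        prev = self.last_seen.get(account)
        self.last_seen[account] = (ts, lat, lon)

        verdict = "ok"
        if acct_n > ACCOUNT_LIMIT:
            verdict = "rate_limit_account"
        elif ip_n > IP_LIMIT:
            verdict = "rate_limit_ip"
        elif prev is not None:
            prev_ts, prev_lat, prev_lon = prev
            dt = ts - prev_ts
            # Behaviour check: a player cannot be in two distant places a second apart.
            if dt > 0 and haversine_m(prev_lat, prev_lon, lat, lon) / dt > MAX_SPEED_M_PER_S:
                verdict = "impossible_speed"

        if verdict != "ok":
            self.ip_strikes[ip] += 1
            if self.ip_strikes[ip] >= STRIKES_TO_BLOCK_IP:
                self.blocked_ips.add(ip)
        return verdict


def run_guard(requests):
    """Replay requests in time order; return {account: {verdict: count}}."""
    guard = SpatialQueryGuard()
    verdicts = defaultdict(Counter)
    for ts, account, ip, lat, lon in sorted(requests, key=lambda r: r[0]):
        verdicts[account][guard.check(ts, account, ip, lat, lon)] += 1
    return {account: dict(c) for account, c in verdicts.items()}


if __name__ == "__main__":
    for account, counts in run_guard(SAMPLE_REQUESTS).items():
        print(account, counts)
```

The speed check is the behaviour-analysis piece: it catches a mapper bot that spoofs a grid of locations even when it stays under the request-rate limits. The threshold has to allow for players on trains or motorways, so a real system would treat a single fast jump as a signal to score rather than an automatic rejection; here it is kept as a hard cut-off to keep the logic readable.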