It sure didn’t take long for hackers to unravel some of PokemonGo’s secrets. If you’ve somehow missed all of the hubbub, PokemonGo is an Android and iOS augmented reality game that uses your phone’s GPS, camera, and screen to display animated creatures called Pokemon in the world around you. The game’s goal is aptly described by its famous catch phrase, “Gotta catch ’em all!” The game’s popularity has skyrocketed since its launch, quickly making it the biggest mobile game in U.S. history. Unfortunately, as Corey described in his Daily Security Byte last week, some criminal hackers are taking advantage of the game’s popularity to infect mobile devices with malware posing as the game on unofficial installation sources. Other hackers, though, are using their skills with different goals in mind.
Since the game’s release, users in the PokemonGoDev Subreddit have been hard at work reverse engineering the app-to-server communication channel. Recently, reddit user __Isitin__ published a guide to the game’s communication protocol and then followed up with an organized information dump for every Pokemon and item in the game. Once the protocol is understood, anyone can talk to the PokemonGo servers directly, without going through the app at all.
Soon after the server responses were decoded, a different user created a Python-based API to mimic the requests sent by the phone app. Using the API (short for Application Programming Interface), users can send queries to the game’s servers and receive detailed information about the game world, including which Pokemon are nearby and how far away they are. The app itself receives the same information, but presents it to the player in a much less detailed way to keep Pokemon hunting interactive.
As a reverse-engineering enthusiast, I am amazed at all of the projects and the unique tools that different developers are creating. I think the popular interest in learning how the game works is really cool. As a gamer though, I think these tools ruin the experience and I hope Niantic (PokemonGo’s developer) finds a way to identify and stop users who abuse them to gain an advantage. Besides, if players can just use a scripted bot to catch Pokemon automatically from the comfort of their couch, we won’t get to see any more awesome scenes like 500+ people in Bellevue, WA running around a park trying to catch ’em all. –Marc Laliberte
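As an added illustration of the kind of server-side check the author hopes for (example code written for this article, not Niantic's code and not part of any of the reverse-engineering projects mentioned above): once a client talks to the servers outside the app, nothing stops it from reporting whatever GPS position it likes, or from polling far more often than a phone in someone's hand would. The heuristic below, using constructed location reports and assumed thresholds, flags accounts whose consecutive reports imply an impossible travel speed and accounts that send more queries per minute than a human player's app plausibly would.

```python
"""Hypothetical anti-bot heuristic for a location-based game.

Example code for this article, not Niantic's logic. The thresholds and
the sample reports are assumptions/constructed data, not observed values.
"""
from collections import defaultdict
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000.0
MAX_SPEED_MPS = 40.0        # assumption: faster than any plausible on-foot or in-car play
MAX_QUERIES_PER_MIN = 30    # assumption: the real app polls far less often than a scanner
WINDOW_S = 60.0


@dataclass(frozen=True)
class Report:
    """One location-bearing request as the server would log it."""
    account: str
    ts: float    # seconds since epoch
    lat: float   # degrees
    lon: float   # degrees


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


def flag_accounts(reports, max_speed=MAX_SPEED_MPS, max_rate=MAX_QUERIES_PER_MIN):
    """Return {account: sorted list of reasons} for accounts that look automated.

    Reasons: "impossible_travel" if two consecutive reports imply a speed
    above max_speed (or a move with no time elapsed), "query_rate" if more
    than max_rate reports fall inside any WINDOW_S-second window.
    """
    by_account = defaultdict(list)
    for r in reports:
        by_account[r.account].append(r)

    findings = {}
    for account, rs in by_account.items():
        rs.sort(key=lambda r: r.ts)
        reasons = set()

        # Impossible-travel check on consecutive reports.
        for prev, cur in zip(rs, rs[1:]):
            dt = cur.ts - prev.ts
            dist = haversine_m(prev.lat, prev.lon, cur.lat, cur.lon)
            speed = dist / dt if dt > 0 else (float("inf") if dist > 0 else 0.0)
            if speed > max_speed:
                reasons.add("impossible_travel")
                break

        # Sliding-window request-rate check.
        j = 0
        for i, r in enumerate(rs):
            while rs[j].ts < r.ts - WINDOW_S:
                j += 1
            if i - j + 1 > max_rate:
                reasons.add("query_rate")
                break

        if reasons:
            findings[account] = sorted(reasons)
    return findings


# Constructed sample traffic (not real data):
#  - "walker": strolls ~111 m per minute around a park in Bellevue, WA
#  - "teleporter": jumps from Bellevue to downtown Seattle in 30 seconds
#  - "scanner": sits still but queries the server once per second
SAMPLE_REPORTS = (
    [Report("walker", 60.0 * i, 47.6101 + 0.001 * i, -122.2015) for i in range(4)]
    + [Report("teleporter", 0.0, 47.6101, -122.2015),
       Report("teleporter", 30.0, 47.6062, -122.3321)]
    + [Report("scanner", float(i), 47.6101, -122.2015) for i in range(45)]
)


if __name__ == "__main__":
    for account, reasons in flag_accounts(SAMPLE_REPORTS).items():
        print(f"{account}: {', '.join(reasons)}")
```

Real deployments would tune the thresholds against genuine client telemetry and combine these signals with others (client attestation, request signing), since a careful bot can simply pace its fake movement to stay under any fixed speed limit.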