Secplicity - Security Simplified

Powered by WatchGuard Technologies

Hackers Reverse Engineer PokemonGo

July 22, 2016 By Marc Laliberte

It sure didn’t take long for hackers to unravel some of PokemonGo’s secrets. If you’ve somehow missed all of the hubbub, PokemonGo is an Android and iOS augmented reality game that uses your phone’s GPS, camera, and screen to display animated creatures called Pokemon in the world around you. The game’s goal is aptly described by its famous catchphrase, “Gotta catch ‘em all!” The game’s popularity has skyrocketed since its launch, quickly making it the biggest mobile game in U.S. history. Unfortunately, as Corey described in his Daily Security Byte last week, some criminal hackers are taking advantage of the game’s popularity to infect mobile devices with malware posing as alternative installation sources. Other hackers, though, are using their skills with different goals in mind.

Since the game’s release, users in the PokemonGoDev subreddit have been hard at work reverse engineering the app-to-server communication channel. Recently, Reddit user __Isitin__ published a guide to the game’s communication protocol and then followed up with an organized information dump for every Pokemon and item in the game. Understanding the communication channel allows for interfacing with the PokemonGo servers outside of the app itself.

Soon after the server responses were decoded, a different user created a Python-based API to mimic requests sent by the phone app. Using the API (short for Application Program Interface), users can send queries to the game’s servers and receive detailed information about the game world, including which Pokemon are nearby and how far away they are. This same information is available in the app itself, but presented to the player in a much less detailed way to keep Pokemon hunting more interactive.

A multitude of projects are now using this API and its various revisions for things like mapping Pokemon locations in real time and even automatically catching Pokemon without using the app at all.

As a reverse-engineering enthusiast, I am amazed at all of the projects and the unique tools that different developers are creating. I think the popular interest in learning how the game works is really cool. As a gamer, though, I think these tools ruin the experience and I hope Niantic (PokemonGo’s developer) finds a way to identify and stop users that abuse them to gain an advantage. Besides, if players can just use a scripted bot to catch Pokemon automatically from the comfort of their couch, we won’t get to see any more awesome scenes like 500+ people in Bellevue, WA running around a park trying to catch ‘em all. –Marc Laliberte

Filed Under: Editorial Articles Tagged With: Hacking
