The success of Pokémon Go has been a truly remarkable milestone for mobile gaming. The game allows users to hunt down and capture virtual monsters with ties to real world locations, using Augmented Reality (AR) technology to display the creatures in parks, homes, and offices around the world.
Although its popularity has waned with the end of summer, the game nevertheless broke five Guinness World Records, including most revenue grossed by a mobile game in its first month ($206.5 million) and the shortest time to gross $100 million: just 20 days. However, anyone hoping to model their strategy on Niantic’s success should also pay attention to what the company missed, especially when it comes to security.
Bots and cheats
One of the biggest problems the game has faced is attackers reverse-engineering its APIs to facilitate cheating. Pokémon Go has been plagued by “botting”: the use of scripts and tools that play the game automatically, at a rate and scale no human player can match. Botting is a common problem for popular online games, and it ruins the experience for honest users by making competitive play impossible, whether the competition is measured in in-game currency or in skill level.
Despite the developer’s best efforts, bots continued to impersonate a legitimate client in its communication with the server APIs. Once they can do that, they can find and capture creatures by sending spoofed GPS data, and perform other actions such as collecting items and fighting monsters, all without any user input. This extra traffic puts more strain on the game’s servers and spoils the game for legitimate players, who cannot keep up with the competition.
Cryptographic keys are one of the most valuable prizes for an attacker reverse-engineering an app in order to talk to its server and run bots, because whoever holds them can decrypt protected traffic. Keys are used for everything from binding a device to an account to proving user identity, so extracting them opens the door to wider malicious activity as well. The same keys and signatures are also what is meant to ensure that only legitimate clients can call the game server’s APIs. Access is typically gated with a cryptographic challenge-response protocol: the server sends a fresh nonce and the client must answer with a signature or MAC over it, which means the mobile client has to hold key material (a private key for an asymmetric scheme, or a shared secret for a MAC-based one). The weakness is that the protocol proves possession of the key, not that the caller is the genuine app: a bot that has extracted the key from the binary answers every challenge exactly as the real client would.
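The exchange described above, as an added example written for this article rather than anything from Niantic or a vendor product. It uses an HMAC shared secret in place of the asymmetric key pair mentioned in the text, because Python’s standard library has no asymmetric signing; the conclusion is identical. The server class, the key, the request bodies and the session names are all constructed for the illustration.

```python
"""Challenge-response gating of a game API, and why an extracted key defeats it.

Added example for this article, not Niantic's code or any vendor's product. It uses
an HMAC shared secret in place of the asymmetric key pair mentioned in the text
(Python's standard library has no asymmetric signing); the conclusion is the same.
"""
import hashlib
import hmac
import json
import os

# Constructed secret standing in for key material baked into a shipped client binary.
EMBEDDED_CLIENT_KEY = b"constructed-example-key-not-a-real-secret"


def canonical(body: dict) -> bytes:
    """Serialise a request body deterministically so both sides MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_request(key: bytes, nonce: bytes, body: dict) -> bytes:
    """Client side: MAC the server's nonce together with the request body."""
    return hmac.new(key, nonce + canonical(body), hashlib.sha256).digest()


class GameServer:
    """Hypothetical API server that only honours requests proving possession of the client key."""

    def __init__(self, client_key: bytes):
        self._key = client_key
        self._pending = {}  # session id -> outstanding nonce

    def issue_challenge(self, session: str) -> bytes:
        nonce = os.urandom(16)
        self._pending[session] = nonce
        return nonce

    def handle_request(self, session: str, body: dict, tag: bytes) -> str:
        # Each nonce is single-use, so a captured (nonce, tag) pair cannot simply be replayed.
        nonce = self._pending.pop(session, None)
        if nonce is None:
            return "rejected: no outstanding challenge (replay or unknown session)"
        expected = sign_request(self._key, nonce, body)
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad signature"
        # The server cannot tell a human tapping a phone from a script holding the key.
        return f"accepted: {body['action']} at {body['lat']},{body['lon']}"


def client_session(server: GameServer, key: bytes, session: str, body: dict) -> str:
    """One full exchange: request a challenge, sign it with `key`, submit the request."""
    nonce = server.issue_challenge(session)
    return server.handle_request(session, body, sign_request(key, nonce, body))


def demo() -> tuple:
    server = GameServer(EMBEDDED_CLIENT_KEY)
    catch = {"action": "catch", "lat": 51.5074, "lon": -0.1278}
    # 1. Genuine client with real GPS data.
    real = client_session(server, EMBEDDED_CLIENT_KEY, "player-1", catch)
    # 2. Bot that never extracted the key: fails the challenge.
    guessing_bot = client_session(server, b"wrong-key", "bot-1", catch)
    # 3. Bot that pulled the key out of the app binary, sending spoofed coordinates
    #    for a place the device has never been: indistinguishable from (1).
    spoofed = {"action": "catch", "lat": 35.6762, "lon": 139.6503}
    key_bot = client_session(server, EMBEDDED_CLIENT_KEY, "bot-2", spoofed)
    # 4. Replaying an already-consumed exchange is still rejected, key or no key.
    stale_tag = sign_request(EMBEDDED_CLIENT_KEY, b"\0" * 16, spoofed)
    replay = server.handle_request("bot-2", spoofed, stale_tag)
    return real, guessing_bot, key_bot, replay


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The nonce stops replay, and the MAC stops anyone without the key, but nothing in the exchange distinguishes case 3 from case 1. That is why the rest of this article is about keeping the key out of the attacker’s hands rather than about the protocol.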
Beating the cheats
Both Pokémon Go’s developer and its players have been fortunate that hackers have been content with facilitating bots or discovering game secrets hidden in the code, rather than launching harmful attacks.
To see off anyone attempting this kind of access, cryptographic key protection and binary code obfuscation are the primary tools for keeping code and keys safe and trusted. Obfuscation transforms the code so that prying eyes cannot easily understand it or extract information from it, which in turn makes the application’s other defences harder to identify and defeat. Encrypting or removing clear-text strings, stripping unused code from the binary, and renaming easy-to-understand program symbols all make the code harder to crack.
Injecting multi-layered “Guards” into the app binary enables Runtime Application Self-Protection (RASP): the app becomes self-aware, able to detect tampering, debugging and other threats and to take immediate action to protect itself. These Guards can also feed threat monitoring and reporting systems so that attacks can be tracked and responded to as they happen.
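One way to picture what a layered integrity Guard does, as an added example written for this article and not any vendor’s RASP product. The “app” is modelled as a byte string with named code regions: at build time each region’s digest is written into a guard table appended to the image, and at run time each guard recomputes and compares. The table is itself covered by a root digest held by the runtime, so an attacker who silences one guard trips the one above it. The region contents, offsets and names are all constructed for the illustration.

```python
"""Layered integrity guards over an app image, as an added illustration of the Guard idea.

Added example written for this article; it is not any vendor's RASP product. The 'app'
is modelled as a byte string with named code regions. At build time each region's
digest is written into a guard table appended to the image; at run time the guards
recompute and compare. The table is itself guarded by a root digest held by the
runtime, so an attacker who silences one guard trips the one above it.
"""
import hashlib

DIGEST_LEN = 32  # SHA-256


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_image(code_regions: dict) -> tuple:
    """'Build time': lay out the regions and append a guard table of their digests.

    Returns (image, layout, root): layout maps region name -> (start, end); root is the
    digest of the guard table, kept by the runtime. In a real product the root would be
    hidden in obfuscated code rather than held in a plain variable as it is here.
    """
    image = b""
    layout = {}
    for name, code in code_regions.items():
        layout[name] = (len(image), len(image) + len(code))
        image += code
    table = b"".join(digest(image[s:e]) for s, e in layout.values())
    layout["guard_table"] = (len(image), len(image) + len(table))
    return image + table, layout, digest(table)


def run_guards(image: bytes, layout: dict, root: bytes) -> list:
    """'Run time': return the names of every guard whose region no longer matches.

    A non-empty result is where a real Guard would act: terminate, degrade, or report.
    """
    tripped = []
    ts, te = layout["guard_table"]
    table = image[ts:te]
    if digest(table) != root:
        tripped.append("guard_table")  # the root guard watches the other guards' expectations
    code_names = [n for n in layout if n != "guard_table"]
    for i, name in enumerate(code_names):
        s, e = layout[name]
        expected = table[i * DIGEST_LEN:(i + 1) * DIGEST_LEN]
        if digest(image[s:e]) != expected:
            tripped.append(name)
    return tripped


def patch(image: bytes, offset: int, new_bytes: bytes) -> bytes:
    """Overwrite bytes in place (same length, so offsets stay valid), as a binary patcher would."""
    return image[:offset] + new_bytes + image[offset + len(new_bytes):]


def demo() -> tuple:
    # Constructed stand-ins for compiled code regions.
    regions = {
        "login": b"authenticate(); fetch_profile();",
        "anticheat": b"if (speed > MAX_SPEED) reject_move();",
        "render": b"draw_map(); draw_pokemon();",
    }
    image, layout, root = build_image(regions)
    clean = run_guards(image, layout, root)

    # Attacker patches the anti-cheat condition so spoofed GPS jumps are never rejected.
    start, end = layout["anticheat"]
    condition = b"speed > MAX_SPEED"
    hacked = patch(image, start + len(b"if ("), b"false".ljust(len(condition)))
    naive = run_guards(hacked, layout, root)

    # A smarter attacker also rewrites the table entry so the anticheat guard stays quiet...
    idx = list(regions).index("anticheat")
    table_start = layout["guard_table"][0]
    fixed_up = patch(hacked, table_start + idx * DIGEST_LEN, digest(hacked[start:end]))
    layered = run_guards(fixed_up, layout, root)  # ...but the root guard sees the table change
    return clean, naive, layered


if __name__ == "__main__":
    for label, result in zip(("clean", "patched", "patched + fixed-up table"), demo()):
        print(f"{label}: tripped guards = {result}")
```

Real Guards also check for debuggers, hooking frameworks and rooted or jailbroken devices, and they are themselves obfuscated and spread through the binary so that there is no single check to find and remove; the example shows only the layering principle.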
Finally, one of the strongest defences for keys on untrusted devices is white-box cryptography. This approach combines the cipher’s mathematics with data and code obfuscation so that the key and the operations that use it are transformed into a form in which the key never appears in the clear, even in memory at run time, making it very hard for an attacker to locate and extract. Applications using white-box cryptography have repeatedly kept their keys safe through direct intrusion testing by leading red teams.
The immense popularity of Pokémon Go has highlighted the problem of attackers reverse-engineering code and spoofing authorisation to cheat, but these are extremely common problems. We have found that the vast majority of apps, including healthcare and finance apps full of confidential data, lack the basic protections needed to keep their code safe. Developers sitting on the idea for the next breakthrough application should learn from the missteps of Pokémon Go and protect their assets from the beginning.