Pokémon No? Security lessons from a mobile game

Aaron Lint, VP of Research, Arxan Technologies, discusses the security risks highlighted by the mobile AR phenomenon.

Even in the rapidly changing paradigm of the mobile application space, the success of Pokémon Go has been truly remarkable. The game allows users to hunt down and capture virtual monsters with ties to real world locations, using augmented reality (AR) technology to display the creatures in parks, homes, and offices around the world.

The game has already broken five Guinness World Records, including most revenue grossed by a mobile game in its first month: US$206.5 million. It is truly the new benchmark that the next generation of games will be looking to surpass. However, anyone hoping to model their strategy after the success of Niantic should also pay attention to what they missed – especially when it comes to security.

The initial launch was dogged by privacy concerns because the application over-requested permissions on a user’s Google account, asking for full account access, although Niantic maintains that the game never used any of the extended permissions. There were also reports of users downloading and installing fake pre-release versions of the app that turned out to contain malware.

After the initial issues were addressed, the ongoing battle between the developer and groups of hackers has focused on accessing and unlocking upcoming aspects of the game code. The attacks so far have been relatively benign, with groups mostly wanting to discover spoilers in the information coded into the game and its resources and graphics. Helper apps and websites also sprang up to show players where creatures were, quietly pulling that location data from Niantic’s servers through the same unofficial access to the server API, and frequently overwhelming the backend in the process.

Attack of the bots

More directly harmful to the ecosystem are those accessing the APIs to facilitate cheating. Despite Niantic’s best efforts, Pokémon Go has been plagued by ‘botting’: the use of scripts and tools to play the game automatically at a rate no human user could match. Botting is a familiar problem in many popular online games, particularly massively-multiplayer role-playing games with an in-game currency and first-person shooters that competitively rank their players. Bots ruin the game for honest users, either by wrecking the in-game economy or by making competitive play against a scripted opponent impossible.

In Pokémon Go’s case, these bots impersonate a legitimate client when talking to the server APIs: they send spoofed GPS coordinates to find and capture creatures, and perform other actions such as collecting items and fighting monsters without any direct user input. The impact on legitimate players has been a major bone of contention in player communities, and the extra traffic creates a server-load nightmare.

Niantic has rolled out incremental updates intended to stem the tide of unauthorised access to its servers, but the hacking groups have overcome each new control quickly after its release. A group known as Team Unknown6 identified and reversed a new hash function added to the client within four days of its release.

Cryptographic keys are one of the most important prizes for hackers looking to break into an app, since they allow encrypted data to be deciphered. Keys are used for everything from binding devices to accounts to proving user identity, so recovering them also gives hackers a clear window for wider malicious activity. In a game like this, the keys and the signatures made with them are also what is meant to ensure that only legitimate clients can use the game server APIs. Access is usually regulated with a cryptographic challenge-response protocol, which requires the mobile client to hold key material on the device: for an asymmetric cipher, a private key and its matching public key. The caveat every practitioner should keep in mind is that any key stored in a client binary running on an attacker-controlled device can, given enough effort, be recovered; the defences discussed below raise the cost of that effort rather than eliminating it.
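
The challenge-response flow described above, written out end to end as an added example in Go. It is not Niantic’s protocol or Arxan’s code: the Ed25519 key pair, the nonce bookkeeping and the message shapes are assumptions made for illustration. The server issues a single-use random nonce, the client signs it with the private key that ships inside the app binary, and the server checks the signature against the matching public key. The last two scenarios in `main` are the article’s point: a bot that has extracted that private key from the binary answers the challenge exactly like the real app, while one without it is refused.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// Server models the game backend. It holds the public half of the key pair
// compiled into legitimate client builds and remembers which challenges are
// still outstanding.
type Server struct {
	clientPub ed25519.PublicKey
	mu        sync.Mutex
	pending   map[string]struct{} // hex(nonce) of unanswered challenges
}

func NewServer(pub ed25519.PublicKey) *Server {
	return &Server{clientPub: pub, pending: make(map[string]struct{})}
}

// Challenge issues a fresh 32-byte random nonce. Each nonce is single-use, so a
// signature captured from a real session cannot simply be replayed by a bot.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.mu.Lock()
	s.pending[hex.EncodeToString(nonce)] = struct{}{}
	s.mu.Unlock()
	return nonce, nil
}

// Verify accepts a response only if the nonce is outstanding and the signature
// over it verifies under the client key. The nonce is consumed either way, so
// an attacker cannot use a failed attempt to probe the same challenge again.
func (s *Server) Verify(nonce, sig []byte) error {
	key := hex.EncodeToString(nonce)
	s.mu.Lock()
	_, outstanding := s.pending[key]
	delete(s.pending, key)
	s.mu.Unlock()
	if !outstanding {
		return errors.New("unknown or already-used challenge")
	}
	if !ed25519.Verify(s.clientPub, nonce, sig) {
		return errors.New("signature does not verify under the client key")
	}
	return nil
}

// Client models the mobile app. Priv is the private half of the key pair
// embedded in the app binary; it is exactly what an attacker goes after.
type Client struct {
	Priv ed25519.PrivateKey
}

// Respond signs the server's nonce. A bot that has lifted Priv out of the
// binary can call this and is indistinguishable from the real client.
func (c Client) Respond(nonce []byte) []byte {
	return ed25519.Sign(c.Priv, nonce)
}

// GenerateClientKeys stands in for the key pair a vendor would generate at
// build time (hypothetical; the real game's key management is not public).
func GenerateClientKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	pub, priv := GenerateClientKeys()
	srv := NewServer(pub)
	app := Client{Priv: priv}

	nonce, _ := srv.Challenge()
	sig := app.Respond(nonce)
	fmt.Println("legitimate client:", srv.Verify(nonce, sig)) // nil
	fmt.Println("replayed response:", srv.Verify(nonce, sig)) // error: already used

	// A bot that extracted the private key from the binary passes like the app.
	bot := Client{Priv: priv}
	n2, _ := srv.Challenge()
	fmt.Println("bot with extracted key:", srv.Verify(n2, bot.Respond(n2))) // nil

	// A bot that only has a key of its own is rejected.
	_, otherPriv := GenerateClientKeys()
	n3, _ := srv.Challenge()
	fmt.Println("bot with its own key:", srv.Verify(n3, Client{Priv: otherPriv}.Respond(n3))) // error
}
```

In a real deployment the signature would also cover the request being authorised, not just the nonce, so a captured response cannot be attached to a different API call; that detail is left out here to keep the exchange readable. Note what the example does not do: nothing on the server side can tell the extracted-key bot from the genuine app, which is why the protections in the next section focus on making the key hard to find rather than on the protocol.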

Both Niantic and the players are fortunate that malicious activity has so far been limited to hunting for secrets and facilitating bots. Anyone able to break into the app’s code and root out the keys could potentially do far more damage, going on to extract user data from the server or take the game offline completely.

Protecting the keys

Cryptographic key protection and binary code obfuscation are reasonable steps all developers should be taking to keep the code and the keys safe and trusted. Obfuscation transforms the code so that prying eyes cannot easily read it or harvest information from it, which in turn makes the application’s other defences harder to identify and defeat. Limiting information leakage in clear-text strings, removing unused program code from the application binary, and replacing easy-to-understand program symbol names also make the code more difficult to crack.
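
As an added illustration of the first of those measures, keeping sensitive literals out of clear text, here is a minimal string-masking scheme in Go. It is not Arxan’s product or the output of any real obfuscator; the rolling XOR mask, the sample endpoint literal and the `strings`-style scan in `LeaksPlaintext` are assumptions constructed for the example. The idea is that a build step encodes each literal once, only the masked bytes and the mask are compiled into the data section, and the plaintext exists in memory only between `Reveal` and `Wipe`.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"fmt"
)

// Hidden is a string literal stored in masked form. Only Mask and Data end up
// in the binary, so a `strings` run or a grep of the unpacked app does not
// find the plaintext.
type Hidden struct {
	Mask []byte
	Data []byte
}

// Encode is the build-time step: a code generator would run this once and emit
// the Mask/Data arrays as source. It is included so the example runs
// stand-alone. A rolling mask combined with the byte index means repeated
// characters do not produce repeated output bytes.
func Encode(plain string, mask []byte) Hidden {
	if len(mask) == 0 {
		panic("mask must not be empty")
	}
	out := make([]byte, len(plain))
	for i := 0; i < len(plain); i++ {
		out[i] = plain[i] ^ mask[i%len(mask)] ^ byte(i)
	}
	return Hidden{Mask: mask, Data: out}
}

// Reveal decodes into a fresh buffer at the point of use. Callers Wipe the
// buffer as soon as they are done so the plaintext is short-lived in memory.
func (h Hidden) Reveal() []byte {
	out := make([]byte, len(h.Data))
	for i := range h.Data {
		out[i] = h.Data[i] ^ h.Mask[i%len(h.Mask)] ^ byte(i)
	}
	return out
}

// Wipe overwrites a revealed buffer with zeros.
func Wipe(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// RandomMask produces a per-string mask; at build time this would run once
// per literal.
func RandomMask(n int) []byte {
	m := make([]byte, n)
	if _, err := rand.Read(m); err != nil {
		panic(err)
	}
	return m
}

// LeaksPlaintext stands in for a static `strings` scan over the bytes that
// would be compiled into the data section.
func LeaksPlaintext(h Hidden, literal string) bool {
	blob := append(append([]byte{}, h.Mask...), h.Data...)
	return bytes.Contains(blob, []byte(literal))
}

func main() {
	// Constructed example literal; the real game's endpoints are not the point.
	const endpoint = "https://api.example.invalid/v1/session"
	h := Encode(endpoint, RandomMask(16))
	fmt.Println("plaintext visible to static scan:", LeaksPlaintext(h, endpoint)) // false
	url := h.Reveal()
	fmt.Println("decoded at runtime:", string(url)) // the original literal
	Wipe(url)
}
```

This only raises the bar for static analysis. A debugger breakpoint or a Frida hook on `Reveal`, or a memory dump taken while the buffer is live, sees the plaintext, which is why the article pairs obfuscation with runtime guards rather than relying on either alone.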

One of the most effective ways to keep keys safe on untrusted devices is a technique called white-box cryptography. This approach combines a mathematical transformation of the algorithm with data and code obfuscation so that the key and the operations that use it are merged into the code, making it very difficult for hackers to locate and extract them. Applications using white-box cryptography have repeatedly safeguarded cryptographic keys from direct intrusion testing by leading red teams.

Additionally, multi-layered ‘guards’ can be injected into the app binary to provide runtime application self-protection (RASP), effectively creating a self-aware app that can identify threats such as tampering with or debugging the app and take immediate action to protect itself. These guards can also report into threat monitoring and analytics systems so that attacks can be tracked and responded to as they happen.

While Pokémon Go has received a lot of attention around security, the truth is that most applications, including those in healthcare and finance, carry the same kinds of weaknesses. The striking difference here is the scope and cost of a potential breach: with so many users, any security vulnerability could have an enormous impact. To the developers sitting on the idea for the next breakthrough application: learn from the missteps of Pokémon Go, and protect your assets from the beginning.


Edited for web by Cecilia Rehn.