The extraordinary success of Pokémon Go has been surprising, even in the rapidly changing paradigm of the mobile application space. The game, which allows users to hunt down and capture virtual monsters, uses Augmented Reality (AR) technology to display the creatures in real world locations such as parks, homes, and offices.
Pokémon Go has already broken five Guinness World Records, including most revenue grossed by a mobile game in its first month: $206.5 million. There’s no denying that the game has set a new benchmark that the next generation of games will aim to surpass. However, businesses looking to model their strategy after the success of Pokémon Go need to also be aware of what the game’s developer Niantic missed – especially when it comes to security.
There were privacy concerns around the game’s initial launch due to over-requesting of permissions for a user’s Google account. The application asked for access to full account privileges, although Niantic maintains that the game never used any of the extended permissions. There were also reports of users downloading and installing fake pre-release versions of the software, which were found to contain malware.
Since addressing the initial issues, the ongoing battle between the developer and groups of hackers has focused on accessing and unlocking upcoming aspects of the game code. The attacks so far have been relatively benign, with groups simply wishing to discover spoilers in the information coded into the game and its resources and graphics. Helper apps and websites also emerged that surreptitiously pulled server data to help players track down creatures – frequently overwhelming the backend in the process.
Attack of the bots
More directly harmful to the ecosystem are those accessing APIs to facilitate cheating. Despite Niantic’s best efforts, Pokémon Go has been plagued by “botting” – the use of scripting and tools to automatically play the game at levels impossible for a human user. Botting is a common plague for many popular online games, particularly multiplayer role-playing games, which contain in-game currency, and first-person shooters, which competitively rank their players. These bots ruin the game for honest users by making fair competition impossible, whether that competition is measured in currency or in skill level.
In Pokémon Go’s case, these bots spoof the communication between a legitimate client and the server APIs, and can find and capture creatures by sending spoofed GPS data. They can also perform other actions such as collecting items and fighting monsters without direct user input. The impact on legitimate players has been a major point of contention within player communities – not to mention it creates a server load nightmare.
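One server-side check that catches the spoofed GPS data described above is a plausibility test on movement: if two consecutive location reports from the same client imply a speed no human could reach, the session is flagged for throttling, a challenge or further review. The following is an added example in Go written for this article, not code from Niantic or the game; the `LocationReport` type, the threshold and the sample reports are all constructed for illustration.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// LocationReport is one GPS fix sent by a client (constructed type for this example).
type LocationReport struct {
	Lat, Lon float64
	At       time.Time
}

const earthRadiusM = 6371000.0

// haversineM returns the great-circle distance in metres between two points.
func haversineM(lat1, lon1, lat2, lon2 float64) float64 {
	toRad := func(d float64) float64 { return d * math.Pi / 180 }
	dLat := toRad(lat2 - lat1)
	dLon := toRad(lon2 - lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(toRad(lat1))*math.Cos(toRad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * earthRadiusM * math.Asin(math.Sqrt(a))
}

// ImpliedSpeedMS returns the speed in m/s a player would need to move between two reports.
// Identical or out-of-order timestamps are also implausible, so they yield +Inf.
func ImpliedSpeedMS(prev, cur LocationReport) float64 {
	dt := cur.At.Sub(prev.At).Seconds()
	if dt <= 0 {
		return math.Inf(1)
	}
	return haversineM(prev.Lat, prev.Lon, cur.Lat, cur.Lon) / dt
}

// FlagTeleports walks a client's reports in order and returns the indices of reports whose
// implied speed exceeds maxSpeedMS; the caller can then throttle, challenge or log the session.
func FlagTeleports(reports []LocationReport, maxSpeedMS float64) []int {
	var flagged []int
	for i := 1; i < len(reports); i++ {
		if ImpliedSpeedMS(reports[i-1], reports[i]) > maxSpeedMS {
			flagged = append(flagged, i)
		}
	}
	return flagged
}

func main() {
	t0 := time.Date(2016, 8, 1, 12, 0, 0, 0, time.UTC)
	// Constructed sample: a short walk in central London, then a jump to New York 30 s later.
	reports := []LocationReport{
		{51.5074, -0.1278, t0},
		{51.5080, -0.1290, t0.Add(60 * time.Second)}, // ~100 m in a minute: walking pace
		{40.7128, -74.0060, t0.Add(90 * time.Second)}, // ~5,570 km in 30 s: impossible
	}
	// 50 m/s is about 180 km/h, generous enough for a player in a car or train.
	for _, i := range FlagTeleports(reports, 50) {
		fmt.Printf("report %d implies %.0f m/s\n", i, ImpliedSpeedMS(reports[i-1], reports[i]))
	}
}
```

A threshold this loose will not catch a bot that walks its fake position slowly, so in practice it is combined with other signals, but it removes the crudest form of spoofing and the server load that comes with it.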
Niantic has rolled out incremental updates intended to block unauthorized access to its servers, but hacking groups have managed to overcome each new control shortly after its release. A group known as Team Unknown was able to identify and reverse a new hash function within four days of its release.
Cryptographic keys are one of the most important prizes for hackers looking to break into an app, as they enable encrypted data to be deciphered. Keys are used for everything from binding devices to accounts to proving user identity, so breaking them gives hackers a clear window for wider malicious activity as well. These keys and signatures are also intended to ensure that only legitimate clients are able to use the game server APIs. Access is usually regulated with a cryptographic challenge-response protocol, which typically requires the mobile client to hold public and private key material for an asymmetric cipher.
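The challenge-response exchange just described, as an added example in Go that is not Niantic's protocol or code: the server enrols each client's public key, issues a random single-use nonce, and accepts the client only if it returns a valid signature over that nonce with the matching private key. The `Server` and `Client` types, the Ed25519 choice of cipher and the `challengePrefix` domain separator are assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// challengePrefix is domain separation: a signature over a challenge can never be mistaken
// for a signature over some other message the client signs.
const challengePrefix = "api-challenge-v1:"

// Server issues nonces and checks signatures against each client's enrolled public key.
// Constructed for this example; the game's real protocol is not public.
type Server struct {
	clients map[string]ed25519.PublicKey // client id -> public key enrolled at first login
	issued  map[string][]byte            // client id -> outstanding nonce (single use)
}

func NewServer() *Server {
	return &Server{clients: map[string]ed25519.PublicKey{}, issued: map[string][]byte{}}
}

// Enroll registers the public half of a client's key pair.
func (s *Server) Enroll(id string, pub ed25519.PublicKey) { s.clients[id] = pub }

// Challenge returns a fresh 32-byte nonce for the client and remembers it.
func (s *Server) Challenge(id string) ([]byte, error) {
	if _, ok := s.clients[id]; !ok {
		return nil, errors.New("unknown client")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.issued[id] = nonce
	return nonce, nil
}

// Verify checks the client's signature over the outstanding nonce and consumes the nonce,
// so a captured (nonce, signature) pair cannot be replayed.
func (s *Server) Verify(id string, sig []byte) bool {
	nonce, ok := s.issued[id]
	if !ok {
		return false
	}
	delete(s.issued, id)
	return ed25519.Verify(s.clients[id], append([]byte(challengePrefix), nonce...), sig)
}

// Client holds the private key. On a real device this is exactly the material the article
// says obfuscation and white-box techniques exist to protect.
type Client struct {
	id   string
	priv ed25519.PrivateKey
}

// NewClient generates a key pair and returns the client plus the public key to enrol.
func NewClient(id string) (*Client, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Client{id: id, priv: priv}, pub, nil
}

// Respond signs the server's nonce with the private key.
func (c *Client) Respond(nonce []byte) []byte {
	return ed25519.Sign(c.priv, append([]byte(challengePrefix), nonce...))
}

// RunHandshake performs one full exchange and reports whether the server accepted the client.
func RunHandshake(s *Server, c *Client) (bool, error) {
	nonce, err := s.Challenge(c.id)
	if err != nil {
		return false, err
	}
	return s.Verify(c.id, c.Respond(nonce)), nil
}

func main() {
	s := NewServer()
	c, pub, _ := NewClient("device-42")
	s.Enroll("device-42", pub)
	ok, _ := RunHandshake(s, c)
	fmt.Println("legitimate client accepted:", ok)
}
```

The security of this exchange rests entirely on the private key staying on the device: anyone who extracts it from the binary can answer challenges exactly as the legitimate client would, which is why the rest of the article is about protecting that key.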
Both Niantic and the players are fortunate that malicious activity has been limited to hunting for secrets or facilitating bots. Those able to break into the app’s code and root out the keys could potentially do far more damage – going on to extract user data from the server or take the game offline completely.
Protecting the keys
Cryptographic key protection and binary code obfuscation are reasonable steps all developers should be taking to keep the code and the keys safe and trusted. Obfuscation transforms the code so that prying eyes cannot easily understand it or extract information from it, which in turn makes the application’s other defenses harder to identify and defeat. Limiting information leakage in clear text strings, removing unused program code from application binaries, and changing easy-to-understand program symbol names also make the code more difficult to crack.
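A cheap pre-release check for the clear-text string leakage mentioned above is to run the same pass an analyst would start with (printable-string extraction over the binary) and flag anything that looks like key material or credentials. The following is an added example in Go written for this article, not a tool from the page or from any vendor; the byte buffer returned by `sampleBinary` and the heuristic patterns are constructed for illustration and would be tuned to a real build pipeline.

```go
package main

import (
	"fmt"
	"regexp"
)

// PrintableStrings extracts runs of printable ASCII of at least minLen bytes from a binary,
// the same information a first pass with the `strings` tool would reveal.
func PrintableStrings(data []byte, minLen int) []string {
	var out []string
	start := -1
	for i, b := range data {
		if b >= 0x20 && b <= 0x7e {
			if start < 0 {
				start = i
			}
			continue
		}
		if start >= 0 && i-start >= minLen {
			out = append(out, string(data[start:i]))
		}
		start = -1
	}
	if start >= 0 && len(data)-start >= minLen {
		out = append(out, string(data[start:]))
	}
	return out
}

// secretPatterns are heuristics for material that should never ship in clear text.
var secretPatterns = []*regexp.Regexp{
	regexp.MustCompile(`-----BEGIN [A-Z ]*PRIVATE KEY-----`),
	regexp.MustCompile(`(?i)(api[_-]?(key|secret)|password|passwd|token)\s*[:=]\s*\S+`),
	regexp.MustCompile(`\b[0-9a-fA-F]{32,}\b`), // long hex blob: often a raw key or HMAC secret
}

// FlagSecretLike returns the extracted strings that match any pattern.
func FlagSecretLike(strs []string) []string {
	var hits []string
	for _, s := range strs {
		for _, re := range secretPatterns {
			if re.MatchString(s) {
				hits = append(hits, s)
				break
			}
		}
	}
	return hits
}

// sampleBinary is a constructed stand-in for an app binary: junk bytes around a few strings.
// The "secrets" inside it are placeholders, not real key material.
func sampleBinary() []byte {
	var b []byte
	junk := []byte{0x00, 0x7f, 0xff, 0x01, 0x90}
	for _, s := range []string{
		"Pokémon", // the non-ASCII byte splits this into fragments too short to keep
		"Welcome back, trainer!",
		"-----BEGIN EC PRIVATE KEY-----",
		"api_secret=EXAMPLE_PLACEHOLDER_KEY",
		"deadbeefdeadbeefdeadbeefdeadbeef",
		"ok",
	} {
		b = append(b, junk...)
		b = append(b, s...)
	}
	return append(b, junk...)
}

func main() {
	for _, s := range FlagSecretLike(PrintableStrings(sampleBinary(), 6)) {
		fmt.Println("clear-text secret-like string:", s)
	}
}
```

Anything this check finds is a build failure, not a warning: a key that appears as a printable string in the binary is already lost, whatever other obfuscation surrounds it.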
One of the most effective ways to keep keys safe on untrusted devices is a technique called white-box cryptography. This approach combines a mathematical algorithm with data and code obfuscation techniques to transform the key and its related operations, making it impossible for hackers to locate and extract them in the code. Applications using white-box cryptography have repeatedly safeguarded cryptographic keys in direct intrusion testing by leading red teams.
Additionally, multi-layered “Guards” can be injected into the binary of the app to enable Runtime Application Self-Protection (RASP), effectively creating a self-aware app that is able to identify threats and take immediate action to protect itself. These Guards can also integrate with threat modelling and reporting technologies so that attacks can be tracked and reacted to in real time.
Although the security risks around Pokémon Go have been in the spotlight lately, the truth is that most applications, especially those in healthcare and finance, are vulnerable. The key difference here is the scope and cost of a potential breach, as the vast number of users means that any security vulnerability could have an enormous impact. If you are a developer who’s sitting on an idea for the next breakthrough application, make sure you learn from the missteps of Pokémon Go… and protect your assets from the beginning.