
Cybersecurity Researcher's Journey to Create a Pokémon Go Scanner
This video, presented at the DEF CON conference, tells the story of a security researcher, Tal, who set out to build a Pokémon Go scanner in 2016, shortly after the game's release. At the time Pokémon Go was a global phenomenon, but for players in rural areas like Tal the game was almost unplayable because there were few Pokémon nearby. Frustrated by the in-game "nearby" tracker, which only listed the nine closest Pokémon with a vague indication of their distance, Tal decided to reverse-engineer the protocol between the app and Niantic's servers and build his own tool.
The initial goal was simple: understand how the app fetched the Pokémon around the player and replicate that mechanism to scan a larger area. Tal started by capturing the traffic between the app and the servers with an HTTP proxy such as Fiddler. He quickly found that the messages were serialized with Protocol Buffers (protobuf), Google's format for exchanging structured data between a client and a server. Protobuf is compact because the wire format carries only field numbers and wire types, never field names, so without the original .proto definitions of the Pokémon Go messages Tal had to deduce them: he decoded captures with protoc --decode_raw, which prints the field numbers and raw values of a message without a schema, then guessed the meaning of each field from its values. For example, 64-bit fields that decoded to doubles in the range of latitudes and longitudes gave away the fields carrying the player's location.
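The schema-less decoding step described above, as an added example (not code from the talk or from any Pokémon Go project): a minimal equivalent of protoc --decode_raw that walks the protobuf wire format, plus the heuristic that flags 64-bit fields decoding to plausible GPS coordinates. The sample message is constructed here; field numbers and values are illustrative, not the real Pokémon Go schema.

```python
"""Raw protobuf wire-format decoder for protocol reconnaissance.

Added example (not code from the talk or from any Pokémon Go project).
It does what `protoc --decode_raw` does: walks a serialized message with
no .proto definition, lists each field number, wire type and raw value,
and applies the heuristic from the text, flagging 64-bit fields whose
bytes decode to a double that looks like a latitude or longitude.
"""
import struct

# Protobuf wire types (wire types 3/4, deprecated "groups", are not handled).
VARINT, FIXED64, LENGTH_DELIMITED, FIXED32 = 0, 1, 2, 5


def read_varint(buf, pos):
    """Decode a base-128 varint at buf[pos]; return (value, next_pos)."""
    value = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def encode_varint(value):
    """Inverse of read_varint; used only to build the constructed sample."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def decode_raw(buf):
    """Return [(field_number, wire_type, raw_value)] without any schema."""
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field, wire_type = tag >> 3, tag & 0x7
        if wire_type == VARINT:
            value, pos = read_varint(buf, pos)
        elif wire_type in (FIXED64, FIXED32):
            size = 8 if wire_type == FIXED64 else 4
            value, pos = buf[pos:pos + size], pos + size
        elif wire_type == LENGTH_DELIMITED:
            length, pos = read_varint(buf, pos)
            value, pos = buf[pos:pos + length], pos + length
        else:
            raise ValueError(f"unsupported wire type {wire_type} at offset {pos}")
        if pos > len(buf):
            raise ValueError(f"field {field} runs past the end of the message")
        fields.append((field, wire_type, value))
    return fields


def looks_like_coordinate(raw8):
    """Heuristic: an 8-byte field is a GPS coordinate if, read as a
    little-endian double, it is finite, non-integer and within +/-180.
    The lower bound rejects denormals produced by small fixed64 integers."""
    (d,) = struct.unpack("<d", raw8)
    return d == d and 1e-6 <= abs(d) <= 180.0 and d != int(d)


def interpret(buf, depth=0):
    """Annotate decode_raw output: try nested messages, flag coordinates.
    Returns [(field, kind, value)] with kind in
    'varint', 'coordinate', 'fixed64', 'fixed32', 'message', 'bytes'."""
    out = []
    for field, wire_type, value in decode_raw(buf):
        if wire_type == VARINT:
            out.append((field, "varint", value))
        elif wire_type == FIXED64:
            if looks_like_coordinate(value):
                out.append((field, "coordinate", struct.unpack("<d", value)[0]))
            else:
                out.append((field, "fixed64", value.hex()))
        elif wire_type == FIXED32:
            out.append((field, "fixed32", value.hex()))
        else:
            try:  # bytes that parse cleanly are probably a submessage
                nested = interpret(value, depth + 1) if value and depth < 8 else None
            except ValueError:
                nested = None
            out.append((field, "message", nested) if nested else (field, "bytes", value))
    return out


# Constructed capture, not a real Pokémon Go message: field 1 = request type,
# fields 2/3 = latitude/longitude as doubles, field 4 = a nested submessage.
SAMPLE = (
    encode_varint((1 << 3) | VARINT) + encode_varint(106)
    + encode_varint((2 << 3) | FIXED64) + struct.pack("<d", 48.8584)
    + encode_varint((3 << 3) | FIXED64) + struct.pack("<d", 2.2945)
    + encode_varint((4 << 3) | LENGTH_DELIMITED) + encode_varint(3)
    + encode_varint((1 << 3) | VARINT) + encode_varint(12345)
)

if __name__ == "__main__":
    for field, kind, value in interpret(SAMPLE):
        print(f"field {field}: {kind} = {value!r}")
```

The nested-message guess is only a heuristic: any byte string that happens to parse as valid tags will be reported as a submessage, and a string field whose first byte forms a plausible tag can fool it, so confirm guesses by varying the input (move the player, change the request) and watching which fields change.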
Once the protocol was understood, Tal identified the key request, "get_map_object" (type 106), which returns the Pokémon, gyms and Pokéstops in a given cell. Pokémon Go locates everything with S2 cells, Google's geometry library that maps the Earth's surface onto a hierarchy of cells, each with a 64-bit identifier, from six face-sized cells at level 0 down to cells about a centimetre across at level 30. By converting GPS coordinates into S2 cell identifiers, Tal could request the cells around any point, not just his own position, scan a far wider area than the in-game tracker and plot the Pokémon on a map. His scanner worked perfectly, letting him find rare Pokémon and brag to his friends. That victory, however, was short-lived.
A few weeks later, Niantic pushed an update that broke Tal's scanner. Investigating, he found that the app now did certificate pinning to stop traffic interception by HTTP proxies. Pinning means the app ships with the expected server certificate, or more commonly a hash of its public key, and compares the certificate it receives during the TLS handshake against that pin instead of trusting whatever the device's CA store trusts. A proxy such as Fiddler intercepts TLS by presenting a certificate it issued itself under a CA installed on the device; the system trusts that CA, but the certificate does not match the pin, so the app rejects the connection. To get around this, Tal and a community of hackers, including the PogDev group, turned to dynamic instrumentation with tools such as Frida and Xposed, which hook into the running app and change its behaviour. With Frida, for example, they hooked the app's certificate validation so that the pin check passed for the proxy's certificate, neutralising the pinning without changing the proxy or its certificate at all.
Once the traffic was visible again, Tal and his team noticed that Niantic had added a new mandatory field to every request, "unknown6". It appeared to carry a cryptographic signature attesting to the integrity of the request. To work out how it was generated they combined several reverse-engineering techniques. First, passive analysis: they generated a large number of valid requests and studied how unknown6 varied. Its length was always 32 bytes plus a multiple of 256, and the first 32 bytes depended only on the time. Then, with static analysis in IDA (for the native code) and Jadx (for the Java code), they located the function in the app's native library that produces the field. It encrypted the signature in CBC (Cipher Block Chaining) mode with a key derived from a random seed that was itself based on the time. By reimplementing that function in C they could produce a valid unknown6 for their own requests.
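The passive-analysis step, as an added example rather than the team's code: the real unknown6 blobs are not on the page, so toy_signature() is a constructed stand-in that reproduces the shape the text reports (a 32-byte time-derived prefix followed by a CBC ciphertext padded to a multiple of 256 bytes), using a toy Feistel cipher in place of the real one and a deterministic seed so the captures are reproducible. The two infer_* functions are the analysis; they see only (timestamp, blob) pairs, exactly what a researcher with captures has.

```python
"""Passive analysis of an opaque signature field, in the spirit of the
unknown6 work described above.

Added example, not the talk's code. toy_signature() is a constructed
stand-in for the real generator; the infer_* functions are the analysis.
"""
import hashlib
import math
from collections import defaultdict

BLOCK = 16        # block size of the toy cipher
PAD_TO = 256      # output granularity reported in the talk
PREFIX_LEN = 32   # time-derived prefix reported in the talk


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key, block):
    """4-round Feistel network with SHA-256 as the round function.
    Invertible like a real block cipher but NOT secure: a stand-in for
    AES so the example has no dependencies."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, _xor(left, f)
    return left + right


def cbc_encrypt(key, iv, data):
    """Textbook CBC: each plaintext block is XORed with the previous
    ciphertext block (the IV for the first) before encryption."""
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        prev = toy_block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


def toy_signature(timestamp_ms, payload):
    """Constructed generator. Assumption: the seed is a deterministic
    function of the timestamp (the talk describes a random seed based on
    the time) so that sample captures are reproducible."""
    seed = hashlib.sha256(b"seed" + timestamp_ms.to_bytes(8, "little")).digest()
    key = hashlib.sha256(b"key" + seed).digest()[:16]
    padded = payload + b"\x00" * (-len(payload) % PAD_TO)
    return seed + cbc_encrypt(key, seed[:BLOCK], padded)   # 32 + k*256 bytes


def infer_length_pattern(blobs):
    """From blob lengths alone recover (fixed_overhead, granularity): the
    gcd of all length differences is the granularity, and any length
    modulo it is the fixed overhead."""
    lengths = sorted({len(b) for b in blobs})
    if len(lengths) < 2:
        raise ValueError("need captures of at least two distinct lengths")
    granularity = 0
    for shorter, longer in zip(lengths, lengths[1:]):
        granularity = math.gcd(granularity, longer - shorter)
    return lengths[0] % granularity, granularity


def common_prefix_len(blobs):
    """Number of leading bytes identical across all blobs."""
    n = 0
    for column in zip(*blobs):
        if len(set(column)) != 1:
            return n
        n += 1
    return n


def infer_time_dependent_prefix(samples):
    """samples: [(timestamp, blob)]. Length of the leading region that is
    constant for equal timestamps (with different payloads) and differs
    between timestamps, i.e. the part that depends only on time; 0 if none."""
    by_ts = defaultdict(list)
    for ts, blob in samples:
        by_ts[ts].append(blob)
    groups = [g for g in by_ts.values() if len(g) > 1]
    if len(groups) < 2:
        raise ValueError("need several payloads per timestamp and several timestamps")
    within = min(common_prefix_len(g) for g in groups)
    heads = {g[0][:within] for g in groups}
    return within if within and len(heads) == len(groups) else 0


def build_samples():
    """Constructed 'captures': two different payloads per timestamp."""
    captures = [
        (1000, b"A" * 10), (1000, b"B" * 300),
        (2000, b"C" * 100), (2000, b"D" * 600),
        (3000, b"E" * 400), (3000, b"F" * 700),
    ]
    return [(ts, toy_signature(ts, body)) for ts, body in captures]


if __name__ == "__main__":
    samples = build_samples()
    print("overhead, granularity:", infer_length_pattern([b for _, b in samples]))
    print("bytes depending only on time:", infer_time_dependent_prefix(samples))
```

The length analysis needs captures of at least two distinct sizes, and the prefix analysis needs several requests issued at the same timestamp with different bodies; both are cheap to arrange with a client you control, which is why generating many valid requests was the first step.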
The encrypted content of unknown6 was itself a large protobuf message: device information, GPS location and even sensor readings such as the accelerometer, which Niantic appeared to use to tell official clients from unofficial requests, making the task harder still. Using active analysis, removing fields one at a time and checking whether the server still accepted the request, the team found that only a handful of fields were actually required. Some of those were hashes (xxHash) of data such as the player's authentication data and the request bodies. After three days of intense effort the team sent its first accepted request, closing a memorable hackathon.
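The active-analysis step, as an added example and not the team's code: since Niantic's server is not available, fake_server_accepts() is a constructed oracle that validates a few fields and ignores the rest, and minimize_fields() is the technique, treating the oracle as a black box. Field names are illustrative, not the real unknown6 schema, and SHA-256 truncated to 64 bits stands in for the protocol's hash (the talk names xxHash) to avoid a dependency.

```python
"""Active analysis: find which fields of a signature the server really
checks by removing them one at a time, as the team did with unknown6.

Added example, not the talk's code. fake_server_accepts() is a constructed
oracle; minimize_fields() is the technique and treats it as a black box.
"""
import hashlib


def field_hash(data):
    """Stand-in for the protocol's hash (assumption: not the real xxHash)."""
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def fake_server_accepts(sig, request_body):
    """Constructed oracle: accept when the fields it actually validates are
    present and consistent with the request; everything else is ignored."""
    try:
        lat, lng = sig["location"]
        return (
            isinstance(sig["timestamp_ms"], int)
            and sig["location_hash"] == field_hash(f"{lat:.6f},{lng:.6f}".encode())
            and sig["request_hash"] == field_hash(request_body)
        )
    except (KeyError, TypeError, ValueError):
        return False


def build_full_signature(request_body, lat, lng, timestamp_ms):
    """Everything a client might send before anyone knows which fields
    matter. Field names are illustrative, not the real unknown6 schema."""
    return {
        "timestamp_ms": timestamp_ms,
        "location": (lat, lng),
        "location_hash": field_hash(f"{lat:.6f},{lng:.6f}".encode()),
        "request_hash": field_hash(request_body),
        "device_info": {"model": "toy", "os": "toy 1.0"},
        "accelerometer": [0.01, -0.02, 9.81],
        "gyroscope": [0.0, 0.0, 0.0],
        "session_hash": field_hash(b"session"),
        "unknown25": 0,
    }


def minimize_fields(oracle, fields):
    """Greedy one-at-a-time removal against a black-box accept/reject
    oracle. Returns (minimal_fields, probes): every surviving field is one
    whose removal made the oracle reject. probes counts oracle calls, which
    matters when each probe is a real request to a rate-limited server
    that may ban the account."""
    probes = 1
    if not oracle(dict(fields)):
        raise ValueError("full signature is rejected; nothing to minimize")
    current = dict(fields)
    for name in list(fields):
        trial = {k: v for k, v in current.items() if k != name}
        probes += 1
        if oracle(trial):
            current = trial   # server did not miss it: leave it out
    return current, probes


if __name__ == "__main__":
    body = b"\x08\x6a"   # constructed request bytes
    full = build_full_signature(body, 48.8584, 2.2945, 1469000000000)
    minimal, probes = minimize_fields(lambda s: fake_server_accepts(s, body), full)
    print(sorted(minimal), "after", probes, "probes")
```

Greedy removal yields a locally minimal set: if two fields are alternatives (either one satisfies the server), the removal order decides which survives, so run it in more than one order when the result looks surprising. Hashed fields are the ones to watch: a field that survives minimization but whose value the server compares against a hash of something else (the request body, the location) has to be recomputed for every request, which is exactly the xxHash work the text describes.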
This adventure illustrates several key concepts in cybersecurity and reverse engineering. First, it shows how communication protocols between a mobile app and a server can be analyzed and reproduced, even when they use complex serialization techniques like protobuf. Second, it highlights the defenses commonly used by developers to protect their applications, such as certificate pinning and cryptographic signatures, as well as methods to bypass them. Finally, it underscores the importance of community in the field of hacking, where collaboration and knowledge sharing enable overcoming seemingly insurmountable technical challenges.
On a practical level, this research has important implications. For developers, it shows that client-side controls such as certificate pinning and request signing raise the cost of tampering but cannot stop it, because the code that enforces them runs on a device the attacker controls and can be hooked; server-side validation and abuse detection must not rely on them alone. For security researchers, it is a worked tour of dynamic and static reverse engineering and of techniques for analysing unknown protocols. Finally, for players and Pokémon Go enthusiasts, the story is a reminder that unofficial tools can offer advantages but also carry risks, including being banned by the game's developers.
In conclusion, Tal's presentation is an excellent example of how curiosity and perseverance can lead to fascinating discoveries in the field of cybersecurity. It also shows that, even in the face of sophisticated defenses, a motivated community can find creative solutions to bypass them. Whether for creating useful tools, understanding security mechanisms, or simply satisfying curiosity, reverse engineering remains a valuable and exciting skill.