How to Win Pokémon Go (By Cheating)
What RASP Can Do For Your App
The hottest game in the market today is the new release Pokémon Go, developed by Niantic. The game forces you to go outside and interact with the real world (in a safe manner, hopefully). As you walk around, Pokémon appear and allow you to toss Pokéballs at them in an attempt to catch them all. The more you walk the more you can attempt to catch and the stronger your Pokémon become. The key mechanic in the game is to be able to use GPS to track your movement and combine that with mobile data points.
Only 3 days after the release, reports of hacks started to roll in. This is common for the gaming industry. In the world of PC games, the most popular games are usually hacked the same day they are released. In the mobile world, there is a false sense of security. The PC platform has been around for years, and developers and consumers are well aware of all the attacks out there. On the mobile platform, people are still not fully aware of what attackers can do, but they are learning quickly.
On a mobile platform, the most damaging attack is Jailbreaking or Rooting. This is the holy grail of attacking a mobile phone. Once the attacker has this level of access, they control your device. This means that they can view any application's secret inner workings and have access to all your encrypted data. This also means they can modify how any application works and perform hacks that are even more nefarious.
With Pokémon Go, the attackers did just that: they Jailbroke their phones and analyzed the Pokémon Go application. If the key mechanism is to use GPS to track your location, then this is the first thing the attackers were aiming for. The attackers built a special library that injected itself into the Pokémon Go app and manipulated the GPS data that the app tracked. This allowed the hacker (now cheater) to appear to be in places that they never were, and walk to areas they had never been.
The developers at Niantic tried to remediate this problem. They patched their code and added checks for jailbreak detection. Unfortunately, the damage had already occurred, and the hackers were able to quickly apply their own patches that disabled the application's jailbreak detection.
When it comes to Jailbreaking and Root detection, it is always better to start early and not share what you are doing. In the case of Pokémon Go, it was obvious that the application now included a jailbreak detection mechanism because the data that was being used stopped being allowed. In most applications, it is better to use a Runtime Application Self-Protection (RASP) solution that checks for Jailbreaking and Rooting every time the application launches or becomes the foreground application on the phone. When RASP finds either condition, it is best to simply exit the application gracefully and not let on to the hacker that something was found.
Even if jailbreak and root detection is compromised, and the attacker is able to patch the application, RASP can offer further technologies to help prevent the types of attacks that Pokémon Go experienced. The next attack used on the Pokémon Go application is a Library Injection attack. This is where the hacker was able to manipulate the GPS library and inject their own. By leveraging a RASP solution, the application will be able to detect these rogue libraries and will be able to prevent the application from loading them.
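To make the rogue-library check concrete, here is an added example (not code from this article or from any RASP product) that scans a process memory map in the Linux `/proc/<pid>/maps` format, as found on Android, and flags executable mappings loaded from outside an allowlist. The sample map, the package name `com.example.game` and the allowlisted directories are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample in /proc/<pid>/maps format (not captured from a real app). */
static const char *SAMPLE_MAPS =
    "7f1000-7f2000 r-xp 00000000 fd:01 1001 /system/lib64/libc.so\n"
    "7f3000-7f4000 r-xp 00000000 fd:01 1002 /data/app/com.example.game/lib/arm64/libgame.so\n"
    "7f4000-7f5000 rw-p 00001000 fd:01 1002 /data/app/com.example.game/lib/arm64/libgame.so\n"
    "7f6000-7f7000 r-xp 00000000 fd:02 2001 /data/local/tmp/libfakegps.so\n"
    "7f8000-7f9000 rw-p 00000000 00:00 0 [heap]\n";
/* Assumed allowlist: directories this hypothetical app expects code to load from. */
static const char *ALLOWED_PREFIXES[] = {
    "/system/lib64/", "/data/app/com.example.game/lib/", NULL
};

static int is_allowed(const char *path) {
    for (int i = 0; ALLOWED_PREFIXES[i]; i++)
        if (strncmp(path, ALLOWED_PREFIXES[i], strlen(ALLOWED_PREFIXES[i])) == 0)
            return 1;
    return 0;
}

/* Count executable, file-backed mappings whose path is outside the allowlist.
   The path of the first such mapping is copied to `first` when it is non-NULL. */
int count_unexpected_libs(const char *maps, char *first, size_t first_len) {
    int count = 0;
    const char *line = maps;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[512], perms[8], path[400] = "";
        if (len < sizeof buf) {              /* over-long lines are skipped */
            memcpy(buf, line, len); buf[len] = '\0';
            /* fields: address perms offset dev inode pathname */
            int n = sscanf(buf, "%*s %7s %*s %*s %*s %399s", perms, path);
            if (n == 2 && perms[2] == 'x' && path[0] == '/' && !is_allowed(path)) {
                if (count == 0 && first) snprintf(first, first_len, "%s", path);
                count++;
            }
        }
        line += len + (eol ? 1 : 0);
    }
    return count;
}

int main(void) {
    char first[400] = "";
    int n = count_unexpected_libs(SAMPLE_MAPS, first, sizeof first);
    printf("%d unexpected executable mapping(s); first: %s\n", n, first);
    return 0;
}
```

In an app, the input would be the contents of `/proc/self/maps` read at launch and whenever the app returns to the foreground. Like the jailbreak check, this logic lives in the app and can itself be patched out by an attacker who controls the device.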
No solution is ever failsafe and no platform is ever free from attack. Every day new attacks are being rolled out, and every day a new solution is being developed. Technology like RASP will help the new mobile application ecosystem protect itself and make things easier in the life of an application developer.
Will LaSala is a Director of Services at VASCO, and a security industry veteran with a passion for gaming and ethical hacking.
For more information on Mobile Application Security solutions including RASP, visit https://www.vasco.com/products/application-security/digipass-for-apps.html.