Industry Insights with Will LaSala


How to Win Pokémon Go (By Cheating)

What RASP Can Do For Your App

The hottest game on the market today is the new release Pokémon Go, developed by Niantic. The game forces you to go outside and interact with the real world (in a safe manner, hopefully). As you walk around, Pokémon appear, and you toss Pokéballs at them in an attempt to catch them all. The more you walk, the more you can attempt to catch and the stronger your Pokémon become. The key mechanic in the game is using GPS to track your movement and combining that with mobile data points.


Only 3 days after the release, reports of hacks started to roll in. This is common for the gaming industry. In the world of PC games, the most popular games are usually hacked the same day they are released. In the mobile world, there is a false sense of security. The PC platform has been around for years, and developers and consumers are well aware of all the attacks out there. On the mobile platform, people are still not fully aware of what attackers can do, but they are learning quickly.

On a mobile platform, the most damaging attack is jailbreaking or rooting. This is the holy grail of attacking a mobile phone. Once attackers have this level of access, they control the device. This means that they can view any application's secret inner workings and have access to all your encrypted data. It also means they can modify how any application works and perform hacks that are even more nefarious.

With Pokémon Go, the attackers did just that: they jailbroke their phones and analyzed the Pokémon Go application. Since the key mechanism is using GPS to track your location, that was the first thing the attackers aimed for. They built a special library that injected itself into the Pokémon Go app and manipulated the GPS data that the app tracked. This allowed the hacker (now cheater) to appear to be in places they never were, and to walk to areas they had never been.

The developers at Niantic tried to remediate this problem. They patched their code and added checks for jailbreak detection. Unfortunately, the damage had already occurred, and the hackers were able to quickly apply their own patches that disabled the application's jailbreak detection.

When it comes to jailbreak and root detection, it is always better to start early and not share what you are doing. In the case of Pokémon Go, it was obvious that the application now included a jailbreak detection mechanism because the data the cheaters had been using stopped being accepted. In most applications, it is better to use a Runtime Application Self-Protection (RASP) solution that checks for jailbreaking and rooting every time the application launches or becomes the foreground application on the phone. When RASP detects a jailbroken or rooted device, it is best to simply exit the application gracefully and not let on to the hacker that something was found.

Even if jailbreak and root detection is compromised and the attacker is able to patch the application, RASP offers further technologies to help prevent the types of attacks that Pokémon Go experienced. The next attack used on the Pokémon Go application was a library injection attack, in which the hacker was able to manipulate the GPS library and inject his own. By leveraging a RASP solution, the application can detect these rogue libraries and prevent them from being loaded.
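One way a rogue-library check of this kind can work, shown as an added example that is not from the article or from any RASP product: scan the process's memory map (`/proc/self/maps` format on Android/Linux) and flag executable, file-backed mappings loaded from outside the directories the app expects. The allowlisted directories, the package name `com.example.game` and the sample map lines are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Assumption: the only directories this app expects native code to load from. */
static const char *const ALLOWED[] = {
    "/system/", "/apex/", "/vendor/", "/data/app/com.example.game-1/" };

/* Constructed sample in /proc/<pid>/maps format (not captured from a device). */
static const char SAMPLE_MAPS[] =
    "7f1000-7f2000 r-xp 00000000 fd:00 1201 /system/lib64/libc.so\n"
    "7f3000-7f4000 r--p 00000000 fd:00 1202 /system/lib64/libandroid.so\n"
    "7f5000-7f6000 r-xp 00000000 fd:01 3310 /data/app/com.example.game-1/lib/arm64/libgame.so\n"
    "7f7000-7f8000 r-xp 00000000 fd:01 4477 /data/local/tmp/libinjected.so\n"
    "7f9000-7fa000 rw-p 00000000 00:00 0\n"
    "7fb000-7fc000 r-xp 00000000 00:00 0 [vdso]\n";

static int path_allowed(const char *path) {
    if (strstr(path, "/../")) return 0;            /* no escaping an allowed prefix */
    for (size_t i = 0; i < sizeof ALLOWED / sizeof *ALLOWED; i++)
        if (strncmp(path, ALLOWED[i], strlen(ALLOWED[i])) == 0) return 1;
    return 0;
}

/* Count executable, file-backed mappings outside the allowlist. Each line is
   "range perms offset dev inode [path]"; the first offending path is copied
   into first_hit. */
int count_unexpected_libs(const char *maps, char *first_hit, size_t hit_len) {
    int hits = 0;
    if (first_hit && hit_len) first_hit[0] = '\0';
    for (const char *line = maps; *line; ) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512], perms[5] = "", path[384] = "";
        if (len >= sizeof buf) { hits++; } else {  /* over-long line: fail closed */
            memcpy(buf, line, len); buf[len] = '\0';
            int n = sscanf(buf, "%*s %4s %*s %*s %*s %383[^\n]", perms, path);
            if (n == 2 && perms[2] == 'x' && path[0] == '/' && !path_allowed(path)) {
                if (first_hit && hit_len && !first_hit[0]) snprintf(first_hit, hit_len, "%s", path);
                hits++;
            }
        }
        line = nl ? nl + 1 : line + len;
    }
    return hits;
}

int main(void) {
    char hit[384];
    printf("unexpected executable mappings: %d\n", count_unexpected_libs(SAMPLE_MAPS, hit, sizeof hit));
    return 0;
}
```

The `printf` is for demonstration only; in line with the advice above, a shipped app would act on a non-zero count by exiting quietly rather than reporting what it found.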

No solution is ever failsafe and no platform is ever free from attack. Every day new attacks are being rolled out, and every day a new solution is being developed. Technology like RASP will help the new mobile application ecosystem protect itself and make things easier in the life of an application developer.

Will LaSala is a Director of Services at VASCO, and a security industry veteran with a passion for gaming and ethical hacking.

For more information on Mobile Application Security solutions including RASP, visit https://www.vasco.com/products/application-security/digipass-for-apps.html.



About the Author

Will LaSala

Director Security Solutions, OneSpan

Will LaSala is the Director of Security Solutions at OneSpan. He joined VASCO in 2001 and brings over 25 years of software and cybersecurity experience. Since joining OneSpan, LaSala has been involved in all aspects of product implementation and market direction within financial institutions as well as top Fortune 500 organizations for enterprise security, healthcare, U.S. government, online gaming and mobile application development. He currently empowers the markets and OneSpan's largest clients with direct communication of new products and features and security changes. Prior to joining OneSpan, LaSala worked as a Sr. Systems Engineer and Developer for a consulting firm in New England. Before that, he spent eight years as CTO at a prominent Internet Service Provider in New England. A security evangelist on mobile application development and authentication, LaSala is frequently quoted in the media and a frequent speaker at industry events.



