The future of mobile security, or what Pokemon can teach us
Since the advent of Pokemon Go, I have been following with great curiosity everything related to this toy. Oddly enough, it gives an insane amount of interesting information - primarily regarding the development of mobile applications. It would seem that you are engaged in the development of banking applications - what is the connection here? But no, you will also find something to learn from Pokemon.
Today I would like to dwell only on one of the interesting observations - namely, on the security of a mobile application. Not that Niantic was an icon for all global developers, but let's assume that their level of development is quite high, and their mistakes and shortcomings will be true for most other mobile applications. I will try to present it in such a way that it would be interesting and understandable to all developers, and not just to those who played or read something about a toy.
The first versions of the application were very poorly protected from reverse engineering, and geeks-developers appeared at a tremendous speed, sorting out the mechanics of the game or adding additional features or hacks. When I wondered how many developers were involved in this fun, I opened the github and I got a little poplo:
Yes, your eyes are not deceived. 1644 repository. It is probably worth clarifying that there:
It should be noted that many applications owe their appearance to the fact that many moments are very poorly implemented or explained in the game - it is quite natural that the resourceful developers decided to whip up some crutches.
')
At some point, the application abruptly stopped showing the remoteness of Pokemon (three degrees of remoteness were previously shown). What do you think, what is the reason? Think a couple of minutes. Your worst guess would be true - the distance was calculated in the client application, which transmitted the coordinates of nearby Pokemon - which significantly increased the detection radius for frolicking bots. It is not entirely clear why Niantic decided to completely remove this feature instead of transferring the calculation to the server side ... Well, okay, we hardly ever know. Perhaps they decided not to add additional load on the already cracking server. This article does not include the question of how a subsidiary of Google so screwed up with scaling a game with so little data connectivity, but still ...
A little later, the time of detecting Pokemon after the appearance of the player in the location doubled - as I recall, from 5 to 10 seconds. It looks like some kind of panic protection measures, which, of course, could not bring clear results - bots just doubled the timeout.
Finally, the day came when bots and scanners stopped working at once. Honest players breathed a sigh of relief - to compete with bots, many of which scored 30+ levels inaccessible to the player, was very tiring, and just sad. But what ... Relief lasted only three days. Reddite enthusiasts during this time disassembled the native C ++ library included in the application, gathered the necessary data and encryption, and again rolled out the working version of the API, which was picked up by bots and scanners during the day.
For the sake of fairness, it is worth noting that the fifth and fourth acts went in parallel, but I wanted to logically separate them.
In this act, Google began to ban indiscriminately any applications on Google Play that had anything to do with pokemon. Banhammer worked without rest and parsing. As an example of unjustly affected applications,
It is difficult to call this act otherwise. After the popular apps were removed from google play, the developers together put them into open source on github. In general, the infrastructure of mobile applications on github is quite interesting - 2016 allows you to do an automatic update from a githab, send error messages anywhere, and on the whole live pretty well without Google Play. Moreover, the credibility of the application becomes not less, but more than if it were posted on Google Play ...
And what happened? Pretty expected, but no less sad thing. Niantic went to complain about the repository. As a result, most authors deleted their code (I must say, not completely, but simply wiped it with the last commit) with something like this:
Not that the authors were scared of the appeals of Niantic, but their policies simply upset the developers to the depths of their souls. Application code is left on the githab, forks are multiplying, and malicious use is still flourishing. Niantic could neither provide their own adequate tools for working with the game, nor protect the game from outside interference. And just go scribbling complaints. Well ... Not so that it was unexpected in light of the similar fate of the much less popular Ingress, but it is a pity that a company that claims to revolutionize the gaming industry does not learn from its mistakes, and does not even recognize them. Although it pleases that there are guys like Blizzard, who understand how useful it is to give players the opportunity to influence the overall game world and refine it.
UPDATE . In the comments they say that I am not quite right, or even completely wrong. But Blizzard still gives the opportunity to influence at least the user interface. The motive for the closure of alternative servers and clients is quite understandable - this is a direct loss of profits.
What can we learn from this sad story?
Details from reddit about parsing new API
Update . At first he slowed down and did not do a survey with options for what to talk about yet, so the corresponding items appeared in the comments. Now you can just vote.
Update 2. Added translation of hacking history.
Today I would like to dwell only on one of the interesting observations - namely, on the security of a mobile application. Not that Niantic was an icon for all global developers, but let's assume that their level of development is quite high, and their mistakes and shortcomings will be true for most other mobile applications. I will try to present it in such a way that it would be interesting and understandable to all developers, and not just to those who played or read something about a toy.
Act one. Bots for everyone, and no one leaves offended
The first versions of the application were very poorly protected from reverse engineering, and geeks-developers appeared at a tremendous speed, sorting out the mechanics of the game or adding additional features or hacks. When I wondered how many developers were involved in this fun, I opened the github and I got a little poplo:
Yes, your eyes are not deceived. 1644 repository. It is probably worth clarifying that there:
- Bots - where do without them;
- Net API implementations for all languages ​​and platforms;
- Data collections and mechanics drawn out of the application;
- Applications to search for Pokemon around;
- Applications to automate actions like the mass evolution of Pokemon;
- Applications to view the hidden properties of Pokemon (IV);
- Applications for the calculation of optimal fights;
- Just versions of the game with reduced system requirements.
It should be noted that many applications owe their appearance to the fact that many moments are very poorly implemented or explained in the game - it is quite natural that the resourceful developers decided to whip up some crutches.
')
Act of the second. Timid defense attempt
At some point, the application abruptly stopped showing the remoteness of Pokemon (three degrees of remoteness were previously shown). What do you think, what is the reason? Think a couple of minutes. Your worst guess would be true - the distance was calculated in the client application, which transmitted the coordinates of nearby Pokemon - which significantly increased the detection radius for frolicking bots. It is not entirely clear why Niantic decided to completely remove this feature instead of transferring the calculation to the server side ... Well, okay, we hardly ever know. Perhaps they decided not to add additional load on the already cracking server. This article does not include the question of how a subsidiary of Google so screwed up with scaling a game with so little data connectivity, but still ...
Act three. Funny defense attempt
A little later, the time of detecting Pokemon after the appearance of the player in the location doubled - as I recall, from 5 to 10 seconds. It looks like some kind of panic protection measures, which, of course, could not bring clear results - bots just doubled the timeout.
Act Four. Protection!
Finally, the day came when bots and scanners stopped working at once. Honest players breathed a sigh of relief - to compete with bots, many of which scored 30+ levels inaccessible to the player, was very tiring, and just sad. But what ... Relief lasted only three days. Reddite enthusiasts during this time disassembled the native C ++ library included in the application, gathered the necessary data and encryption, and again rolled out the working version of the API, which was picked up by bots and scanners during the day.
Act Five. Attack!
For the sake of fairness, it is worth noting that the fifth and fourth acts went in parallel, but I wanted to logically separate them.
In this act, Google began to ban indiscriminately any applications on Google Play that had anything to do with pokemon. Banhammer worked without rest and parsing. As an example of unjustly affected applications,
- Application for calculating the hidden characteristics of Pokemon. Banned for "violating the device and network abuse". What is a frank lie, because the principle of the application - the recognition of images from the game and analysis of indicators. The application does not even have the right to send data to the Internet ...
- A simple calculator for calculating the optimal Pokemon to combat the selected. Banned because “violates the impersonation policy”. What is generally a favorite phrase from Google, since it is impossible to understand and correct the error (believe me, I tried to do this with another application).
Act of the sixth and last. A shame.
It is difficult to call this act otherwise. After the popular apps were removed from google play, the developers together put them into open source on github. In general, the infrastructure of mobile applications on github is quite interesting - 2016 allows you to do an automatic update from a githab, send error messages anywhere, and on the whole live pretty well without Google Play. Moreover, the credibility of the application becomes not less, but more than if it were posted on Google Play ...
And what happened? Pretty expected, but no less sad thing. Niantic went to complain about the repository. As a result, most authors deleted their code (I must say, not completely, but simply wiped it with the last commit) with something like this:
I received a message from the Niantic Labs. I’m not interested in legal concerns. It’s not a problem. I lost interest in both. I couldn’t resume your development, but you could use it.
Not that the authors were scared of the appeals of Niantic, but their policies simply upset the developers to the depths of their souls. Application code is left on the githab, forks are multiplying, and malicious use is still flourishing. Niantic could neither provide their own adequate tools for working with the game, nor protect the game from outside interference. And just go scribbling complaints. Well ... Not so that it was unexpected in light of the similar fate of the much less popular Ingress, but it is a pity that a company that claims to revolutionize the gaming industry does not learn from its mistakes, and does not even recognize them. Although it pleases that there are guys like Blizzard, who understand how useful it is to give players the opportunity to influence the overall game world and refine it.
UPDATE . In the comments they say that I am not quite right, or even completely wrong. But Blizzard still gives the opportunity to influence at least the user interface. The motive for the closure of alternative servers and clients is quite understandable - this is a direct loss of profits.
Findings.
What can we learn from this sad story?
- Mobile application code cannot be protected. At best, you will find yourself simply unnecessary to anyone - then you have nothing to worry about. Otherwise, when laying out an application, it is better to assume that you posted its source code in open source - from this position it is much easier to assess the consequences and possible countermeasures against hacking.
- Mobile applications without Google Play may exist, and, apparently, there will be more and more of them in the future.
- You can get a lot of helpers if you post your application in open source. You are scared? Well, then continue to indulge yourself with the illusion of protection. And your potential helpers will be on the other side of the barricades.
Links
Details from reddit about parsing new API
Still?
Update . At first he slowed down and did not do a survey with options for what to talk about yet, so the corresponding items appeared in the comments. Now you can just vote.
Update 2. Added translation of hacking history.
Source: https://habr.com/ru/post/307974/
All Articles