Pokemon Go API Security Updates: When Will Pokemon Scanners Work Again?

Posted: Oct 12 2016, 8:09am CDT | by , Updated: Oct 14 2016, 4:53am CDT, in News | Technology News


Pokemon Go API Security Update: When do Pokemon Scanner Work Again?
Credit: FastPokeMap

Niantic released a new security update blocking all real-time Pokemon maps, tracker, finder and bots. Read the latest daily updates at the end of the story.

New Progress Updates: Scroll down to the end of the article to read the latest day-by-day updates on the progress of breaking the new Pokemon Go Security.

The administrators at the Niantic data center have the most quite weekend since a long time. Traffic has probably hit an all time low as no Pokemon scanner or bot is able to access the Pokemon Go servers. To give you an idea of the scale of 3rd party scrapers, the creator of FastPokeMap revealed that his service runs on 500,000 accounts. He has now even increased that number because of captcha.

Niantic has broken all 3rd party apps with the release of a new security update that has been rolled out already with Pokemon Go app versions 0.37.0 (1.7.0 iOS) weeks ago.

All real-time Pokemon maps and bots are based on the hacked Pokemon Go API based on the release 0.35.0. The new encryption rolled out on Friday October 7.

There is an effort underway from developers to break the new security by reengineering the new code. This has been done before in early August. Niantic released its first encryption ("Unknown6") of the Pokemon Go communication. It took the 3rd party hackers about 5 days to gain access again to the Pokemon Go servers. The proliferation of Pokemon Go scanners and bots continued with full steam. 

This time around it might take much longer as the hype around Pokemon Go has slowed and many developers lost interest. The creator of FastPokeMap tweeted on Sunday that there is a lack of interest in reverse engineering the new encryption.

"The lack of interest from the reversing community is troubling. Oh well. Basically there's no one trying to reverse the 0.39 api, everyone gave up. Niantic's constant lock down just tired everyone, " he said. The developer, known as whitelist_ip on reddit, has now put out a job offer to engineers with reverse engineering experience: "Hiring people with reverse engineering experience, big bounty reward. All of it legalized, experience with GDB & ARM are a minimum."

This means that he will likely not share the Pokemon Go API for 0.39.0 solution with any other 3rd party app as he is footing the paying the bill. He appears to be still very confident that the new encryption can be broken. He was part of the team that broke the reverse engineered the encryption the first time around. He has the experience to assess the new situation.

Last week Niantic rolled out Captcha as a first measure to stifle bots and scanners. It became quickly clear that Captchas are a manageable burden for 3rd party developers of Pokemon Go apps. Google's reCaptcha can be solved with either a Captcha solving service or by redirecting the Captcha to users of the service.

The encryption of the current Pokemon Go app 0.39.0 (1.9.0 iOS) is what really stopped the real-time Pokemon Go apps. The new security is again creating some sort of unique signature that tells the Pokemon Go servers that a request comes from a legit Pokemon Go app.

Related to all this is the blocking of the Pokemon Go app on rooted or jailbroken devices. Niantic leverages Google's SafetyNet to check if Pokemon Go is installed on a rooted Android device. There are now already procedures and tool combinations available that make it possible to run the latest Pokemon Go app on rooted Android devices. One of the solutions to run Pokemon Go despite the new SafetyNet involves SuperSU, Magisk, Xposed and suhide. The blocking was again short-lived, but annoying for fans of rooted phones. 

There are also still Pokemon Go hacks that work including GPS spoofing as these do not require a rooted Android. So you can still go anywhere, but you do not know where to go as no Pokemon map service is working.

The only option available are crowd-sourced Pokemon Go tracker and maps like Poke Radar and Go Radar. We have listed all working Pokemon Go Tracker that can help you find Pokemon.

Niantic has broken Pokemon tracker before their in-app tracker is finished. This is situation upsets many in the Pokemon Go community that have used Pokemon maps in the past. They feel that they are playing now blind. Purist Pokemon Go trainers like Nick from Trainer Tips are against the use of any maps or tracker. It's not part of the game, so don't use it.

At this stage Pokemon Go is incomplete as tracking was part of the original release and Niantic is testing nearby tracking functionality in San Francisco since a while now. It is time that they roll the in-app tracker out to all now.

Pokemon Go API Status Updates

Update: 10/14: The creator of FastPokeMap lashed on Niantic in a lengthy post slamming them for hurting trainers with the security measures they put in place. The encryption in the Pokemon Go app increased the CPU load and causes the battery to drain faster. The time frame when FastPokeMap is back online is ranging from today until Sunday now.

Update: 10/13: The FastPokeMap Pokemon map will work again latest Saturday. The team around the creator of FastPokeMap as cracked the new encryption that blocks all 3rd party apps from accessing the Pokemon Go servers. The new encryption is supposed to be based on pseudorandom number generator (PRNG). whitelist_ip posted on Twitter: "So apparently the used algo is actually the prng algo used in old Pokémon games."

Update: 10/12: FastPokeMap developer shares the current status of the reverse engineering efforts on reddit. The FPM team has narrowed down the problem to a heavily obfuscated code section. Niantic implemented several obfuscation methods including code flow obfuscation, argument obfuscation in stack and anti tempering for each function. This has the effect that no software break points can be set. Niantic madet the reverse engineering of the encryption very tidious. At this point it is not clear how long it will take to figure out how the Pokemon Go app is generating the encryption signature.

Update 10/11: The timeframe of when the new security of Pokemon Go gets broken has been moved up the developer behind FastPokeMap. According to him some efforts are underway that have picked up where he left it on Sunday. "The api might be reversed  sooner than expected," he said in a tweet. Now the Pokemon Go 3rd party scanners could be back in 1 to 2 weeks. Initially he estimated at least 2 weeks. 

FastPokeMap called out a $10,000 bounty for breaking the new security and develop a portable code as a result. The efforts are picking up to make 3rd party Pokemon Go apps work again until the next Niantic security update. Niantic has today released new Pokemon Go app updates, but again did not release an in-app tracker.

Update 10/10: The creator of FastPokeMap will not share the solution if he is the only one working on it. This will not be an open source initiative. He says that he got a lot done on Sunday. If he manages to hack the new encryption, FastPokeMap will be the only working real-time Pokemon scanner. There are now a few developers in the FastPokeMap effort to reverse engineer the new security update.

Update 10/9: The creator of FastPokeMap estimates that it will take two weeks to hack the new security. No other developer has so far revealed reverse engineering efforts or results.

Update 10/7: Access to Pokemon Go Servers blocked.

We will update this report with the latest developments around the Pokemon Go API for the October security update as new information becomes available. If you have updates, please feel free to email us.

Read more Pokemon Go News and find out where to buy the Pokemon Go Plus.

You May Like


The Author

<a href="/latest_stories/all/all/2" rel="author">Luigi Lugmayr</a>
Luigi Lugmayr () is the founding chief Editor of I4U News and brings over 15 years experience in the technology field to the ever evolving and exciting world of gadgets. He started I4U News back in 2000 and evolved it into vibrant technology magazine.
Luigi can be contacted directly at ml@i4u.com.




Leave a Comment

Share this Story

Follow Us
Follow I4U News on Twitter
Follow I4U News on Facebook

You Also Like


Read the Latest from I4U News