Niantic deployment of Google's reCaptcha is not stopping 3rd party developers from scraping Pokemon Go servers. Update: Niantic deployed new encryption blocking all Pokemon scanners and bots.
Pokemon Go is putting the spotlight on how weak widely used security technology really is. Niantic has enlisted Google security technology to block 3rd party developers from accessing Pokemon Go servers and extract the valuable location of spawning Pokemon. In addition to that, Niantic also relies on Google's SafetyNet to block the Pokemon Go app from running on rooted devices.
Update: Niantic has released a new encryption of the protocol blocking all scrapers. It is not just Captcha now the 3rd party developers such as the creator of FastPokeMap have to deal with now. It is another reverse engineering job. They need to find out how the new encryption works before any Pokemon Go scanner or bot is going to work again. This can take days.
Both security technologies can be circumvented. Running apps on rooted devices that require SafetyNet verification as been possible before Pokemon Go. Before solutions that hide rooted have been known by relatively small group, now millions more use these techniques so they can run Pokemon on their rooted smartphone.
This attention and wide spread forces Google to improve their security technology. This happened earlier this week with SafetyNet. Solutions like Magisk stopped working. This changed has not just affected Pokemon Go trainers, but anyone who was running Magisk for instance to use Android Pay on rooted phone.
There are already methods to circumvent the new improved SafetyNet and Magisk is getting an update that will deal with the changes. This means there will be another round of SafetyNet changes coming soon. Google can't give up the fight. Business partners including banks will come down on them. They already will have increased the pressure on Google.
The situation with reCaptcha is no different. Yesterday we reported that FastPokeMap, the largest Pokemon scanner, is going to fold, but things already changed. The creator of FastPokeMap found a viable solution to deal with the Captcha. First he increased the number of worker accounts significantly from the 500,000 the service used. This reduces the number of captchas FPM triggers. Yesterday they still had 10,000 captchas per second. Secondly, they made a deal with a Captcha solving service to solve the captchas they hit. The end solution is to redirect the captchas to the 15 million daily users of FastPokeMap. This is not trivial and will take some hacking.
Captcha solver and captcha solving services have been around since a long time, but now they get a lot of attention becaues of Pokemon Go. Not just large scale scanners have to deal with captchas. Anybody who is running a personal scanner or bot needs to deal with them and they do with similar methods as FPM. The fact that you can circumvent Google's reCaptcha with a "earn money online" service scheme makes Google look bad.
Pokemon Go is going to make the web more secure by forcing Google to make its security solutions better. Banking and online payment services should lead that charge and not a game. More Pokemon Go News.