Software development is an arms race, fought between developers and the various hackers, crackers, exploiters, and cheaters who see any brick wall as an invitation to grab a sledgehammer. It’s not a matter of why someone would want to cheat at Pokemon Go; it exists, so someone is going to.
Last Wednesday, Niantic rolled out changes to its app with the intention to block third-party services like Pokevision from accessing its API, citing stress on the game’s servers. The company noted that while some of these third-party services were benign, many opened the door for bots and other cheats, and ultimately, “the negative impact on game resources is the same.”
To block these hacks and cheats, Niantic’s update required the game to start providing a specific string of global positioning data when requesting information from its servers. Ars Technica notes that this check actually existed in Pokemon Go‘s code already, but hadn’t previously been switched on. An intrepid group of hackers — organized through the subreddit PokemonGoDev and related communities — was able to identify what this check was doing relatively quickly, but it took several days to comb through the game’s code to find the right string of data to feed back to the API. Once they did, it was easy for the hackers to falsify this information, and from there update the many third-party apps, sites, cheat tools, and bots Niantic’s update had previously disabled.
“Niantic’s anti-cheat is very sad compared to some others. Everything they have been adding in, has been easy to thwart,” says Jake, community manager for Pokemon Go botting service MyGoBot, in an interview with Ars Technica. It should be noted that “It took us three days to crack [Niantic’s encryption]. This is just a neverending game.”
For its part, Niantic seems to have fully anticipated its anti-cheat update would fail, and would appear undeterred. “We don’t expect these attempts to stop,” the developer wrote in its update last week, following the update. “We will continue to take steps to maintain the stability and integrity of the game.”
As of this writing, the most popular of Pokemon Go‘s third-party services, Pokevision, remains offline. Meanwhile, Twitch has called upon viewers to start reporting Pokemon Go streamers who appear to be using cheats, including software which spoofs the player’s GPS data.
UPDATE 8/9/2016: It should be clarified that the MyGoBot representative quoted here speaks only for that service and not for the greater team responsible for the API crack, Team Unknown6, which says it does “not directly condone botting, and intend for their decryption efforts to primarily aid in other types of third-party applications.” (via Ars Technica.)
