Decrypted authentication hash again opens up unauthorized apps.

When we first wrote about the world of automated Pokémon Go-playing "bot" programs a few weeks ago, we predicted a brewing technological war. Developer Niantic was inevitably going to deploy cheat-detection technology, and hackers would subsequently work to break through that detection. Last week, we saw the first battle in that war, and so far it seems like the hackers are winning handily.

After largely ignoring the growing issues of bots (and related mapping hacks) for weeks, Pokémon Go developer Niantic rolled out a mandatory game update last Wednesday focused on cutting off server access for such unofficial apps. In a blog post last Thursday, Niantic cited "aggressive efforts by third parties to access our servers outside of the Pokémon Go game client and our terms of service." The developer argued these hacks were overloading its servers and its employees, slowing efforts to improve the game and bring it to new markets.

"Developers have to spend time controlling this problem vs. building new features," Niantic wrote. "It’s worth noting that some of the tools used to access servers to scrape data have also served as platforms for bots and cheating which negatively impact all Trainers. There is a range of motives here from blatant commercial ventures to enthusiastic fans but the negative impact on game resources is the same."

"We don’t expect these attempts to stop," Niantic continued. "But we do want you to understand why we have taken the steps we have and why we will continue to take steps to maintain the stability and integrity of the game."

Getting to know "Unknown6"

In examining the updated game, hackers quickly focused their efforts on a bit of hidden data called Unknown6 (or U6) in the code. After the update, API requests that didn't send valid U6 data returned a useless empty response (previously, the field could be left blank with no issue, suggesting this anti-cheat protection was present but not activated in the game as it launched).

The U6 data itself seems to be a hash computed over data collected from the current state of the actual game client, which changes with each tick of the game's internal "heartbeat" timer. Theoretically, only a valid game client would have that information and know how to use it to generate that U6 hash, leaving bots and other hacks in the cold.
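The mechanism described above, a per-request tag that the server verifies before answering, reduces to a keyed integrity check over the request, the client state and the heartbeat tick. The following is an added example for illustration only; it is not Niantic's code and not the recovered U6 algorithm. It uses an HMAC-SHA256 tag, and the server side answers with an empty response when the tag is missing, the tick is stale, or the tag does not match. The secret, the field names, the client-state fields and the tick window are placeholders chosen for the example.

```python
import hashlib
import hmac
import json

# Placeholder secret. In a scheme like the one described in the article the
# key and the tagging algorithm must ship inside the client binary, which is
# exactly what makes them recoverable by reverse engineering.
CLIENT_SECRET = b"placeholder-client-secret"

# The server tolerates this many heartbeat ticks of skew (constructed value).
TICK_WINDOW = 5


def canonical(payload: dict, client_state: dict, tick: int) -> bytes:
    """Deterministic serialization of everything the tag covers.

    Sorting keys and fixing separators ensures client and server hash the
    same bytes for the same logical request.
    """
    doc = {"payload": payload, "state": client_state, "tick": tick}
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def make_tag(payload: dict, client_state: dict, tick: int,
             secret: bytes = CLIENT_SECRET) -> str:
    """Client side: compute the integrity tag (hypothetical 'u6' field)."""
    return hmac.new(secret, canonical(payload, client_state, tick),
                    hashlib.sha256).hexdigest()


def build_request(payload: dict, client_state: dict, tick: int) -> dict:
    """Assemble a tagged request the way a genuine client would."""
    return {
        "payload": payload,
        "state": client_state,
        "tick": tick,
        "u6": make_tag(payload, client_state, tick),
    }


def handle_request(request: dict, server_tick: int,
                   secret: bytes = CLIENT_SECRET) -> dict:
    """Server side: return game data only when the tag verifies.

    Any failure yields an empty dict, mirroring the 'useless empty response'
    the article describes for requests without valid U6 data.
    """
    tag = request.get("u6")
    if not tag:
        return {}  # tag missing: request ignored
    tick = request.get("tick")
    if not isinstance(tick, int) or abs(server_tick - tick) > TICK_WINDOW:
        return {}  # tick outside the freshness window: reject replays
    expected = make_tag(request.get("payload", {}),
                        request.get("state", {}), tick, secret)
    if not hmac.compare_digest(expected, tag):
        return {}  # payload or state altered after tagging, or wrong key
    # Constructed response data standing in for real map/game data.
    return {"ok": True, "map_cells": ["cell-a", "cell-b"]}


if __name__ == "__main__":
    # Constructed sample: a map request with some device state attached.
    state = {"device": "constructed-device-id", "accel": [0.0, 0.0, 9.8]}
    req = build_request({"op": "GET_MAP_OBJECTS", "lat": 37.77}, state, 100)
    print("valid   :", handle_request(req, server_tick=102))
    untagged = {k: v for k, v in req.items() if k != "u6"}
    print("untagged:", handle_request(untagged, server_tick=102))
```

The check establishes only that whoever built the request possessed the client's tagging algorithm and key, not that the request came from an unmodified client. Once the algorithm is recovered, as the article goes on to describe, the server has to fall back on other signals in the covered fields to tell a bot from a player.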

What followed was a multi-day, multi-person effort to decrypt the U6 generation algorithm, organized through the PokemonGoDev subreddit (and live chat) as well as an associated Discord chat, wiki, and GitHub repository. Together, the community traced through hundreds of thousands of lines of compiler-optimized assembly code, looking for the bits responsible for creating that crucial U6 hash.

"The process for finding that function was something like 'Ooh, this looks interesting, lemme set a breakpoint in the debugger,' while watching for network traffic," wchill, one of the pseudonymous coders who worked as part of 'Team Unknown6' on the problem, told Ars. "Then we could change some of the stuff passed into the function and see how the network traffic changed." While the function code itself was found in about a day, it took three more for the team to trace back through the app's execution to figure out precisely what data was being fed into it, a painstaking and intricate process.

After four days of tinkering, by Sunday the hackers had apparently managed to untangle and replicate the U6 encryption function (here's an incomplete technical breakdown captured from the Wiki if you want to dive deep into the code). This led to the creation of a new unofficial API, which can generate valid U6 hashes and receive game data from Niantic's servers. That newly working API has been quickly reintegrated into the various bots, hacks, and other third-party applications that had been disabled since Wednesday.

The cat and mouse game

While the API is currently working, it seems hackers haven't fully unlocked U6's inner workings. "They still don't fully understand it [even though it's] making valid requests," said MyGoBot developer Explicit (who goes by his handle rather than his real name online) in an interview with Ars. "There are many fields which they think are used to identify things like the user's device, current accelerometer data, etc., which Niantic could then use to detect bots (or other unauthorized applications)."

Even though unauthorized apps are working again, that kind of detection remains a major worry. Though Niantic hasn't issued permanent (or even long-term) player bans yet, many assume such efforts are coming. Some players have noticed a Niantic job posting for a Machine Learning Engineer and presumed that the position will focus on detection algorithms to sniff out and ban suspicious bot behavior. "You risk becoming too predictable depending on what kind of values are sent [to the server]," Explicit said. "Pokémon Go is big enough that I'm sure they have enough data to cross-reference account actions and find similarities."

There are other ways that Niantic could try to detect unauthorized hacks in the future. "We discovered that there was some information on GPS satellites being passed to Niantic on Android, like which satellites were in view, their angle, and elevation to the phone, etc.," wchill said. "So if you take that to its logical conclusion, Niantic could ban GPS spoofers with that." While such data would be hard to fake, it might actually be easier to pretend to be an iPhone, which does not provide direct access to this nitty-gritty GPS satellite data. ("The one time I've ever thought of Apple's restrictive policies to be a good thing," wchill said.)

Regardless, the team behind MyGoBot seems relatively confident in its ability to thwart any anti-cheat methods Niantic may lay down in the future. "We have been in the botting industry for a while now, and we have thwarted anti-cheat for years," said Jake. After working on bots for Runescape and Clash of Clans over the past two years, Jake believes that, so far, "Niantic's anti-cheat is very sad compared to some others. Everything they have been adding in has been easy to thwart (with the help of the community)."

(Update: To be clear, the MyGoBot developers are only speaking for themselves here. For their part, Team Unknown6 says it does not directly condone botting, and intends for its decryption efforts to primarily aid other types of third-party applications.)

"It probably took [Niantic] hours, if not days, to write the encryption for Unknown6," Jake continued. "It took us three days to crack. This is just a never-ending game." (Niantic has not responded to a request for comment from Ars about its cheat-detection and prevention technologies.)

"Assuming your product is undetectable would be a surefire way to run into issues down the line," Explicit added. That said, despite the recent down time, Explicit seemed to stand behind MyGoBot's front-page assurance that "it’s safe to say MyGoBot will continue being stable with consistent functionality for the foreseeable future."

"Basically, in this game of cat and mouse, it just goes back and forth without any clear winner," he said. "Game developer steps up to combat an issue. [Hack] developers work around it. Rinse and repeat."

Editor's Note: Thanks to Cheesy Noob, Keyphact, globeriz, HatchingEgg, MMM, Tal, Unni, Waryas, wchill, xssc, and the rest of Team Unknown6 for assistance on the technical bits in this article. Thanks also to reader Joseph Chapman for frequent tips on the state of the Pokémon Go hacking scene.