Pokemon GO and the importance of certificate pinning

Time and again, I have come across mobile apps that are easily susceptible to reverse engineering. Pokemon GO fell victim to exactly this, and that paved the way for its current bot problem. These bots spoof GPS coordinates and play the game for the user by talking directly to Pokemon GO's private API. It gives the bot users a leg up and effectively ruins the social game for everyone else.

What is certificate pinning?

Certificate pinning ensures nobody is silently swapping a legit certificate with a forged one.

Typically, server-side certificates are validated by checking the signature chain: MyCert is signed by IntermediateCert, which is signed by RootCert, and RootCert is listed in the phone's "certificates to trust" store. So the cert is considered legit.

Certificate pinning is where you set that whole chain-of-trust check aside and say: trust only "this" certificate, or perhaps trust only "certificates signed by this certificate".

The Pokemon GO app trusts its API's certificate if it's signed by Verisign, Digicert or any other certificate authority the device trusts. However, it does not check that the certificate is in fact a legitimate Pokemon GO server certificate rather than just any certificate the device happens to trust. This makes Pokemon GO susceptible to a man-in-the-middle attack where a reverse engineer can hijack Pokemon GO's API requests and snoop into their payload - thereby exposing Pokemon GO's private API.

Had Pokemon GO implemented certificate pinning, the app would have rejected the fake cert and not exposed its private API - making it harder for reverse engineers to crack the app.

How can we pin a cert?

Based on concepts from Android's developer guide, we can teach HttpsURLConnection to trust a specific set of certificate authorities - ones whose private keys an attacker does not control - instead of the device's whole trust store.
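The approach sketched above, written out as an added example (this is not code from the original post, nor Pokemon GO's own code): read the one CA certificate the app ships with, put it in an otherwise empty KeyStore, and build an SSLContext whose TrustManager knows about nothing else. The class and method names are mine, and `R.raw.api_ca` and the API hostname are placeholders for the app's own resource and server.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper class; the names here are not from the original post.
public final class PinnedHttpsClient {

    /**
     * Builds an SSLContext that trusts exactly one CA: the certificate read from caPem
     * (for example a PEM file shipped in res/raw). Certificates issued by any other CA,
     * including ones a user or attacker has installed on the device, fail validation.
     */
    public static SSLContext buildPinnedContext(InputStream caPem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate pinnedCa;
        try (InputStream in = caPem) {
            pinnedCa = cf.generateCertificate(in);
        }

        // Start from an EMPTY key store rather than the system one, so the phone's
        // "certificates to trust" list plays no part in the decision.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("pinned-api-ca", pinnedCa);

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Opens an HTTPS connection whose handshake only succeeds against the pinned CA. */
    public static HttpsURLConnection open(String url, SSLContext pinned) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(pinned.getSocketFactory());
        return conn;
    }

    // Usage from an Android Activity or Service (R.raw.api_ca and the hostname are placeholders):
    //
    //   SSLContext pinned = PinnedHttpsClient.buildPinnedContext(
    //           getResources().openRawResource(R.raw.api_ca));
    //   HttpsURLConnection conn =
    //           PinnedHttpsClient.open("https://api.example.invalid/v1/ping", pinned);
    //   try (InputStream body = conn.getInputStream()) {
    //       // read the response
    //   } catch (javax.net.ssl.SSLHandshakeException e) {
    //       // A proxy presenting a cert from any other CA ends up here.
    //       // Fail closed: never fall back to an unpinned connection.
    //   }
}
```

Two practical points. The pinned CA should be one you run yourself or a dedicated issuing CA, not a public root, because anyone can buy a certificate from a public CA; and because the pin lives in the app, rotating or renewing that CA means shipping an app update, so plan the rotation before the certificate expires. On Android 7.0 and later the same pin can also be declared in the app's Network Security Config XML without any code; the code route above works on older releases as well.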

The aftermath

Pokemon GO has now implemented certificate pinning, but the damage had already been done. Pokemon GO is in a constant battle against bot users - banning players who exhibit unusual activity, taking down open source bots on GitHub, and implementing server-side throttling logic on its API. The rise of bots has contributed to the decline of Pokemon GO's appeal and has cost the company millions.

This simple security tip will help future app developers secure their private APIs. In addition to certificate pinning, I cannot overstate the importance of obfuscating all Android apps to prevent easy decompilation.