Pokemon Go: Reverse Engineering of the Android App (opens in new tab)

(applidium.com)

13 pointsacq9y ago4 comments

4 comments

4 comments · 2 top-level

pingec9y ago· 2 in thread

While unobfuscated code is really nice to have from a hacker's perspective, isn't this a rookie mistake on niantic's part?

Or perhaps was this a conscious decision, not do to it for some reason?

acqOP9y ago

Imho, it was more of a "why bother?".

Most of the code is inside Unity, which is harder to access, but they ended up putting more code in the Android part (for the Pokémon Go Plus for example), and probably forgot about it.

They can still obfuscate later releases, but the lack of certificate pinning is going to be harder to fix.

hh22229y ago

Sincere question, is Unity part of the reason the app is unusable (slow and crashes constantly) on my iPhone 4s? Lots of other similar apps work fine.

acqOP9y ago

TL;DR:

- the code is not obfuscated, which makes attempts at reverse engineering much easier.

- possible to rebuild a functional project

- dependencies could be better managed

- no hint to future VR or Cardboard versions

- it may be possible to downgrade the minimum requirements (below Android 4.4)

- we can get access to quite a few things: code for location/network/sensors and communication with Pokémon Go Plus

- the requests can be easily intercepted because of the lack of certificate pinning

j / k navigate · click thread line to collapse