Gotta Block ‘Em All – Observations on Controlling Access to Mobile APIs using the Pokemon Go Example (David Stewart)

Page 1: Gotta Block ‘Em All – Observations on Controlling Access to Mobile APIs using the Pokemon Go Example (David Stewart)

Page 2

KEY PRESENTATION MESSAGE
• Your next app or API service may be a brilliant idea!
• Why not?
• Consider success:
  • MAU (monthly active users) numbers from your dreams
  • Traffic beyond your scale tests
  • Revenue to die for
• Will you capitalize on it?

Page 3

BOTs AND MOBILE APIs
• What is a bot?
  • We’re talking about bad bots here
  • Definition: Automated software using your API against your desires
  • What: Extraction, degradation, cheating
  • Why: Make money or mischief
• And why should you care?
  • Increased client functionality & API richness
  • Traffic migrating from web to mobile
  • No mobile protection solutions

Page 4

POKEMON GO: THE LAUNCH
• Mobile game first released 6th July 2016
• Staggered geo release over 3 months
• After 8 weeks:
  • >100 countries
  • >500M downloads
  • >4.6B miles walked (7.3B km)
• Not bad, eh?
• (First mistake: No GPS spoofing protection)

Image: Reddit user Inkblob

Page 5

POKEMON GO: REVERSING THE API
• Action -
  • Simple man-in-the-middle approach revealed API protocol
  • First game release used (unpinned) TLS-secured communication to prevent people looking at traffic
  • Enthusiasts were keen to know what they could do through automation, e.g. geolocation spoofing
• Reaction -
  • Niantic implemented certificate pinning
  • However, a lot of useful information had already been extracted
  • Pokemon proximity functionality disabled

Page 6

POKEMON GO: DISABLING CERTIFICATE PINNING
• Action -
  • Enthusiasts disabled certificate pinning
  • For example using an Xposed module
  • Recovered Pokemon proximity functionality
• Reaction -
  • Niantic enables the ‘unknown6’ pre-built checksum mechanism
  • Effect is to block IP addresses of mobile API abusers
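A server-side sketch of the reaction this slide describes (verify a per-request checksum, then block the IP addresses that keep failing it), added here as an illustration; it is not Niantic's or CriticalBlue's code, and the HMAC key, threshold and request bodies are constructed assumptions rather than a model of ‘unknown6’ itself.

```python
import hmac
import hashlib
from collections import defaultdict
from typing import Optional

# Constructed demo key standing in for a secret the app build would embed to
# compute a per-request checksum (assumption; not the real 'unknown6' scheme).
REQUEST_KEY = b"constructed-demo-key-not-a-real-secret"
BLOCK_THRESHOLD = 3  # consecutive bad requests before an IP is blocked (assumption)


def expected_checksum(body: bytes) -> str:
    """Checksum the server expects the genuine app to attach to `body`."""
    return hmac.new(REQUEST_KEY, body, hashlib.sha256).hexdigest()


class ApiGate:
    """Verifies request checksums and blocks client IPs that repeatedly fail."""

    def __init__(self, threshold: int = BLOCK_THRESHOLD) -> None:
        self.threshold = threshold
        self.failures = defaultdict(int)  # ip -> consecutive failures
        self.blocked = set()

    def handle(self, client_ip: str, body: bytes, checksum: Optional[str]) -> str:
        if client_ip in self.blocked:
            return "blocked"
        ok = checksum is not None and hmac.compare_digest(checksum, expected_checksum(body))
        if ok:
            self.failures[client_ip] = 0
            return "accepted"
        self.failures[client_ip] += 1
        if self.failures[client_ip] >= self.threshold:
            self.blocked.add(client_ip)  # the "block IP addresses" effect on the slide
            return "blocked"
        return "rejected"


def simulate() -> list:
    """Constructed traffic: one genuine client, one scripted client sending no checksum."""
    gate = ApiGate()
    body = b'{"lat":55.95,"lon":-3.19,"action":"nearby"}'  # constructed request body
    outcomes = [gate.handle("198.51.100.10", body, expected_checksum(body))]
    for _ in range(4):
        outcomes.append(gate.handle("203.0.113.7", body, None))
    # Caveat: any client that reproduces the checksum passes this check unchanged,
    # which is why the deck reports 'unknown6' being cracked within days.
    return outcomes


if __name__ == "__main__":
    print(simulate())  # ['accepted', 'rejected', 'rejected', 'blocked', 'blocked']
```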

Page 7

POKEMON: UNRAVELLING CHECKSUMS
• Action -
  • The community mobilized itself and cracked ‘unknown6’ in 4 days
  • This circumvents the checksum protection in the app
  • This effectively returns API access to the enthusiasts
• Reaction -
  • Legal action
  • Root checks
  • CAPTCHAs

Page 8

POKEMON GO: THE IMPACT
• Brand image
• Unhappy players
• Significant unplanned engineering effort
• Revenue
• Would the chart have been different if the engineering resources focused on new feature development instead?

Page 9

CRITICALBLUE?
• Dynamic Insight Technology

www.approov.io

Page 10

KEY TAKEAWAYS
• When it’s easy to do, it pays to plan for success
  • Control use of your server resources and APIs
  • Keep your development focused on delivering your roadmap
  • Software authentication delivers this peace of mind
• Consumers are fickle and easily spooked
  • Is it worth the risk?
• Prepare for the bot onslaught when you win!


Page 11

Thank you very much!

[email protected] @critblue