Pokemon Go Hackers - Gotta Catch 'Em All

July 15, 2016 1189 Views Sebastian Holst

Pokefan Alert - augmented reality apps like Pokemon Go are rooted in the REAL WORLD (not a virtual one) – a real world with a host of very real dangers.

Pokemon Go players are walking into traffic, being lured into remote locations to be robbed, and last (but in no way least) they’re being duped into using counterfeit (tampered) Pokemon Go apps.

What’s the harm? The “Gucci” handbag I bought off the street doesn’t seem like much of a threat.

Given the central role of mobile devices in every aspect of our lives, counterfeit apps now pose as great a threat to public and personal safety as counterfeit medications or car parts. A mobile app with malware can take over your phone, your credentials, and your identity (way more toxic than a handbag with a fake fashion logo) – and, when considering something as wildly popular as Pokemon Go, mobile apps are also at least as lucrative a target for cut-throat criminals as well.

This is not a hypothetical - Researchers at proofpoint have already found hacked versions of Pokemon Go on Android – and there’s no reason to believe that there’s not an all-out race within the criminal hacker community to exploit the tremendous popularity of this (and any other) wildly popular app.

Consumers

It’s actually not too difficult to avoid counterfeits. Do not be tempted to side load Pokemon Go directly from a download; do not be tempted to go to a secondary app marketplace (other than Google Play or the iStore) – even if you’re in a region where Pokemon Go hasn’t been officially released. It’s simply not worth it.

Development Groups

You cannot passively ignore the responsibility that comes with any success that may come your way – the more popular (or mission critical from a business perspective) your work becomes, the more attractive your code becomes to attackers. If Willie Sutton were alive today, he wouldn’t rob banks – he’d be a hacker “because that’s where the money is.”

Application security and risk management (being a part of the “real world”) is not much different than any other flavor of security and risk management – to be effective, security controls need to be proportionate, layered, and consistently applied.

For consumer apps like Pokemon Go (and line of business apps too) this means understanding how hackers attack and setting up material obstacles at every turn – impeding (if not deterring) exploits and (when attacks succeed as they will from time-to-time) enhancing prosecution and punishment.

I have no personal knowledge of the precautions the authors of Pokemon Go have taken as a part of their development process – but let’s hope that they have implemented a layered approach designed to halt, delay, or at least discourage a would-be hacker at every step in their journey.

The following graphic outlines a typical Android hacker’s journey; the steps they are likely to take on one side and the traps and controls that can trip them up on the other such as Android obfuscation and anti-tamper technologies.

The Development Team’s Responsibility

Whether for selfish reasons (you don’t want to be the guys whose app screwed everything up), or ethical obligations (you know that you owe it to your user community), or legal risk (the courts are far from settling what kind of liability comes with deploying unsafe software ripe for exploitation) – there can be no doubt; app owners must bake effective risk management and security controls (devsecops) into every facet of their application’s lifecycle; from design through deployment and deprecation.

For more information on how to best manage application risk and secure intellectual property across mobile, on-premises and cloud-based development investments, contact solutions@preemptive.com or check out more information on DashO.

Using Dotfuscator Community Edition with Xamarin

We've previously blogged about Using Dotfuscator Professional with Xamarin Applications. We've also blogged about the recently added command line support for Dotfuscator Community Edition. Now it is time to put these two concepts together, and show how to make reverse-engineering your Xamarin application more difficult by integrating Dotfuscator Community Edition (CE) into your Visual Studio build process.

Trade Secrets and Software: don’t give one up for the other

The true value of trade secrets – as with any class of intellectual property – is directly proportional to the owner’s ability to enforce their rights through criminal and civil actions.

Your apps may be getting hacked – Why should you care? What can you do?

Today more than ever, applications are mobile and can be run worldwide. And many useful apps access sensitive data and have value-added functionality within them (such as trade secrets). Because traditional firewall type attacks are much more difficult today, hackers are increasingly targeting both consumer and enterprise mobile and desktop apps as a newer attack vector. So, those apps may be at risk from theft of IP/underlying sensitive data, malware injection and more advanced targeted threats.

Harden applications against hostile and compromised environments – not just simple attacks.

Once a mobile device or an on-premises server or a PC… is known to be compromised or in hostile hands (detected, for example, when someone attaches a debugger to an app in what is a strictly production setting), doesn’t it make sense to be able to alter your app’s runtime behavior in real time? …and not just at the time of discovery – but also into the future – and for as long as the runtime environment remains suspect?