You are viewing a single comment's thread from:

RE: CIA and PokemonGO: Welcome to a New ERA of Covert Surveillance!

in #security8 years ago (edited)

I'm going to copy my previous comment again, adding some new points.

First of all, i would like to mention that implementing malware in videogames is a risky thing. Here's why: Pokemon Go is still not supported in many countries, so those Android users who want to play Pokemon Go, need to download APK instead of searching it in Google Play. It appears that one of the most popular APK files contained some malware in it. That was exposed by some users on Reddit and other forums just days after the release. It's very easy to loose users trust in 2016, remember how Windows 10 and data mining was exposed?
If there really was a backdoor in Pokemon GO code, that would allow the potential "bad person" to spy on users, using this app, then, it would have been already found. Thousands of coders, game hackers (the people that use their skills to obtain boosts in games), developers that want to make another game clone - they would share this with the people, as it would be a potential app destroyer, so they would be able to make their own clones and have all the profits possible.

Also, it's silly. Why would people from spy agencies develop a game, based on a setting, that costs billions of USD, instead of negotiating the possible backdoor in the OS. People don't catch Pokemons 24/7. People don't use the app 24/7 Yeah, i know about youth and kids, but if we are talking about some Gov people...

You can also play without using the camera. AR is just an option.

In my opinion, these kind of theories (about applications) should be always backed with code/data control logs that prove the statements.

And if there was an idea of forcing you to be in needed locations in-game, developers wouldn't have made Lure Modules and Incense :) These items attract Pokémon to you.

Terms of Service clearly say: We may also consult and cooperate with law enforcement authorities to prosecute users who violate the law. Are you going to violate the law using Pokemon GO? It's fucking hilarious. And i advise you to check the Terms of Service of websites or apps you're using, because any company which goes by the word of law has something like this in their ToS. There is no "HOLY SHIT DUDES WE ARE WATCHING YOU" or something in that kind.

Pokemon GO has been recently unbundled. I'm too lazy to edit, here is the Steemit post:
https://steemit.com/pokemongo/@miohtama/reverse-engineering-pokemon-go-on-android
Here's the article:
https://applidium.com/en/news/unbundling_pokemon_go/
Now the main question: if you make an app which is a spying app, would you let the possibility of RE exist? Of course no.
That's the thing i told you in my previous comment - if any data leaks or hidden spying tools existed in Pokemon GO - they would have been already found.

Sort:  

The concern is not about "malware," per se, embedded in the app, but that the app is harvesting valuable data and shipping it off to Google for who knows what. The point is that the user would never notice malicious behavior because, to most users, it wouldn't be considered malicious at all. So the app took some pictures and sent them to Google; big deal! Most likely that code is in there somewhere, and your average person will know exactly what it's doing and not think twice about it.

And Google isn't stupid; if they want to hide something (which again, they probably don't), the dumbest thing they could possibly do is obfuscate the bytecode. That sets off red flags and alarms everywhere, and suddenly there's thousands of skilled RE's analyzing the app (a lot of them just for the challenge, which is far more compelling with a big name like Google involved), whereas right now all we have is the occasional tech blog doing a cursory overview (which is all your link is, btw). Also, there's far better ways to hide code than blanket obfuscation. Like I said, that's probably the worst way to do it. And no, there's no way to prevent reverse engineering of an app. It's impossible in practice, and I've actually worked on the theoretical side of that, and while I don't have a formal proof that it's impossible, I'm pretty darn sure it is.

The point of the OP isn't that it might be malicious in the traditional sense; it's that the CIA may be involved, and if they are, they'll be scooping up massive swaths of data (and again, the code involved here will be completely ignored by most any reverse engineer because it's completely mundane: uploading a picture) and we have no idea what they'll use that data for.

Thanks, @modprobe. That's exactly what I wanted to say.
Massive volumes of data are sent to servers and nobody can find out and check how the data are really used. Whether it's used by CIA or just for app analytics. And even if it's not used by CIA at the moment nobody can guarantee that it won't be used by them futher!

It's still not what everybody are talking about (photo/video recording). The amount of data which can probably be sent to somebody is not bigger as it would be if you used your Google or Apple maps.

The code is there somewhere is not actually an answer. It should be there or all the theories are just attempts to gather some attention. And there are not only thousands of REs, as I've mentioned, the code was explored by the game hackers and clone makers too.
And yes, you can check the amount of data that the game sends. It will require an android device, some services disabled, some tools installed.