Inside Pokemon GO - Network connections behind the scenes

As you might have heard, Pokemon GO was released a few days ago in the US, NZ and Australia. It has gained a huge player base all over the world by now, because the region restriction is not as strictly enforced as it could be: Niantic, the company behind Ingress and the core developer of Pokemon GO, relies solely on restricting the app store distribution of the app in unreleased regions, not the game functionality itself.

I could not stop myself from taking it apart by watching the network traffic the app creates on iOS and found a few interesting things I would like to share here:

  • Pokemon GO comes with Upsight's framework included to provide Niantic with analytics data. Not exactly a surprise; judging by the partners listed on their site, Upsight seems to be a huge player in the stats/analytics business.
    The game sends data like your device type and software version, whether the device is jailbroken or not (never trust this info :) ), the network carrier you use and lots of other metadata to Upsight. Game-related data is also sent to them, including your current item, pokemon and pokecoin counts, your player level and your experience. While you play, the game constantly sends updates on what you're doing and, for example, what your inventory looks like.
    Funnily enough, an opt-out option seems to be available (at least in the JSON data sent), although I have not really looked into whether it's actually possible to use.

  • Apteligent seems to be another metrics framework that is included, although I have only seen a rudimentary data exchange so far, so I assume it is just used for secondary metrics.

The initial game-server request goes to https://pgorelease.nianticlabs.com/plfe/rpc, with a bunch of encoded data in the POST body, probably for authentication. The response contains the URL that all further requests should be sent to (to allow for later API changes, I guess). Certificate pinning is used, so without patching the certificate checks you won't get any further with an interception proxy's certificate, even if the device itself trusts it. Luckily, on iOS there are several low-level patchers available that disable the checks system-wide, so we don't have to patch every application manually.

Currently the endpoint handed back for the main server is https://pgorelease.nianticlabs.com/plfe/110/rpc. The first request sent here is the same as above, but the response contains a lot more data this time, including, at first sight, most of the player info: name, inventory and pokemon(?). All further communication happens here, in custom data structures embedded in POST requests.

  • Photos of gyms and pokestops are hosted on ggpht.com (a Google-owned image hosting domain)

  • Fun fact: The app tries to use the Google Maps API from time to time, but someone seems to have forgotten a valid API key here:

There is a lot more to write about, and this was a very high-level overview of the network traffic behind Pokemon GO (I would especially like to reverse the format the POST data is encoded in), but I have my exams coming up in a few weeks, so Part 2 will have to wait for another time!

Thanks for reading!

UPDATE 07/15: I almost expected the exchanged POST data to be encoded using Google's protobuf format. That has been pretty much confirmed now, and not only that: someone apparently managed to extract the protocols from the app binary (or the included assets, I am still not sure about that). If you ever wondered what's actually being sent back and forth, now is your chance! Part 2 is of course still going to be published and will probably deal with reversing the actual executable file to see what gems it will tell us!
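Once the POST bodies are known to be protobuf, the first useful step with a captured body, even before any .proto definitions are available, is to walk the raw wire format: every field is a varint tag (field number and wire type) followed by a varint, a fixed 32/64-bit value or a length-delimited blob, and nested messages are just blobs that themselves parse as messages. The decoder below is an added example written for this post; it is not code from the original article, from Niantic or from the extraction effort mentioned above. The sample message it parses is constructed here with made-up field numbers and contents and is not a captured Pokemon GO request.

```python
"""
Schema-less Protocol Buffers wire-format walker (added example, not the
original post's code and not Niantic's). Decodes a suspected protobuf POST
body without a .proto file into (field_number, wire_type, value) triples,
descending into length-delimited fields that look like nested messages.
"""
import struct

VARINT, FIXED64, LENGTH_DELIMITED, FIXED32 = 0, 1, 2, 5


def read_varint(buf: bytes, pos: int):
    """Decode a base-128 varint at pos; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def decode_message(buf: bytes, depth: int = 0, max_depth: int = 8) -> list:
    """
    Decode one message into [(field_no, wire_type, value), ...].
    A ValueError means the bytes are not a well-formed wire-format message,
    which is also how we decide whether an unknown blob is protobuf at all.
    """
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field_no, wire_type = tag >> 3, tag & 0x7
        if field_no == 0:
            raise ValueError("field number 0 is reserved")
        if wire_type == VARINT:
            value, pos = read_varint(buf, pos)
        elif wire_type == FIXED64:
            if pos + 8 > len(buf):
                raise ValueError("truncated fixed64")
            value, pos = struct.unpack_from("<Q", buf, pos)[0], pos + 8
        elif wire_type == FIXED32:
            if pos + 4 > len(buf):
                raise ValueError("truncated fixed32")
            value, pos = struct.unpack_from("<I", buf, pos)[0], pos + 4
        elif wire_type == LENGTH_DELIMITED:
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("truncated length-delimited field")
            value = classify(buf[pos:pos + length], depth, max_depth)
            pos += length
        else:
            # 3/4 are deprecated groups, 6/7 unused: not emitted by modern protobuf
            raise ValueError(f"unsupported wire type {wire_type}")
        fields.append((field_no, wire_type, value))
    return fields


def classify(chunk: bytes, depth: int, max_depth: int):
    """
    Guess what a length-delimited payload is: printable UTF-8 text first, then
    a nested message that parses cleanly, otherwise raw bytes. Text goes first
    because tag bytes of low-numbered fields (0x08, 0x12, ...) are control
    characters, while short ASCII strings often parse as a message by accident.
    """
    try:
        text = chunk.decode("utf-8")
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            return text
    except UnicodeDecodeError:
        pass
    if depth < max_depth:
        try:
            return decode_message(chunk, depth + 1, max_depth)
        except ValueError:
            pass
    return chunk


def dump(fields: list, indent: int = 0) -> str:
    """Render the decoded tree, one field per line, nested messages indented."""
    lines = []
    for field_no, wire_type, value in fields:
        prefix = "  " * indent + f"field {field_no} (wt{wire_type}): "
        if isinstance(value, list):
            lines.append(prefix + "{")
            lines.append(dump(value, indent + 1))
            lines.append("  " * indent + "}")
        else:
            lines.append(prefix + repr(value))
    return "\n".join(lines)


# Constructed sample with made-up field numbers; NOT a captured game request.
SAMPLE = (
    b"\x08\x02"                                  # field 1, varint 2
    + b"\x11\x88\x77\x66\x55\x44\x33\x22\x11"    # field 2, fixed64 0x1122334455667788
    + b"\x1a\x0f\x08\x6a\x12\x0bTrainerName"     # field 3, nested message (15 bytes)
    + b"\x22\x03\x00\xff\x00"                    # field 4, opaque 3-byte blob
)

if __name__ == "__main__":
    print(dump(decode_message(SAMPLE)))
```

Feed a captured body straight into `decode_message(body)`: if it raises ValueError the body is either not protobuf or is wrapped in something else (compression, a length prefix, an outer framing) that has to be stripped first. Because the wire format carries no field names, the output only tells you the shape of the messages; matching field numbers to names still needs the extracted .proto definitions. Keep in mind that the text-versus-message guess is a heuristic, so a blob that looks like a nested message should be cross-checked against the same field in several captured requests.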

UPDATE 07/17: Even more decoded protocols can be found here.
