In a surprising turn of events, the latest Pokemon GO update introduced a new method of fighting bots, MitM abusers and trackers – good ol’ captcha. As soon as the game detects abnormal player behaviour, the player is prompted with a simple captcha screen. Read on for more details.

Pokemon GO Bots and Trackers are going offline for good

The update change log contains only one relevant line, in typical Niantic fashion: “minor bot fixes”. A taunt aimed at bot authors, this single line stands for a complex detection mechanism hidden inside the game, one that prompts players with captcha screens whenever it detects possible abuse.

A Reddit user hinted that the decompiled source code contains references to the new mechanism. The decompiled source code showed the following names:

  • CaptchaService
  • CaptchaGuiController
  • CheckChallengeProto
Decompiled source shows hints of new Captcha mechanism

Captcha mechanisms are frequently used to prevent spam and bot attacks on websites, and it remains to be seen how effective one is inside Pokemon GO.

As observed, a growing number of players reported problems with bots on various botting forums. Unsurprisingly, the third party development community is not moved by this change and by the looks of it a solution is already in the works.

But the bad news for bot authors and users doesn’t stop there. The official API encryption called “unknown6” changed once again. Last time Niantic attempted this kind of protection for the API, it took the third party community two days to decode and circumvent the encryption.

Pokemon GO Captcha in action

The FastPokeMap developer used a “man in the middle” abuse method to get a snap of the Captcha, and as expected it is Google’s reCaptcha behind the scenes. The challenge of fighting Captcha is enormous: it tracks user actions before, during and after clicking the “I’m not a robot” checkmark. If it detects unusual patterns, the user is denied access. Even when it does not detect a direct botting attempt, the Captcha switches from a checkbox to a fuzzy letter image, making it even more difficult to circumvent.

The most significant tweet from FastPokeMap warns of the upcoming demise of bots and trackers:

“Enjoy it while it’s up, can’t guarantee it’ll come back once the new security measures are activated.” – FastPokeMap Official

It is expected that all 3rd party apps will stop working as soon as the app update rolls out worldwide, meaning the worst is yet to come for the 3rd party development community. It is highly unlikely that the 3rd party developer community on GitHub can once again find a fix to the new Pokemon GO security measures.

The new Android version 0.35.0 is out in the Google Play store, while the iOS Pokemon GO app update 1.5.0 has not been released yet. What happens when the update rolls out worldwide remains to be seen, but we are expecting a huge outcry from the bot community.

Developing…