Trainers, we have some unsettling news to report today. A member of the XDA Developers forum has discovered that Pokemon GO is abusing its read permissions to read Android’s internal storage and search for possible hints that your device is rooted.
Rooting is the process of obtaining root privileges on an Android device and, although being a completely legitimate thing for power users to do, it is usually required for a majority of high class cheating devices employed in Pokemon GO. For more information about rooting in general, check this article by Android Basics.
In an effort to curb cheating in Pokemon GO, Niantic has frequently updated their methods of detecting rooted devices, but the latest method introduced in 0.115.2 (see our APK tear down) crosses the line for some.
Allegedly, the new security allows Pokemon GO to read your device’s file and folder names well outside it’s intended storage level, and to identify anything that can be associated with rooting procedures. As the XDA member lays it out, anything that’s either a flashable-looking zip, APKs of root-related apps, log files, Titanium Backup, any folder with “root”, “magisk” or “xposed” in its name can be used to trigger the now dreaded unauthorized device error.
Several other reddit and XDA users have confirmed that this is indeed the case. Detecting rooted devices is difficult in technical terms, but to go as far as to read personal file and folder names is quite alarming. Moreover, players have been able reproduce this by simply creating folders with root-looking-names on their external SD cards!
We’re not sure if Niantic should be doing this, despite their best intentions to prevent cheating on rooted Android devices. Pokemon GO is after all just a game, and such a hidden mechanism can’t be expected from a game.
It would be fine, if it was an antivirus or a different type of security software, and if you willingly gave access and accepted this behavior as an user.
No response was given by Niantic yet.