
Pokemon Go: Reverse Engineering of the Android App - acq
https://applidium.com/en/news/unbundling_pokemon_go/
======
pingec
While unobfuscated code is really nice to have from a hacker's perspective,
isn't this a rookie mistake on Niantic's part?

Or perhaps was this a conscious decision, not to do it for some reason?

~~~
acq
Imho, it was more of a "why bother?".

Most of the code is inside Unity, which is harder to access, but they ended up
putting more code in the Android part (for the Pokémon Go Plus for example),
and probably forgot about it.

They can still obfuscate later releases, but the lack of certificate pinning
is going to be harder to fix.

~~~
hh2222
Sincere question, is Unity part of the reason the app is unusable (slow and
crashes constantly) on my iPhone 4s? Lots of other similar apps work fine.

------
acq
TL;DR:

- the code is not obfuscated, which makes attempts at reverse engineering
much easier.

- possible to rebuild a functional project

- dependencies could be better managed

- no hint to future VR or Cardboard versions

- it may be possible to downgrade the minimum requirements (below Android
4.4)

- we can get access to quite a few things: code for location/network/sensors
and communication with Pokémon Go Plus

- the requests can be easily intercepted because of the lack of certificate
pinning

