
Pokemon Go API - fmax30
https://github.com/Grover-c13/PokeGOAPI-Java/
======
ndarilek
Haven't delved deeply into this, but does it let you do everything
programmatically, including track/catch pokeymon?

I'm blind and would be interested in there being an accessible version, but
it's just not ever going to get made. Seems like pokestops or whatever they're
called could be represented as a plain native list, with Maps integration for
voice guidance to the point if you don't already know where to go.

And it looks like the in-game action is fairly simple. Could probably render
it with positional audio, which has been done in accessible games for at least
a decade [1]. I wear a bone conduction headset, so I could listen to the audio
cues overlaying my actual environment. It may be hard to model the catch
mechanics, but I assume they aren't too much more complex than "center one
thing on another and throw," which again audio games have pretty much figured
out.

Seems like a fun project. Might give it a shot if I can stomach the risk of
getting randomly shut down one day.

Edit: Speeling

1. [http://audiogames.net](http://audiogames.net) Kind of an annoyingly bad
site in some respects, but useful info all the same.

~~~
Tenoke
I believe you can do pretty much everything, but sadly people are already
using it for building bots, so there is a chance that Niantic might change
it.

On the other hand, this does sound like a fun project.

~~~
TkTech
Doesn't matter how they change it. As long as the app works, there's
absolutely nothing they can do to stop someone from using the "API".

------
2bitencryption
So let me get this straight -- for these "unofficial" APIs, someone just
scraped a bunch of packets from their phone while letting Pokemon Go run on
it? Then investigated to see what the communication from client to server
looks like, then implemented an API that mimics that communication?

If that's all so, could the PoGo devs simply enforce some type of device
authentication to 'shut down' these APIs, or otherwise take different steps to
make unofficial APIs less compatible/more difficult/effectively impossible?

~~~
evook
> If that's all so, could the PoGo devs simply enforce some type of device
> authentication to 'shut down' these APIs, or otherwise take different steps
> to make unofficial APIs less compatible/more difficult/effectively
> impossible?

That's impossible. If you try this you'll either have a bunch of false
positives or even more likely a patched api around 12 hours later. Never
underestimate the dedication of botters. There are multiple headless WoW Apis
around for 10 years now and Blizzard isn't able to close them out.

~~~
FungalRaincloud
The best way to handle this is with account-specific API keys. Even that would
just mean creating an account, and the only real benefit to that is that you
could track the API key, and if it did "bot-like" things, ban it. That's not
really a fix, just a barrier for entry, preventing poorly thought out bots
from working.

~~~
danielrmay
I'm pretty sure this already exists. These APIs have been in development for a
couple of weeks now and as far as I can tell (from watching the
/r/pokemongodev subreddit) there haven't been any bans. Niantic, at present,
don't appear to have any automated system attempting to catch bot-like
behavior.

~~~
flashman
Botters aren't as big a threat to Niantic's business as the shortcomings of
their own technical infrastructure.

When that changes, watch out.

------
spdy
[https://github.com/tejado/pgoapi](https://github.com/tejado/pgoapi) - Python
version

------
bargl
There are quite a few Pokemon Go APIs in different languages. This is the Java
Pokemon Go api. There is a C# api, and a python api.

If you want to learn more this subreddit is great for news.

[https://www.reddit.com/r/pokemongodev/](https://www.reddit.com/r/pokemongodev/)

------
kveykva
Instead of implementing bots and trackers, someone could implement:

    
    
  * Just a working 3 step tracker
  * Gym high scores
  * Display nicknames of gym pokemon

~~~
jms18
> Display nicknames of gym pokemon

That's rife for abuse. It would require a "reporting" function; a moderation
team; resolution practices; human intervention; a "scoring" system to judge
repeat offenders... on and on and on.

Please don't ask for that. I don't need to see that the gym located at a
church is being championed by the Pokemon nicknamed "Gaylord."

~~~
ry_ry
You can already do it via player name.

The notorious Westboro Baptist Church was being held by an apparently LGBT
friendly account called LOVEISLOVE recently, which I thought was quite sweet
tbh.

------
tfm
Probably good to regard these first few weeks (months?) of Pokémadness as an
"open beta" period, before the security measures get turned on. We can look at
Niantic's previous project, Ingress, for a roadmap.

The two major categories of cheatifying in Ingress are falsifying one's
location and multi-accounting. There's precious little that can be done about
the latter, so Niantic focus on banning players that appear to be "spoofing"
their location.

Given the wealth of different devices and playing scenarios, immediate
detection of GPS spoofing is infeasible. Things like WiFi router locationing
idiocy (or even just dodgy GPS antennae) play havoc with the utopian dream of
perfect positioning every time. If a player performs actions seconds apart
that are separated by thousands of miles then the game temporarily ignores
them, but after some time in the naughty corner they can resume play.

Hardy spoofing detection instead depends on longer-term profiling. Ingress has
a similar API to Pokémon Go – JSON chunks (rather than protobuf) over HTTPS,
most fields out in the open – but each request from the app includes a
monolithic "clientBlob" containing device characterisation. The format of this
has been (presumably) reverse-engineered by a few hardy souls but it is
certainly closely-protected Niantic knowledge. We could safely assume that
it's a proprietary blend of signal strengths, gyroscope readings, touch events
and timings, secret herbs and spices etc.

The clientBlobs lend themselves to offline processing. There are conceivably
servers continuously trawling through a backlog looking for tell-tale patterns
of bad behaviour, but it also provides an audit trail if a particular player
is suspected of spoofing. Occasionally Niantic indulges in mass purges, which
presumably follow from a new cheat detection heuristic being run on all the
collected data for some period. These "ban waves" have a reputation for
penalising unusual device configurations (the most recent major wave appeared
to target, amongst other things, players with modified Android variants that
might mask GPS falsifying code, including cheaper Chinese knock-offs, and
Jolla phones running Sailboat).

Occasionally during major Ingress gaming events – so called "XM anomalies" –
there is some level of human supervision to quickly identify and remedy
clearly-fraudulent player behaviour, but for day-to-day operations it seems
that account termination, so-called "hard bans" and shorter-lived "soft bans"
are entirely automated, and based on offline player data analysis.

Getting back to the New Cruelty: the clientBlob was not part of Ingress's
initial implementation; for a while after it was introduced it was ignored, and
then it became mandatory. A similar opaque chunk of data is included in the
Pokémon Go requests, so we should look forward to its imminent deployment when
Niantic scrape together enough Pokécoins to buy a few new servers for batch
processing. At that time these convenient APIs won't have long to live.
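
The short-term check described in the comment above (actions seconds apart but thousands of miles away are temporarily ignored, then play resumes), sketched as an added example that is not part of the original comment or of any Niantic code. The speed ceiling, jitter tolerance, cooldown length and the sample log are all assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

MAX_SPEED_KMH = 1000.0  # assumed ceiling, roughly airliner speed
MIN_JUMP_KM = 5.0       # assumed tolerance for GPS / WiFi positioning jitter
COOLDOWN_S = 3600       # assumed length of the temporary ignore window

@dataclass
class Action:
    player: str
    ts: float   # Unix seconds
    lat: float
    lon: float

def haversine_km(a, b):
    """Great-circle distance between two actions, in kilometres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlat, dlon = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def evaluate(actions):
    """Label each action 'accept', 'impossible_travel' or 'ignored'."""
    last_ok, ignore_until, out = {}, {}, []
    for act in sorted(actions, key=lambda a: a.ts):
        if act.ts < ignore_until.get(act.player, 0):
            out.append((act, "ignored"))
            continue
        prev = last_ok.get(act.player)
        if prev is not None:
            dist = haversine_km(prev, act)
            hours = max(act.ts - prev.ts, 1.0) / 3600
            if dist > MIN_JUMP_KM and dist / hours > MAX_SPEED_KMH:
                # Start the ignore window and drop the baseline so the
                # player re-anchors at their next accepted position.
                ignore_until[act.player] = act.ts + COOLDOWN_S
                last_ok.pop(act.player)
                out.append((act, "impossible_travel"))
                continue
        last_ok[act.player] = act
        out.append((act, "accept"))
    return out

# Constructed sample log: (player, ts, lat, lon)
SAMPLE = [Action(*row) for row in [
    ("alice", 0, 51.5074, -0.1278),      # London
    ("alice", 30, 51.5080, -0.1270),     # small jitter, same place
    ("alice", 60, 35.6762, 139.6503),    # Tokyo 30 s later
    ("alice", 600, 35.6762, 139.6503),   # still inside ignore window
    ("alice", 3670, 35.6762, 139.6503),  # window over, play resumes
    ("bob", 0, 51.5074, -0.1278),        # London
    ("bob", 28800, 40.7128, -74.0060),   # New York 8 h later (a flight)
]]

def verdicts(player, actions=SAMPLE):
    return [v for a, v in evaluate(actions) if a.player == player]
```

A per-request check like this only catches gross jumps; the longer-term profiling the comment goes on to describe would run offline over the stored history instead.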

~~~
pbhjpbhj
> If a player performs actions seconds apart that are separated by thousands of
> miles then the game temporarily ignores them, but after some time in the
> naughty corner they can resume play. //

I'm curious how the financial side works with the gameplay side - the people
doing spoofing might also be those that are motivated enough to spend money on
the game; you don't want to ban your whales [best spenders] just because they
tried to cheat. Would be really interested to see how much of that weighs in
to business decisions on crack-downs on unauthorised "play".

~~~
tfm
I'd certainly agree that someone who went to the effort of setting up a system
for spoofing (even if it was just downloading an extra app) is, in some sense,
more motivated than a very casual player.

I don't think though that Niantic have much of a moral hazard to consider
here. Looking at what's purchasable in the Pokémon store, there's nothing that
would be attractive to anyone who was able to virtually wander the world at
all hours from the comfort of their couch, especially since anything that can
be bought with cash money could be obtained using coins earned in-game. If a
player's motivation in spoofing was to "catch 'em all" by whatever means
necessary, it seems unlikely that they'd draw the line at restocking from
Pokéstops along the way.

Comparing with the dark side of Ingress, there is a ludicrously well-organised
black market economy offering purchases for every in-game commodity – all, of
course, completely against the T&Cs, all completely abhorred by legitimate
players, but all offered with consummate professionalism (think of the slick
ransomware scammers offering a support number). Niantic don't see any of that
cash. It is likely to have had a major impact on their design decisions for
the PoGo store, and the game in general. If, for instance, there is no way to
trade items between players, then it severely limits the options for a
parallel economy.

------
yelnatz
Pokemon Go _Java_ API.

The Python version has been out for weeks now and I thought this was the
Golang version.

------
prayerslayer
I am just happy to see that the API has "trading" as a concept, looking
forward to that feature.

Overall it's sad that most game mechanics of the original games didn't make it
into Pokemon Go. Does anyone know how much time they had to implement it?

~~~
_asummers
My understanding is that the beta for the game got out to a larger audience
than they intended and they pushed up the release date, though I can't
immediately find anything on Google to corroborate.

------
atoko
All these services contribute to the unstable server situation

~~~
Normal_gaussian
Primarily a bad architecture does, but you are right - the moral case for this
being exposed is incredibly iffy.

------
airplane
I saw in the examples you can catch Pokemon with this API, does that method
give you an automatic excellent throw every time then?

Also, does this API depend on running on Android?

~~~
2bitencryption
Interesting point.

Most of the important stuff is certainly done server-side, like determining
whether a Pokemon appears at coordinates x,y or not (though my guess is the
client is tasked with this, and then says "Hey server, I'm showing there
should be a Pidgey at x,y, I'm gonna try to catch it." The server confirms by
running the exact same deterministic check on x,y, then says "Yep, I see it
too," or "No, you're a filthy liar, Joey.")

But for the actual "I caught it" or "I missed it," unless the exact user input
is sent to the server, and then the server simulates the projected path of the
throw, the client seems like it gets to say that. So perhaps the client could
actually say "I hit it perfectly," and the server just says "Well if you say
so."

~~~
uryga
I've seen the app load something (and hang up while doing that) between
pokeball throws. That seems like evidence that it's asking the server about
something after each throw / once every n throws.

Checking if a throw resulted in a capture server-side would be weird, I don't
see why it couldn't be done on the client. It could be querying for the
player's inventory, to see if they have enough pokeballs? It'd still be better
to just sync that once before the fight...

My best guess is, the conditions for a Pokemon running away involve something
only the server knows. A weak example: maybe it considers other players in the
area - pokemon might be more likely to run away if the area is too crowded? So
every once in a while the client asks the server how many players are there
nearby, or something.

~~~
_asummers
I've noticed higher CP pokemon tend to run away more quickly. You also have to
remember that there's now great balls and razz berries to influence throw
chances, so the client probably publishes the events it's doing (gave a razz
berry, threw a pokeball, threw a greatball) and the server creates some
randomness that says yes/no.

~~~
uryga
That "randomness generating" still seems like it would be easily done locally,
and it'd reduce server load. But maybe there's some more advanced mechanisms
we don't know of.

~~~
corobo
If it's done locally then people will bodge the client so the random is no
longer random. The server's always going to have to do the math, even if to
just ensure the client's not lying.

------
mmazer
You should check out
[https://github.com/disdain13/PokeRoadie/](https://github.com/disdain13/PokeRoadie/)

The best PokemonGo bot by far!

------
airplane
Does anyone know about the legality of projects like this in the US?

I vaguely remember stories about game companies legally going after companies
making bots.

Would uploading an API like this open someone up to a lawsuit? What about
someone uploading a bot or a botting framework?

~~~
prusswan
Usually they will just get a cease and desist.

If they are profiting off their work to the extent that it actually makes
business sense for the game company to sue them for damages, then that is the
action they can expect to get.

------
greenpizza13
This just goes to show that Niantic has no idea what they're doing and
completely lucked into the popularity their app has had.

It's terribly buggy and clearly totally insecure. They can't keep up with the
server load and nobody had a conversation before the game shipped about
protecting against abuse from people reverse engineering their APIs. This is a
joke.

~~~
spicyj
Alternatively: the game's success (and profits) show that none of that matters
so they were wise not to waste time on it. There's no way to perfectly harden
an app like this, anyway.

~~~
greenpizza13
I think the game's success speaks to the popularity of the franchise and the
desire for fans to have this sort of game. I agree, they must have known it
was so buggy before launching and went ahead anyway... because profits.

There should be some minimum level of quality regardless of the fact that if
you shove crap through the door people will buy it.

------
jacquesm
Could someone please start something called 'Pokemon news'?

~~~
scrollaway
And React news? Python news? Maybe we can just have HN tags :)

I could be reading too much in your comment but I get the feeling you're upset
at the overwhelming amount of pokemon-related threads. Don't be.

Reverse engineering is a very interesting field of programming. Video game
reverse engineering is one of the most amazing things, actually. It's where
many teenagers discover how the games they play work. Where they first start
understanding technology, write their first scripts, start being in control of
their computer.

I haven't touched Pokemon Go yet, and am not overly interested (mostly because
it's not available where I live). But the reverse engineering effort behind it
is spectacular and passionating. Why dismiss it like this?

~~~
jacquesm
Because it's just a hype. The new page is literally flooded with pokemon links
by parties trying to lift along on the hype.

It's utterly boring.

~~~
scrollaway
So just because the subject at hand "is just hype", you're dismissing the
excellent work that goes behind it?

For someone who clearly wants to "keep HN pure", you're very quick to judge a
hack by its cover. Guess you didn't read my comment at all.

~~~
jacquesm
> Guess you didn't read my comment at all.

That's really getting old, right along with 'did you read the article'.

~~~
scrollaway
Is it? I've seldom seen it pointed out. Do people keep telling you that?

I respect your comments a lot usually, but you're being incredibly arrogant
here. You are taking one subject which people quite clearly enjoy, and
dismissing reverse engineering work that goes into it just because you don't
like it.

If this is you standing up for what you wrote, I really do hope you didn't
read my comment.

~~~
jacquesm
> I've seldom seen it pointed out.

[https://www.google.nl/search?q=site%3Anews.ycombinator.com+d...](https://www.google.nl/search?q=site%3Anews.ycombinator.com+did+you+read+the+article)

> I respect your comments a lot usually, but you're being incredibly arrogant
> here.

That's another one of those oft repeated patterns. Usually it means "I like
you when we agree, but now that we disagree I don't like you any more".

> You are taking one subject which people quite clearly enjoy, and dismissing
> reverse engineering work that goes into it just because you don't like it.

No, I simply don't like dumb games that cause adults to run around like
headless chickens whilst ignoring the world around them and then to see my
favorite tech news site flooded with one link after another. And yes, it
upsets me because it crowds out other submissions not tied into the hype. Then
people start making HN specials in order to ride along on the hype.

> If this is you standing up for what you wrote, I really do hope you didn't
> read my comment.

You be the judge on that one.

Best of luck with HN.

~~~
scrollaway
I'm not asking if you read the article, I'm asking if you read my comment. But
I guess I have my answer now.

> Usually it means ...

Ok, now you're just doing it on purpose. What it _means_ is I respect you, and
I'm surprised you're behaving like a run of the mill HN troll.

> I simply don't like dumb games

You're _still_ conflating the game and the work that goes behind the game. I
don't like Facebook, but I don't shit on articles about React. I think Twitter
is one of the dumbest things on the web right now, but I _still read articles
about Twitter's engineering_, because it's interesting as fuck.

You're going on your 10th year on HN. How have you not caught on to this
pattern?

~~~
jacquesm
Note how each of your last three comments contains some kind of personal
insult. Is it really that hard to disagree without resorting to personal
attacks?

