Pokémon Go Developer Niantic is Being Accused of Abusing Android Permissions to Fight Device Rooting

By Tom Pritchard on at

There's a bit of a love/hate relationship that goes on with Android rooting, especially where developers are concerned. While some people may have the attitude that rooting is pretty dodgy, there are plenty of perfectly innocent things you can only do on a rooted device - removing bloatware being the most obvious. The latest news in this arena is that Pokémon Go developers Niantic have been accused of abusing their permissions access to crack down on rooted devices.

The latest version of the Pokémon Go app has been throwing up error messages at users who are playing on rooted devices, which has been explained as an anti-cheating measure. The company has been pretty strict in cheaters in the past, and it seems this is the latest step in a crackdown against those who have an unfair advantage. Well an unfair advantage that doesn't involve paying for extra items in the official store.

But that's not exactly interesting, and frankly it's a surprise this hasn't come up before. Especially since iPhone users have faced multiple issues playing on a jailbroken device. But that's not the issue here. The issue is that one member of the XDA Developers Forum claims Niantic is going a bit far with the root-detection, allegedly abusing its device permissions in the process.

The user, who goes by .NetRoller 3D, claims to have been using a Samsung Galaxy S4 to play Pokémon Go. It's a device that's been rooted in the past, but has since been returned to the factory settings and no longer offers root access. But the phone is still being flagged as rooted by the game, so some digging was done. .NetRoller 3D then scrubbed the internal and external storage to remove any mention of anything remotely related to rooting, and that worked:

What finally got it to work shocked me beyond belief. I went through the internal & external SD card, and deleted everything related to rooting (flashable-looking zips, APKs of root-related apps, logfiles, Titanium Backup, any folder with "root", "magisk" or "xposed" in its name, etc - many of them stuff I copied over from my previous phone, never installed on this one). And magically, Pokemon Go started working!

Bottom line: Pokemon Go is abusing its storage read permissions to scan the storage for evidence of rooting. Magisk will need to redirect Pokemon Go's storage accesses to controlled "sandbox" directories, and prevent it from reading the real internal or external storage. (Simply blocking storage access won't work, as the game actually writes to internal storage.)

Interestingly Android Police decided to test the theory, creating an empty folder labelled "MagiskManager" on an otherwise unrooted device. Then they were immediately locked out of the game until the folder was deleted. Android Police also noted that the most recent update didn't seem to change anything, suggesting that it's not just something that was briefly tested.

Going after rooted users to crack down on cheating isn't the worst thing in the world, even though some root-lovers may disagree. That said actually scanning storage and files is taking things to an extreme, and looks quite bad from a privacy perspective. Niantic hasn't commented publicly from the looks of things, but I've emailed to ask and will update if I hear back. [Android Police via Nintendo Life]