Sorry Niantic, I cheated.
Spoofing location in Ingress is really really easy.
Since I started to play this game, I always played cleanly, but recently I started to see many episodes of GPS spoofing around me.
It is extremely bad when a player drives for kilometers and kilometers for a field just to see it destroyed by a cheater after a few minutes.
So I decided to start an experiment to discover how easy it is to cheat and to test the protection mechanisms implemented by your servers.
I discovered that one can cheat very easily and without any need for technical knowledge.
So let’s see how to cheat in Ingress:
Unfortunately this method works only on Microsoft Windows, because of an issue in OpenGL (I think). If you can make this work under a free operating system, please let me know.
- visit gmail.com and create a new, fake, free, Google account
- visit www.genymotion.com and create a new account
- download Genymotion and install it
- open Genymotion and click “Add”
- log in with your new account
- install a new virtual machine (WXGA 10.1 Tablet – 4.1.1 – API 16 – 1280×800)
- follow this guide to install GApps on the virtual machine: http://forum.xda-developers.com/showthread.php?t=2528952
You simply need to download two zip files and drag them over the running virtual machine, rebooting after every installation.
- reboot your virtual tablet and open Play Store
- log in with your new Google account
- install Ingress
- before opening it, click on the “GPS” button on the right edge of the window and set your position (you can use the map or insert the coordinates manually)
- start Ingress
- Have fun!
I started my experiment in Amsterdam and reached level 5 in just 2 days. I created 100 fields and no one banned or suspended or reported my fake account.
If you are careful and don’t jump too far and too fast, you can do whatever you want.
I was about to create a megafield over France, but I decided to stop and that it was time to publish this.
I think that Ingress is a real revolution, a brand new, brilliant idea that linked the real world to the virtual one.
Ingress started new kinds of social phenomena, making nerds leave their houses and go into the streets, talking to each other and collaborating for the team.
Ingress created a lot of new relationships and real friendships, even between “enemies”.
What I like most about this game is that it forces you to meet people to really enjoy it.
This is great.
But then come the bad aspects...
I really love computer science, and I know well that this kind of software requires trusting the clients.
There is no escape: it’s the player who communicates his own location, and the server can only trust him or not.
But there is much that the server can do to understand if it can trust the user position or not.
It is something that every programmer can do, and certainly Google has the resources to do it.
You could prevent the creation of second accounts by verifying new users and devices with an SMS. This simple precaution could have prevented me from cheating and publishing this post.
You could check the accelerometer and the compass to see whether they are static or moving.
You could check the IP of the client and restrict his playground, if not to his own city, then at least to his region or country.
You could check if the GSM cell matches the provided GPS position.
You could check if the Wi-Fi networks match the provided position.
You could try to associate the user’s speed with his means of transport.
You could check if the user is moving in a straight line, through walls and buildings, or following the shape of the streets.
These are just some suggestions that came to my mind in a few minutes. They won’t make it impossible to fake the location, but they would surely make it more difficult.
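The speed, IP-region and motion-sensor checks suggested above, sketched as server-side logic. This is an added example, not code from Niantic or from the original post; the `Report` fields, the thresholds and the sample reports are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000
MAX_SPEED_MS = 90.0        # assumed ceiling, roughly a high-speed train
MIN_MOVING_MS = 1.0        # assumed: above this the player counts as moving
STATIC_ACCEL_VAR = 0.001   # assumed: accelerometer variance of a device at rest

@dataclass
class Report:              # hypothetical shape of one client location report
    ts: float              # seconds since epoch
    lat: float
    lon: float
    accel_var: float       # accelerometer variance since the previous report
    ip_country: str        # country from IP geolocation
    gps_country: str       # country containing the reported coordinates

def haversine_m(a, b):     # great-circle distance in metres
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlmb = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def flag_reports(reports):
    """Return (index, reasons) for every report that looks implausible."""
    flagged = []
    for i, cur in enumerate(reports):
        reasons = []
        if cur.ip_country != cur.gps_country:
            reasons.append("ip_country_mismatch")
        if i > 0:
            prev = reports[i - 1]
            dt = cur.ts - prev.ts
            # Replayed or out-of-order timestamps count as infinite speed.
            speed = haversine_m(prev, cur) / dt if dt > 0 else math.inf
            if speed > MAX_SPEED_MS:
                reasons.append("impossible_speed")
            elif speed > MIN_MOVING_MS and cur.accel_var < STATIC_ACCEL_VAR:
                reasons.append("moving_with_static_sensors")
        if reasons:
            flagged.append((i, reasons))
    return flagged

SAMPLE = [  # constructed reports, one per minute
    Report(0, 52.3730, 4.8924, 0.40, "NL", "NL"),
    Report(60, 52.3735, 4.8930, 0.35, "NL", "NL"),   # walking pace, sensors active
    Report(120, 52.3800, 4.9000, 0.0, "NL", "NL"),   # ~865 m in 60 s, sensors flat
    Report(180, 48.8566, 2.3522, 0.0, "NL", "FR"),   # Amsterdam to Paris in 60 s
]
```

Signals like these are better used to score an account for review than to block on a single hit, since real devices produce GPS jitter and VPN users produce IP mismatches.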
One thing that surely doesn’t prevent cheating is security through obscurity.
I can’t believe that in 2014 someone still believes that this bad practice can really help to make a system more secure.
Open the source of the game, publish it with a Free Software license. Build a public API to access game data, through well controlled API keys.
The game will be better, like IITC is really really better than the standard INTEL.
The purpose of this post is to ask you, Niantic, to do more against cheaters. Everyone knows that something more can be done and everyone knows that Google has the power to do it.
So, please, do it.