How to cheat on Ingress (or: sorry Niantic, i cheated)

genymotion

Sorry Niantic, i cheated.

Spoofing location in Ingress is really really easy.
Since i started to play this game, i always played cleanly, but recently  i started to see many episodes of GPS spoofing around me.

It is extremely bad when a player drives for kilometers and kilometers for a field just to see it destroyed by a cheater after few minutes.

So i decided to start an experiment to discover how easy is to cheat and to test the protection mechanisms implemented by your servers.
I discovered that one can cheat very easily and without any needs of technical knowledge.

So let’s see how to cheat in Ingress:

Unfortunately this method works only on Microsoft Windows, because of a issue in OpenGL (i think). If you can make this work under a free operating system, please let me know.

  • visit gmail.com and create a new, fake, free, Google account
  • visit www.genymotion.com and create a new account
  • download Genymotion and install it
  • open Genymotion and click “Add”
  • login with your new account
  • install a new virtual machine (WXGA 10.1 Tablet – 4.1.1 – API 16 – 1280×800)
  • follow this guide to install GApps on the virtual machine: http://forum.xda-developers.com/showthread.php?t=2528952
    You simply need to download two zip files and drag them over the running virtual machine, rebooting after every installation.
  • reboot your virtual tablet and open Play Store
  • log in with you new google account
  • install Ingress
  • before opening it, click on the “GPS” button on the right edge of the window and set your position (you can use the map or insert the coordinates manually)
  • start Ingress
  • Have fun!

I started my experiment in Amsterdam and reached level 5 in just 2 days. I created 100 fields and no one banned or suspended or reported my fake account.

If you are careful and don’t jump too far and too fast, you can do whatever you want.

I was to create a megafield over the France, but i decided to stop that and decided that it was time to publish this.

I think that Ingress is a real revolution, a brand new, brilliant idea that linked the real world to the virtual one.
Ingress started new kinds of social phenomena, making nerds leaving the houses and goes in the streets, talking each others and collaborating for the team.
Ingress created a lot of new relationship and real friendships, even between “enemies”.
What i like most of this game is that it forces you to meet to really enjoy.
This is great.

But then comes the bad aspects..

I really love computer science, and i know well that this kind of software require to trust the clients.
There is no escape: it’s the player that communicates it’s own location, the server can only trust him or not.
But there is much that the server can do to understand if it can trust the user position or not.
It is something that every programmer can do, and certainly Google has the resources to make it.

You could prevent the creation of second accounts by verifying new users and devices with an SMS. This simple shrewdness could have prevented me from cheating and publishing this post.
You could check the accelerometer and the compass to see if them are static or they are moving.
You could check the IP of the client and restrict his playground not in his own city, but at least his region or country.
You could check if the GSM cell matches the provided GPS position.
You could check if the WIFI networks matches the provided position.
You could try to associate user’s speed with his transport.
You could check if the user is moving in a line, through walls and buildings or he is following the shape of the streets.

These are just some suggestions that came to my mind in a few minutes. They won’t make impossible to still fake the location, but surely it would be more difficult.

One thing that surely don’t prevent cheating, is security through obscurity.
I can’t believe that in 2014 someone still believes that this bad practice can really help to make a system more secure.

Open the source of the game, publish it with a Free Software license. Build a public API to access game data, trough well controlled API keys.
The game will be better, like IITC is really really better than the standard INTEL.

The purpose of this post is to ask you, Niantic, to do more against cheaters. Every one knows that something more can be done and every one knows that Google has the power to do it.
So, please, do it.

You may also like...

32 Responses

  1. Nick scrive:

    Are you sure that this method works? i followed it step by step, but it simply won’t launch! The screen turns black for a few seconds and then it goes back to the main screen.
    Any suggestions?

  2. tapion scrive:

    Yes, it works. The primary purpose of this post is not to teach how to cheat, but to ask Niantic to do something.
    For this reason i won’t help you.

  3. Nick scrive:

    I’m playing since jan 2013* and i use genymotion from few months to use whatsapp, i’m only saying that this method doesn’t work, there is no need to become upset from a report ;)

    *i don’t need to cheat simply because i have a well stuffed inventory and in my cell we don’t need “help”

  4. tapion scrive:

    I don’t know if it works for whatsapp, i know that it worked for me.
    I’m really not upset at all :)
    Did you followed the instructions properly?

  5. Nick scrive:

    yes, i think

    launched the vanilla virtual device

    downloaded arm and gapps pack and installed them in the given order, every installation was followed by a reboot of the VD

    added an account to google accounts

    downloaded ingress from playstore

    activated gps (i didn’t even modify the default location)

    tried to launch

    When I lauch the app the screen goes black (as if the system actually is loading somethin) and the gps in the status bar appears, after a few seconds i return to the previous screen. the odd thing is that from the task manager ingress seems running
    http://i.imgur.com/LsJj1sN.png

    here’s the screen of the black screen before the return to the main screen
    http://i.imgur.com/Z62A7ZR.png

    i even tried with broot, but the problems remains the same

  6. tapion scrive:

    Are you using windows 7?

  7. Nick scrive:

    Nope, i’m using windows vista32 sp2 with all the most important updates

  8. tapion scrive:

    I used Windows 7, this is the only difference i can imagine…
    Ingress version? Have you selected that particular tablet?

  9. Nick scrive:

    from play store i see 1.43.1, the tablet is the wxga 10.1 tablet – 4.1.1 – api 16

    maybe is truly the operating system. If you want i can keep you updated if any progress will be made

    thanks, however; let’s hope nia will listen to you :)

  10. tapion scrive:

    Thanks :)

  11. Bob scrive:

    Hi, I tried this method (only for experimental purpose!) on WinXP and it works. But after 2 hours of “playing” Ingress version 1.44 (on the one place on the map, no hundred km moves) I received an email from Niantic that I broke the rules and account is terminated. Maybe Niantic is able to recognize an emulated Android – and so it should be.

  12. me scrive:

    Some of your suggestions simply wont work.
    I, for example, play often on my nexus7 wifi only. Where to get my GSM? My imei? You see?
    GPS sometimes does strange things. When in screen off mode, then moving behind a building and turning back on i sometimes get draged through the building. You see?
    Heck, i hate cheating like everyone (normal thinking) else but there must be some better methods and a little leeway… When in doubt…

  13. Luca scrive:

    Gioco ad ingress da quasi 1 anno! Il bello del gioco non è tirare link o sparare bombe! Il bello del gioco è incontrare i player! conoscerli, parlare, scherzare, uscire, creare rapporti! Giocare in fake GPS è scorretto nei confronti di chi gioca correttamente, ed è inutile! :) cazzo giocate a GTA o a PES!

    Game to ingress by almost 1 years! The beauty of the game is to throw bombs or shoot link! The beauty of the game is to meet with the player! know them, talk, laugh, go out, build relationships! Playing in fake GPS is unfair to those who play correctly, and it is useless! :) FK play GTA or PES!

    Every one knows that something more can be done and every one knows that Google has the power to do it.
    So, please, do it!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

  14. SmokeBams scrive:

    I guess you woke some people up at Niantic. At least regarding this very solution. An account made this way and played carefully survived about 6 hours. ;-)
    Normal GPS spoofing still works fine thou -.-

  15. tapion scrive:

    Good! Thank you for the feedbacks!

  16. honog scrive:

    It works on Linux machine

  17. redanaccforp scrive:

    I accidentally found a completely different method for location spoofing. Without emulation, even without rooting or doing anything “special” with your device/android. I won’t publish how to do this and I hope you understand why … It’s a shame it works, but I personally have no idea how this can possibly be prevented, an I think there will always be a method …

  18. SmokeBams scrive:

    I stand corrected to what I have said before. Niantic is actually NOT able to detect this method of cheating :-(
    The reason they detected my test account in the first place was probably because of the Device ID or Model Name of the device. Both are settings which you can change in the paid version of Genymotion.
    Another test account made with the unfree version is now live for 4 days (played much more agressively than the first one) :-(

  19. tapion scrive:

    This is so bad… I guess that if Nia would open source this game, this problem would be fixed in a month!

  20. GreenToad scrive:

    You could prevent the creation of second accounts by verifying new users and devices with an SMS. This simple shrewdness could have prevented me from cheating and publishing this post.
    - they started implementing it in v1.45

    You could check the accelerometer and the compass to see if them are static or they are moving.
    – compass and accelerometers can be faked easier then gps

    You could check the IP of the client and restrict his playground not in his own city, but at least his region or country.
    - this would kill VPN users

    You could check if the GSM cell matches the provided GPS position.
    - you can tether tablet with ingress to phone so this doesn’t help.

    You could check if the WIFI networks matches the provided position.
    - you can have wifi disabled and if its required – this is also client side info so can be faked

    You could try to associate user’s speed with his transport.
    - ingress doesn’t report your location to servers constantly, your location is reported only when you interact with anything – hack a portal, deploy resonator, pickup key, fire xmp etc. Speed limits are enforced based on that – if your previous action location and time and current action location and time give speed above 60kmph (about) then current action is denied.
    This would require a client to report location constantly so a lot more bandwidth and server power.

    You could check if the user is moving in a line, through walls and buildings or he is following the shape of the streets.
    - same as above

  21. UXGuy scrive:

    SMS Verification will only go so far. Virtual #’s are accepted like Skype, Google Voice, etc. As well as voice verification which would work on a payphone if you can find one. It will be very difficult to close off all avenues for one to cheat.

    While the accelerometer / compass data can be faked, they could potentially go a long way to prevent a casual cheater from being successful. Changes in compass should accompany a movement pattern detectable by the accelerometer. Getting an emulator to do this would be cumbersome, but what does the app do if the user closes and restarts it in a new location.

  22. Soul Man scrive:

    I tried this and managed two days play (got to Level 6) but then received notification my account was banned. How do you think they detected it? I didn’t make any crazy fields and played exactly how I might in real life. @SmokeBams, what did you do differently with the paid Genymotion software?

  23. thatguy scrive:

    I just wanted to see if this works just to see. Got everyrthing loaded as per the instructions 100% Google play works downloaded ingress set my gps location to down the street (no portals just wanted to test the gps) and Ingress won’t load. I am running on Windows 7 x64 everything else works perfectly just not Ingress. Any ideas?

  24. Heart Man scrive:

    @Soul Man I have modified build.prop and even ingress APK to ensure no fingerprints about vbox86 & any genymotion, however my account could still be banned.

  25. Nami scrive:

    Still working?

  26. Franco scrive:

    Ingress doesn’t work on Genymotion anymore.

  27. anon scrive:

    There are so many ways to spoof in ingress. There are web sites that build side loaded versions that have spoofing and botting incorporated.

    Using a root app is really available too.

    First, I would say disable Wi-Fi or hard connections. If it isn’t using cell data, it’s a no go. The accelerometer is a good idea, combined with elevation.

    They have many ways they could fix the side loaded versions. Do better about verifying the md5 hash with the app, and other certifications in the app.

    The reality is this:

    Niantic doesn’t care about the cheating. This isn’t the end product. This is the demo. They are using this to show other companies that it’s possible and can then sell the engine to them to make their own games.

    If you really want to change it, affect their bottom line. They want to sell this, but the other companies that may try and use this as an engine to create their own games, will need to see the cheating. Then it will become priority #1 when they can’t sell it.

  28. Sirp scrive:

    Is it working right now or not?

  29. Diego scrive:

    Its working, but when you want to start ingress. “unfortunately ingress has stopped” any ideas?

  30. Megathron scrive:

    @tapion same problem
    Is there a way to fix the error with? ” unfortunately ingress has stopped”

  31. Band scrive:

    It works: if you have some troubles using it it’s only because you are using a non-working Android version (I wasn’t able to run it on Android Kit Kat).

    I tested and Niantic is now detecting this cheat: in less than 30 minutes my testing account was suspended, and I only hacked some portales in the same location and deploy some resonators on a neutral portal.

    Good work in this case for Niantic :-)

  32. Felix scrive:

    I tested it. Just to see, how spoofing works. It worked for two days. Now (with level3) and very carefuly playing in an far away town I received the mail from NIA. Good work, NIA!
    With my real Account I walked more than 1.500 km. And I detected more and more spoofers in my town. I hate this! These people dont understand the gameplay. So Im glad to see that NIA is learning on this topic. :-)

Lascia un Commento

L'indirizzo email non verrà pubblicato. I campi obbligatori sono contrassegnati *

È possibile utilizzare questi tag ed attributi XHTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>