99% of the custom roms, are rooted, which means , no POGO, if the SU binary is present, No Pogo... Pokemon go uses SafetyNet, well, niantic does.. so Ingress also uses SafetyNet, So.. quoting someone:
SafetyNet is the tool Niantic is using to prevent the use of root from android users. This is a Google Service provided with GooglePlayServices, is used in critical app to avoid alteration of data as an example AndroidPay, and it follows most of the guidelines to provide a safe "device authentication"; its main scope is to tell if a device is in a compatible state or in other words if there are no major alterations to the system. This is more or less the workflow:
an apk register to GooglePlayServices obtaining an object that identify the apk in an unique way;
- the apk request a SafetyNet check on the device and provide a nonce (a unique number);
- GooglePlayServices make a request to Google Servers. This request is certificate pinned;
- a SafetyNet client is downloaded to the device, up to now this client is a Java executable that uses reflection. This client is often updated, so it's a cat mouse race scenario;
- the client performs some checks of the device and collect some data, then sends those data to Google Servers;
- the client overall read what application made the request, ask to GooglePlayServices what is the application and request also some checksum about the APK, also those data are sent to Google Servers;
- Google Servers analyze those data (we don't know what checks they do, but we can imagine from the nature of data collected on our device) and produce a compatibility check flag [true/false];
- Google Servers create a resulting string called JWS aka JSON web signature [I will call the result of SafetyNet JWS], this string is composed by:
- the nonce provided by the APK
- a timestamp
- the name of the apk
- the signature of the certificate of the apk
- the hash of the apk
- the flag, a simple true or false that will tell if the device is compatible.
- the SafetyNet client get the response and pass it to the calling apk;
- the apk check locally or even better on a remote server (Niantic check on their servers) if the device is compatible, reading the response and sending a request to Google servers of the authenticity of the response;
- if Google servers receive a request of authenticity but they don't recognize the nonce and every other data in the JWS, they won't authenticate the JWS.
This is more or less the workflow, as you can see an attacker has a limited window for performing attacks. One of the most important thing is that SafetyNet Client run with user privileges.