
Information Risk Management Blog

Pokémon GO - Security lessons you just cannot afford to miss!

Jul 15, 2016 5:41:46 AM / by Anupam Bonanthaya

This week in technology has been disruptive, to say the least!

Pokémon GO, a location-based augmented reality mobile game has broken all previous records.

The app has become so popular that it is now a social media phenomenon.

So much so that it has, for once, changed and united the world. Now we all have a reason to believe that this game can solve all our problems!

Not the gaming kind? It is still worth paying attention, because it affects all of us. Read on to find out how.

[Image: pokemon-go.jpg (image credit: theverge.com)]

Pokémon GO was developed by Niantic and published by The Pokémon Company as part of the Pokémon franchise.

If I had to explain the app in a few sentences: augmented reality (AR) is, as the name suggests, a marriage of the real and virtual worlds. In this game, as players travel the real world, their avatar moves along the game's map. When a player encounters a Pokémon, they can view it in AR mode, which uses the camera and gyroscope on the player's mobile device to display the Pokémon as though it were in the real world. The rest is standard gaming features.

The big deal, and hence the addictive part of the game, is that you are hunting for these Pokémon characters in your own neighbourhood using your phone!

You can't beat that in either real or virtual life. 

 

Some statistics that show why this game is changing the world:

Within 24 hours of its release, it topped the American App Store's "Top Grossing" and "Free" charts.

It became the fastest game ever to top the App Store and Google Play, beating Clash Royale.

Within two days of release, it was installed on more than 5% of Android devices in the United States.

As of 13th July, it had an estimated 15 million downloads.

The number of daily active users in the US surpassed that of Snapchat and Tinder and was approaching that of Twitter.

It is the most active mobile game ever in the United States, with 21 million active users, eclipsing Candy Crush Saga's peak of 20 million.

It is available for download only in a few select countries because Niantic's servers cannot handle the demand and are crashing constantly.

There have been reports of all kinds of benefits: improved mental and physical health, help for people suffering from depression and social anxiety, a strong push to go out and become more active, more motivation to exercise and better moods, more visitors to public places, and in some cases even weight loss.

It looks like this is the only mobile game that parents will encourage, and even force, their kids to play all the time.

Nintendo owns part of The Pokémon Company. As of 14th July, Nintendo's shares were up 50%, even though it holds only a 33% stake in the Pokémon franchise.

It has become so popular that many police departments have issued warnings regarding inattentive driving, trespassing, and being targeted by criminals due to being unaware of one's surroundings. The Holocaust Museum in Washington, D.C. has declared itself a Pokémon-free zone.

Pokémon GO got all the ingredients right when it comes to going viral. Where it screwed up big time is security.

There are three lessons we can learn as an organization:

1. Do not mess around with users' privacy and security

Everyone freaked out when news got out that the app had been granted "full access" to users' Google accounts, which appeared to mean the app could see everything: Gmail mailboxes, Google Drive, Google Docs and so on.

Niantic later clarified that it did not need that level of access and had never used it, and it subsequently reduced the permissions the app requests. But the damage was done.

The problem is less about Niantic as a company having access to your personal data and more about the what-if scenario of attackers compromising the app, or the access tokens it holds, and inheriting every permission the app was granted. This is the principle of least privilege applied to third-party access: request only the scopes the feature needs, and verify what was actually granted. Given that Niantic's developers overlooked a basic checkpoint like the Google account privileges they requested, there was reason to worry that other security checks had not received full attention either.

Keep in mind that this is an augmented reality app that also has access to your location services and camera.

Any party with a spying intent (malicious or not) could have a field day!

 

2. Do not blindly trust your partners when it comes to security

For Niantic and Nintendo the attention was mostly positive, but for Google it was only negative publicity.

Despite benefiting indirectly, since Niantic is a Google spin-off and the app uses Google Maps, Google was in the spotlight for all the wrong reasons.

It turned out that Niantic's developers were using an outdated API for requesting access, but it was Google, the much larger and more security-conscious company, that took the flak for displaying the limited permissions actually granted as "full access".

Maybe there was never really "full access", but we cannot deny that this incident raised doubts in people's minds about the security of their own Google accounts.

How many other apps might have similar access to my account? If Pokémon GO could get through, so could some less-popular piece of malicious spyware, right under the nose of Google's security. The practical takeaway for any user is to periodically review the third-party apps connected to their Google account and revoke the ones they do not recognise or no longer use.
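Lessons 1 and 2 both come down to one check: do the scopes a token actually carries match the scopes the feature actually needs? The script below is an added example, not Niantic's or Google's code. It assumes a JSON body shaped like the response of Google's OAuth 2.0 tokeninfo endpoint (a space-separated `scope` field), and the identity-only allowlist and content-scope denylist are illustrative assumptions for a "Sign in with Google" feature, not Google's own definition of "full access". The two sample responses are constructed.

```python
import json
from dataclasses import dataclass

# Scopes an app that only needs "Sign in with Google" should request: identity, nothing more.
# This allowlist is an assumption for the example, not Niantic's actual configuration.
IDENTITY_SCOPES = frozenset({
    "openid",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
})

# Scope prefixes that reach into user content (mail, files, contacts, calendar).
# Illustrative denylist; Google's scope catalogue is larger than this.
CONTENT_SCOPE_PREFIXES = (
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/documents",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/calendar",
)


@dataclass(frozen=True)
class ScopeAudit:
    granted: frozenset   # every scope the token carries
    missing: frozenset   # required scopes the token lacks (sign-in would break)
    excess: frozenset    # scopes granted beyond what the feature needs
    content: frozenset   # the subset of excess scopes that can read user content

    @property
    def least_privilege(self) -> bool:
        return not self.missing and not self.excess


def parse_scopes(tokeninfo_body: str) -> frozenset:
    """Extract the space-separated 'scope' field from a tokeninfo-style JSON body."""
    data = json.loads(tokeninfo_body)
    return frozenset(data.get("scope", "").split())


def audit_scopes(granted: frozenset, required: frozenset = IDENTITY_SCOPES) -> ScopeAudit:
    """Compare the scopes actually granted with the scopes the feature requires."""
    excess = granted - required
    content = frozenset(s for s in excess if s.startswith(CONTENT_SCOPE_PREFIXES))
    return ScopeAudit(granted=granted, missing=required - granted,
                      excess=excess, content=content)


def audit_tokeninfo(tokeninfo_body: str) -> ScopeAudit:
    return audit_scopes(parse_scopes(tokeninfo_body))


# Constructed sample responses (made-up client id, no real tokens or real Niantic data).
OVERBROAD_TOKENINFO = json.dumps({
    "azp": "123456789.apps.googleusercontent.com",
    "aud": "123456789.apps.googleusercontent.com",
    "scope": "openid https://www.googleapis.com/auth/userinfo.email "
             "https://www.googleapis.com/auth/userinfo.profile "
             "https://www.googleapis.com/auth/drive https://mail.google.com/",
    "expires_in": "3599",
})

MINIMAL_TOKENINFO = json.dumps({
    "azp": "123456789.apps.googleusercontent.com",
    "aud": "123456789.apps.googleusercontent.com",
    "scope": "openid https://www.googleapis.com/auth/userinfo.email "
             "https://www.googleapis.com/auth/userinfo.profile",
    "expires_in": "3599",
})


if __name__ == "__main__":
    for label, body in (("over-broad", OVERBROAD_TOKENINFO), ("minimal", MINIMAL_TOKENINFO)):
        report = audit_tokeninfo(body)
        print(f"{label}: least privilege = {report.least_privilege}")
        for scope in sorted(report.content):
            print(f"  content-reading scope that sign-in does not need: {scope}")
```

The same comparison belongs in a release checklist on the development side (the scopes in the sign-in request versus the ones listed here) and in a consent-screen review on the user side: if the list of permissions shown at sign-in is longer than the feature justifies, something is wrong before any token is issued.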

 

3. Do not ignore the fact that breaches can happen in your corporate network through innocent mobile apps

With BYOD, the lines between office and personal use have blurred.

There were reports of a malware version of Pokémon GO for Android devices. This version reportedly bundles a remote access tool called DroidJack, which can give an attacker full control over a victim's phone. Nothing to do with Google this time: Android phones can "sideload" APK files downloaded from sources outside Google's Play Store, so the trojanised build never had to pass through the Play Store at all. (Source: Fortune, 10th July 2016)

Given that the app was not available for download in many countries, and the game was too irresistible to wait for, there is every reason to believe that many people fell for the malware version. On a managed or BYOD device, the controls that matter are whether installation from unknown sources is allowed at all and whether you can tell which installed apps did not come from a trusted store.
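One way to surface sideloaded apps on an Android device you administer is to parse the output of `adb shell pm list packages -i`, which prints each package with the store or installer that put it there (`installer=null` for packages with no recorded installer). The script below is an added example, not part of the original post and not Niantic's or Google's code. It assumes that line format, treats the Play Store package `com.android.vending` as trusted, and uses a made-up MDM agent name `com.corp.mdm` as a second trusted installer; the sample output is constructed, and every package name in it apart from the genuine `com.nianticlabs.pokemongo` is invented.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Installers a managed device should trust. The Play Store is "com.android.vending";
# "com.corp.mdm" stands in for an enterprise MDM agent and is an assumption for this example.
TRUSTED_INSTALLERS = frozenset({"com.android.vending", "com.corp.mdm"})

# Genuine package name of Pokémon GO on Android.
OFFICIAL_PACKAGE = "com.nianticlabs.pokemongo"

# One line per package, as printed by `adb shell pm list packages -i`:
#   package:<name>  installer=<installer package or null>
PM_LINE = re.compile(r"^package:(?P<name>\S+)\s+installer=(?P<installer>\S+)\s*$")


@dataclass(frozen=True)
class InstalledPackage:
    name: str
    installer: str | None   # None when pm reports "installer=null" (sideloaded or unknown)


def parse_pm_list(output: str) -> list[InstalledPackage]:
    """Parse `pm list packages -i` output; lines that do not match the format are ignored."""
    packages = []
    for line in output.splitlines():
        m = PM_LINE.match(line.strip())
        if not m:
            continue
        installer = m.group("installer")
        packages.append(InstalledPackage(m.group("name"),
                                         None if installer == "null" else installer))
    return packages


def find_sideloaded(packages, trusted=TRUSTED_INSTALLERS) -> list[str]:
    """Packages whose installer is missing or is not on the trusted list."""
    return [p.name for p in packages if p.installer not in trusted]


def find_lookalikes(packages, official=OFFICIAL_PACKAGE, keyword="pokemon") -> list[str]:
    """Packages that carry the brand in their name but are not the genuine package.
    This is a heuristic: it catches obvious fakes, not every trojanised repackaging."""
    return [p.name for p in packages if keyword in p.name.lower() and p.name != official]


def audit_device(output: str) -> dict[str, list[str]]:
    packages = parse_pm_list(output)
    sideloaded = find_sideloaded(packages)
    lookalikes = find_lookalikes(packages)
    return {
        "sideloaded": sideloaded,
        "lookalikes": lookalikes,
        # Worst case: a brand lookalike that did not come from a trusted store.
        "high_risk": sorted(set(sideloaded) & set(lookalikes)),
    }


# Constructed sample output; only com.nianticlabs.pokemongo is a real package name.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.nianticlabs.pokemongo  installer=com.android.vending
package:com.pokemon.go.free.unlocked  installer=null
package:com.example.flashlight  installer=com.google.android.packageinstaller
package:com.example.corpmail  installer=com.corp.mdm
"""

if __name__ == "__main__":
    for category, names in audit_device(SAMPLE_PM_OUTPUT).items():
        print(f"{category}: {names}")
```

The installer field is a record kept by the package manager, not a cryptographic guarantee, so treat a hit as a reason to pull the APK and compare its signing certificate against the publisher's, not as proof of compromise on its own.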

There are also other concerns, such as Niantic's privacy policy, which is apparently a 20-page document that no one dares to read and which describes how the company may share users' information with third parties who "may not have agreed to abide by the terms of this Privacy Policy." (Source: Politifact.com, 14th July 2016)

There are also conspiracy theories about the background of John Hanke, the founder of Niantic, and how he might be helping certain state agencies with spying. (Source: Politifact.com, 14th July 2016)

Incidentally, John Hanke was the creator of Google Earth and Google Maps, having founded the start-up Keyhole, which Google acquired in 2004.

Bottom line: if you are the CISO of an organization, you have reason to worry, whether or not you like Pokémon GO, and even if you have nothing to do with it.

 

Conclusion

It is a dream come true to have a product that goes viral overnight!

But for consumers, security is a big concern. Whether your product is already viral or yet to become viral, you need to pay attention to security from many perspectives: the app/product development side, the IT side, the partner/vendor side, and the overall company/brand perspective.

Security is no longer just about "securing"; it is about "enabling" the business. Therefore you need to be proactive about security, well before "the shit hits the fan", as the saying goes.

 

 


At Aujas, we can help manage your product/application security with our many services and platform offerings, such as Application Security Program Management, Application Security Advisory, Advanced Security Testing Services, Security Architecture Design, API Management Platform Consulting, Software & API Control Implementation, Identity Management of Businesses, People & Things, Security Validation & Remediation, and more.

Talk to us to find out how we can help enable your digital business.

Topics: Application security, Security, Digital Security, Pokemon Go


Written by Anupam Bonanthaya

Chief Marketing Officer @Aujas, passionate about information risk and security. Working with customers globally to help them secure their most valuable asset: information.
