Gotta Hack ’em All: Pokemon Go, Security, and Privacy Awareness

July 29th, 2016 / smarter identity, security and compliance

Pokemon Go made a big splash for many reasons when it was first released in early July. Its maker, Niantic, built a mobile app on the legacy of a franchise that has existed in various forms since the 1990s, which means it can effectively pull at the nostalgia heartstrings of Gen Xers and Gen Yers, who are equipped with the latest smartphones, generous data plans, and enough discretionary income not to be put off by microtransactions in an otherwise free app. It also incorporates augmented reality features that make it hard to say “no” to the inner child that always secretly wanted to catch a Pikachu in real life, and that appeal to anyone who loves trying out new technologies (even though the technology itself is fairly dated at this point).

The biggest reason it made headlines shortly after release, though, was a flaw in its use of Google authentication: the sign-in flow requested full access to the end user’s Google account rather than the basic profile information a login needs. This created a firestorm of security and privacy concerns that the media happily jumped on and, ironically, most likely helped fuel the app’s exponential growth by providing significant, and free, PR.

This flaw really highlighted the current “state of the union” when it comes to the security and privacy mindset of the average mobile end user. All online data is at risk, and by this point most end users know it. The last two years have hammered that point home, with named vulnerabilities like Heartbleed, private sector breaches like Sony’s, and public sector breaches like OPM’s making headlines for months after the fact.

Despite the potential security and privacy impact of this bug, there was no mass exodus of Pokemon Go players; if there was one, it was inconsequential compared with the number of players who started using the app after the bug was published. At first glance you might think this paints a dire picture of how far we have to go in improving the security and privacy awareness of the general public, but it actually paints a slightly better one, and in a way demonstrates that the average end user inherently understands the basic infosec risk management process.

The first couple of steps in risk management are identifying and assessing the risks that need addressing. In this case, several researchers reported the issue with the app, and it was widely published in the app’s early days, just as its popularity was taking off. In other words, most end users were given clear guidance, in a timely fashion, on what the issue was and how it affected them.

In this case, it was possible for the app publisher, or a successful attacker targeting the publisher, to have full access to your Google account data: email, photos, documents, and so on. The practical check for any app that signs you in with Google is the same: review what the app has been granted under your account’s connected apps and revoke anything broader than basic profile information. Based on discussions with several people outside the infosec field, the message was loud and clear and there was no confusion about the issue from a technical or impact perspective; the media had done its job in exemplary fashion.
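The least-privilege check described above can be automated: compare the scopes actually granted to an app with the identity-only scopes a “sign in with Google” login needs, and flag anything that reaches into account data. The block below is an added example written for this edit, not code from the original post or from Niantic. The tokeninfo-style response it parses is constructed inline to mimic the shape of Google’s OAuth 2.0 tokeninfo reply (a JSON object whose `scope` field is space-separated); nothing is fetched, the list of data scopes is an illustrative subset, and the mapping of findings onto avoid/reduce/accept is this example’s own convention.

```python
import json

# Scopes a plain "sign in with Google" needs: who the user is, nothing more.
SIGN_IN_SCOPES = frozenset({
    "openid",
    "email",
    "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
})

# Scopes that hand an app access to account *data*. Illustrative subset; the
# full catalogue is at https://developers.google.com/identity/protocols/oauth2/scopes
DATA_SCOPES = {
    "https://mail.google.com/": "full Gmail read/write/delete",
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "https://www.googleapis.com/auth/drive": "read/write all Drive files",
    "https://www.googleapis.com/auth/drive.readonly": "read all Drive files",
    "https://www.googleapis.com/auth/contacts.readonly": "read contacts",
    "https://www.googleapis.com/auth/photoslibrary.readonly": "read photos",
}

# CONSTRUCTED sample modelled on the tokeninfo response shape; not real data.
SAMPLE_TOKENINFO = json.dumps({
    "aud": "123456789012-example.apps.googleusercontent.com",
    "email": "trainer@example.com",
    "expires_in": "3599",
    "scope": "openid email profile https://mail.google.com/ "
             "https://www.googleapis.com/auth/drive",
})


def parse_tokeninfo(body: str) -> dict:
    """Parse a tokeninfo-style JSON body into the client id, user and scope set."""
    info = json.loads(body)
    return {
        "aud": info.get("aud"),
        "email": info.get("email"),
        "scopes": set(info.get("scope", "").split()),
    }


def audit_scopes(granted: set, needed: frozenset = SIGN_IN_SCOPES) -> dict:
    """Compare granted scopes with the least-privilege set and classify any excess."""
    excess = granted - needed
    data_access = {s: DATA_SCOPES[s] for s in excess if s in DATA_SCOPES}
    unknown = excess - DATA_SCOPES.keys()
    return {
        "least_privilege": not excess,
        "excess": sorted(excess),
        "data_access": data_access,      # excess scopes we know expose data
        "unknown": sorted(unknown),      # excess scopes not in our catalogue
    }


def recommend(finding: dict) -> str:
    """Map an audit finding onto the risk-treatment options from the post.

    This mapping is the example's own convention (an assumption), not a Google
    rule: identity-only grants are accepted, grants reaching account data are
    avoided (revoke the grant from the account's connected-apps page), and
    unrecognised extra scopes are reduced (revoke, then re-consent only after
    checking each scope against the catalogue).
    """
    if finding["least_privilege"]:
        return "accept"
    if finding["data_access"]:
        return "avoid"
    return "reduce"


if __name__ == "__main__":
    token = parse_tokeninfo(SAMPLE_TOKENINFO)
    finding = audit_scopes(token["scopes"])
    print(f"client {token['aud']} for {token['email']}")
    for scope, meaning in finding["data_access"].items():
        print(f"  excess data scope: {scope} ({meaning})")
    print("treatment:", recommend(finding))
```

Run against a real response, the same audit would tell you whether a grant that shows up as “full account access” is identity-only or not; the constructed sample above reports two data scopes (Gmail and Drive) and recommends revoking the grant.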

The next set of steps in risk management deal with treating the risk. You can do this by avoiding the risk, reducing the risk, sharing the risk, or accepting the risk. In this case, you had people removing the app immediately (avoiding the risk), switching to a “throwaway” email account (reducing the risk), or doing nothing (accepting the risk). In a non-scientific survey of Pokemon Go users, it seemed evenly split between those removing the app and those doing nothing, with a small percentage opting to start over on a throwaway email account. It’s hard to argue against any of these approaches, even after, or especially after, the patch that fixed the issue was released a few days later.

Those who removed the app can point to the broken trust between Niantic and end users; after all, you could argue that a company with Google roots should know how app permissions work. (One caveat: deleting the app does not by itself revoke the authorization already granted; that has to be done from the Google account’s connected-apps permissions page.) Those who did nothing can point to the fact that there were no (known) data breaches due to the lapse in application restrictions prior to the patch. And finally, those who started over, well, no one can fault someone for taking a conservative approach to their security and privacy without missing out on the Pokemon Go hysteria.

What does it all mean in the end? This Pokemon Go incident served as a litmus test of where the average person, admittedly most likely a Gen Xer or Yer, stands in terms of security and privacy awareness. People grasp, subconsciously, the basic concepts of threat, impact, and likelihood that make up risk as well as any Data Privacy Officer or infosec professional does. Their appetite for risk, though, is probably a little more flexible, especially when handed the reins to an augmented reality world their inner child dreamed of, and maybe, just maybe, the chance to catch them all.

About the Author

Alvaro Hoyos is OneLogin’s Chief Information Security Officer and is tasked with architecting and leading the company’s risk management, security, and compliance efforts. Alvaro also works with prospects, customers, and vendors to help them understand OneLogin’s Security, Confidentiality, Availability, and Privacy posture and how it works alongside, or in support of, customers’ own risk management strategies. He has worked over 15 years in the IT sector and, prior to joining OneLogin, spent 8 years helping startups, SMBs, and Fortune 500 companies with their security, compliance, and data privacy efforts.