Gotta Hack em’ All: Pokemon Go, Security, and Privacy Awareness
August 2016 by Alvaro Hoyos, Chief Information Security Officer at OneLogin
Pokemon Go made a big splash for many reasons when it was first released to iPhone and Android users in early July. Building on the legacy of a franchise that has been around since the 90s, it effectively pulled at the nostalgic heartstrings of many Gen Xers and Gen Yers, almost all of whom now carry a capable smartphone. It also incorporates augmented reality features that make it hard to say “no” to your inner child, who always secretly wanted to catch a Pikachu in real life, and to those who love trying out new technologies (even though augmented reality can no longer be considered particularly new by this point).
As we know, bad news sells, and so the biggest reason the app made headlines shortly after release was a flaw in its use of Google sign-in: the app requested, and was granted, full access to the end user’s Google account, far more than a sign-in needs. This in turn created a firestorm of security and privacy concerns in the media. The flaw in question highlighted the current “state of the union” when it comes to the security and privacy mind-set of the average mobile end user. The reality is that all online data is at risk, and most end users are aware of that. The last two years have really hammered home the point, with named vulnerabilities like Heartbleed and private sector breaches like Sony Pictures leaving customer and employee data laid out for all to see.
Despite the potential security and privacy impact of this bug, there was no mass exodus of Pokemon Go players, or if there was one, it was inconsequential next to the number of players who started using the app after the bug was published. At first glance, you might think this paints a dire picture of how far we have to go to improve the security and privacy awareness of the general public, but it actually paints a slightly better picture, and in a way demonstrates that the average end user inherently understands the basic infosecurity risk management process. The first couple of steps in risk management are identifying and assessing the risks that need addressing. In this case, several researchers reported an issue within the app which meant it was possible for the app publisher, or even a successful attacker, to have full access to users’ Google account data: email, photos, documents, etc. Because the issue was widely published in the app’s early days, most end users were given clear guidance, in a timely fashion, on what the issue was, how it was being addressed, and how it impacted them.
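The issue described in the two paragraphs above boils down to an app asking for far more OAuth scope than a sign-in requires. The following is an added example, not code from the original article or from the game's publisher: a small audit that parses an OAuth 2.0 authorization request URL and reports any scope beyond what an OpenID Connect sign-in needs. The allowlist of sign-in scopes, the sample URLs and the extra scopes in them are constructed for illustration and are not a claim about what Pokemon Go actually requested.

```python
"""Audit the scopes an OAuth 2.0 client requests at sign-in.

Added example for this article, not the original page's code. The
allowlist and sample URLs below are assumptions constructed for
illustration.
"""
from urllib.parse import urlparse, parse_qs

# Scopes a plain "Sign in with Google" (OpenID Connect) flow needs.
# Assumption: anything beyond these grants access to user data that a
# game has no reason to read.
SIGN_IN_SCOPES = {"openid", "email", "profile"}


def requested_scopes(auth_url: str) -> set[str]:
    """Return the set of scopes carried in an authorization request URL.

    RFC 6749 section 3.3 defines `scope` as one space-delimited parameter;
    parse_qs has already decoded %20 and '+' to spaces for us. A request
    with no `scope` parameter yields an empty set.
    """
    query = parse_qs(urlparse(auth_url).query)
    raw = " ".join(query.get("scope", []))
    return {s for s in raw.split() if s}


def excess_scopes(auth_url: str) -> set[str]:
    """Scopes requested beyond sign-in. An empty set means least privilege."""
    return requested_scopes(auth_url) - SIGN_IN_SCOPES


def audit(auth_url: str) -> dict:
    """Summarise a request: what was asked for, what is excessive, verdict."""
    asked = requested_scopes(auth_url)
    extra = excess_scopes(auth_url)
    return {
        "requested": sorted(asked),
        "excess": sorted(extra),
        "least_privilege": not extra,
    }


# Constructed sample requests (hypothetical client_id and redirect_uri).
LEAST_PRIVILEGE_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=example-client&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcb"
    "&scope=openid%20email%20profile"
)

# Same sign-in, but also asking for the user's mail and Drive contents.
# These scope strings are only illustrative of "more than sign-in needs".
OVERBROAD_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=example-client&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcb"
    "&scope=openid+email+https://mail.google.com/"
    "+https://www.googleapis.com/auth/drive.readonly"
)


if __name__ == "__main__":
    for name, url in (("least privilege", LEAST_PRIVILEGE_URL),
                      ("over-broad", OVERBROAD_URL)):
        print(name, audit(url))
```

Run it against the URL your app (or a proxy capture of a third-party app) sends to the authorization endpoint; any entry under `excess` is data the publisher, or anyone who compromises the publisher's tokens, can read, which is exactly the exposure the article describes.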
The next set of steps in risk management deals with treating the risk. You can do this by avoiding the risk, reducing the risk, sharing the risk, or accepting the risk. In this case, you had people removing the app immediately (avoiding the risk), switching to a “throwaway” Google account with nothing of value in it (reducing the risk), or doing nothing (accepting the risk).
What does it all mean in the end? The Pokemon Go incident served as a litmus test of where the average person, admittedly most likely a Gen Xer or Yer, stands in terms of security and privacy awareness. People intuitively grasp the basic concepts of threat, impact, and likelihood that make up risk, as well as any Data Privacy Officer or infosecurity professional does. Their appetite for risk, though, is probably a little more flexible, especially when handed the reins to an augmented reality world that their inner child dreamed of and maybe, just maybe, the chance to catch them all.