
Gotta Hack em’ All: Pokemon Go, Security, and Privacy Awareness

August 2016 by Alvaro Hoyos, Chief Information Security Officer at OneLogin

Pokemon Go made a big splash for many reasons when it was first released to iPhone and Android users in early July. Building on the legacy of a franchise that has been around since the 90s, it effectively pulled at the nostalgic heartstrings of many Gen Xers and Gen Yers, almost all of whom are equipped with the latest smartphones. It also incorporates augmented reality features that really make it hard to say “no” to your inner child that secretly always wanted to catch a Pikachu in real life, and to those that love trying out new technologies (even though the technology can no longer be considered particularly new by this point).

As we know, bad news sells, and therefore the biggest reason the app made headlines shortly after release was a flaw in its use of Google authentication, which incidentally provided full access to an end user’s Google account. This, in turn, created a firestorm of security and privacy concerns in the media. The flaw in question highlighted the current “state of the union” when it comes to the security and privacy mind-set of the average mobile end user. The reality is that all online data is at risk. This is certainly a fact that most end users are aware of. The last two years have really hammered home that point, with named vulnerabilities like Heartbleed and private sector breaches like Sony Pictures, which left customer and employee data laid out for all to see.

Despite the potential security and privacy impact of this bug, there was no mass exodus of Pokemon Go players, or even if there was, it was inconsequential based on the number of players that started using the app after the bug was published. At first glance, you might think that this paints a dire picture of how far we have to go to improve the security and privacy awareness of the general public, but it actually paints a slightly better picture, and in a way demonstrates that the average end user inherently understands the basic infosecurity risk management process.

The first couple of steps in risk management are identifying and assessing the risks that need addressing. In this case, several researchers reported an issue within the app, which meant it was possible for the app publisher, or even a successful attacker, to have full access to users’ Google account data: email, photos, documents, etc. Because the issue was widely published in the app’s early days, most end users were provided clear guidance, in a timely fashion, on what the issues were, how they were being addressed and how they impacted them.

The next set of steps in risk management deal with treating the risk. You can do this by avoiding the risk, reducing the risk, sharing the risk, or accepting the risk. In this case, you had people removing the app immediately (avoiding the risk), switching to a “throwaway” email account (reducing the risk), or accepting the risk (doing nothing).

What does it all mean in the end? The Pokemon Go incident served as a litmus test of where the average person, admittedly most likely a Gen Xer or Yer, stands in terms of their security and privacy awareness. People are able to grasp subconsciously the basic concepts of threats, impact, and likelihood that make up risks, as well as any Data Privacy Officer or Infosecurity professional. Their appetite for risk, though, is probably a little bit more flexible, especially when given the reins to inhabit an augmented reality world that their inner child dreamed of and maybe, just maybe, being able to catch them all.
