The record-shattering virtual reality game, created by Niantic, is no stranger to the media spotlight. Designed for iOS and Android devices, it enables users to indulge in an addicting scavenger hunt anywhere they go. The latest news mentioning Pokemon GO, however, is the stuff PR nightmares are made of.
As an app released by a Google-owned company, users considered Pokemon GO to be benign. Instead, it behaved like a malicious program. Pokemon GO enabled Niantic to freely access users’ Google accounts, while keeping them in the dark about their compromised privacy.
What actually happened?
Released on June 6, 2016, Pokemon GO gave users two choices to sign up for the game. One option was to use their Pokemon Trainer Club account. As an alternative, they could also sign up using their Google credentials.
As a rule, when someone signs up with their Google credentials, they are presented with a list of permissions the app wants to use. When Pokemon GO was originally released, the users never got a chance to see this list. The notification screen was bypassed, leading users straight to the login screen.
As some players soon discovered, by using their Google credentials, unknowingly, they granted the company full access to their Google accounts. Niantic was able to access their emails, documents and photos stored on the Google drive, look through their search and browsing history. Basically, Niantic was in full control of their accounts. Like scary malware, the app allowed Nianatic to spy on the users’ private online affairs.
The question which bothered many users was what was the intent for creating this accessibility?
Data monetization, or what is in it for the company?
Pretty much any software app collects data on its users. For legitimate apps, most of it is done with full disclosure and user knowledge (assuming users actually bother to read the disclosure). The types of data collected include locations of logins, times of logins, types of browsers used, and more.
Most of it is done anonymously, so the collected data can’t be traced to any specific user. For example, we can tell with certainty, Pokemon GO legitimately collected GPS location data of the players.
Businesses collect data for man different reasons. Understand, this information can be used by the company for a multitude of reasons or as we often see it is sold to a third parties. The uses for such information are numerous – from serving local mobile ads, to city infrastructure planning, to picking locations for new business ventures.
On the other hand, personally identifiable data can be worth exponentially more than anonymous data. The problem, of course, is it can cause irreparable damage to users. Companies have to take extra caution when collecting sensitive, personally identifiable data – the question, was Niantic’s collection blatant or out of ignorance.
It was simply an error!
The official position of Niantic is simple – it was just an error. They are not arrogant geniuses who thought you would never discover that they gained access to your data. Here is a partial statement they issued:
“We recently discovered the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected.”
Unless we see a massive lawsuit, with attorneys spending years untangling the mystery, chances are we will never know what really happened.
It could have been an honest mistake. Niantic is part of Google. They could have reused the code from another app (released or not) with access to Google accounts. Or maybe they did toy with the idea of asking permission to access some of your sensitive information (after all, they are providing you with the game for free), but forgot to incorporate it into the notification screen. The possibilities of how it happened are endless.
What we do know, is Niantic is not the only app we should worry about. The vulnerability can be easily exploited by hackers, giving them full access to your private data.
An update has been issued to remedy the situation, revoking Niantic’s access to your sensitive data. However, it is still not clear whether the company collected and saved user information before the security hole was patched up.
How unique is Niantic’s “error”?
Sadly, there is no way to prevent legitimate companies from creating (by mistake or intentionally) such security holes. The reason Pokemon GO’s privacy problems came to light relatively quickly was because of its immense popularity. Since the introduction in June 2016, it has been downloaded by over 130 million users worldwide.
What about other, less popular apps? Chances are, such security holes are never discovered. Mobile apps in general are riddled with vulnerabilities. According to CVE Details, iPhone OS was ranked second (after Mac OS X) in 2015 by the number of discovered vulnerabilities (375, to be exact). And those are the known flaws, waiting to be exploited. So just imagine how many undiscovered weaknesses your mobile phone is hiding.
It is not rare to hack an app to gain access to the collected data. One of the latest interesting examples was the app sold by Mspy. Enabling users to trace another person’s online actions, including their browsing history, messages, phone calls and more, it was originally designed to enable parents to supervise their kids’ whereabouts (but often used for other purposes, such as to expose cheating spouses). It was a treasure trove of information, just waiting to be exploited. The company was finally hacked last year, and the retrieved information posted on a website accessible an undergorund network.
The truth is, your data is being collected by pretty much everyone, from governments to businesses, to opportunistic hackers. Some make attempts to disclose their actions, while others do it without your knowledge. If you don’t use security measures to protect yourself, sooner or later your data will get exposed.
How can we protect ourselves?
It is scary to think about how data on your smartphone can be easily accessed without your permission. A few simple steps can help you prevent it from happening:
- Keep everything up to date -it includes your operating system and your software. You may have to do your own periodic checks on the updates and patches issued by your browser and software developers. Carriers are not always very proactive at letting you know about the latest updates, so have to spend time checking the original source.
- Encrypt your sensitive data – it is easy and inexpensive, and protects you if someone physically gets ahold of your phone, or hacks into your accounts remotely. It won’t prevent hackers or legitimate apps from accessing your email without your permission, but it will prevent them from reading your messages without having proper credentials. In the Pokemon GO case, if users’ data was encrypted, they would not have had to worry whether or not Niantic actually accessed and/or saved their emails for future use. Encryption would have blocked the company from reading user messages.
- Make sure your phone is still supported – the unfortunate reality is that phones become obsolete faster than some people can pay them off. If your phone is older than 2 years, you want to ensure it is still being supported, or upgrade it to the latest version.
- Enable a password on your device – to prevent others from physically accessing your data, or uploading malware to your device while you are not looking. Make sure there are a limited number of attempts and have the device time out, this will prevent brute force attacks.
- Use two-factor authentication – to safeguard your device with an extra layer of security, forcing the other party to go through extra steps to get to your data. These steps can protect you from an outsider who doesn’t know any of your personal details. Custom authentication details can include zip codes, phone numbers, and other details known to you and the legitimate party you do business with.
- Screen free apps carefully – since we don’t live in an altruistic society, there is really no such thing as a free app. Users often pay for free apps by allowing companies to collect data about them. You have to ensure you know exactly what type of data is collected, so you can decide if the program is really worth it.
- Don’t jailbreak your phone – often done to add features or programs not allowed, or not supported by the manufacturer, it creates security holes, and simply enables hacker’s easier access to your information.
- Don’t use Google credentials – when it comes to login credentials, the most convenient way is usually the least safe. It pays off to spend a few extra minutes and create a separate account for each app you are using.
- Remotely disable your stolen or lost smartphone – once you lose the physical possession of your phone, the only way to ensure your data is safe (especially if it is not encrypted) is to erase it remotely.
The story of Pokemon GO is a good cautionary tale which brought attention to the (very unsafe) world of mobile apps. Until now, we mostly heard about exploits done by malicious programs. Pokemon GO showed us how easy it is for a legitimate program to do the same. Relying on developers to disclose everything about their apps is not realistic, but taking steps to protect your data is something everyone should be able to do easily and inexpensively.
Todd Sexton
Latest posts by Todd Sexton (see all)
- Pokemon GO and Your Privacy - September 2, 2016
- Technology is Moving, Are You? - August 1, 2016
- Cyber Liability Insurance – A “Nice to Have” or a “Must Have”? - July 26, 2016