Pokémon Go gets into trouble over user data

The Pokémon Go app has shaken up the gaming world. It was released less than two weeks ago in the US, New Zealand and Australia and is breaking records in terms of downloads and user engagement. It’s an app developer’s dream: users desperate to get hold of your app and play the game. Unfortunately for the developers, it is not the game that many commentators are currently talking about but the downsides.

What is good about Pokémon Go?

This is the most successful of the emerging genre of augmented reality (AR) games. Emerging might seem a little much for a technology that has been around for several years. Unfortunately, while some toys, games and apps have had limited success, the technology has yet to take off. This is not just about AR. Pokémon Go is also part of a genre known as exergames. These are games designed to get the players involved in the physical world.

For Niantic, this is their second AR/exergame, following on from Ingress, a successful science-fiction game launched back in 2012 for Android. In 2014 it added support for iOS devices and is still available today. There is a growing group of gamers who still play the game, although it hasn’t been successful on the same scale as Pokémon Go.

Pokémon Go has united at least two generations of gamers. Parents who remember the original Pokémon craze seem to be just as engaged as new players. As an exergame it has meant people have had to leave their homes and find the Pokémon. There are a number of side benefits to this, not least health.

Problems with login and personal data?

The success of the game in its first week has created a lot of problems. Despite the game being hosted in the cloud, its popularity caused Niantic to rethink a global launch. They restricted the launch countries to New Zealand, Australia and the USA. Even so, the servers were unable to cope with the number of users who wanted to sign up. It managed to break the Google and Pokémon Club login systems, forcing users to connect using other logins.

It is the use of one of these alternative logins that has attracted much of the press attention. Users logging in from iOS and using their Google ID have discovered that the app has excessive access to data. The permissions granted to the app allow it to see and modify almost all your personal data held by Google. It is not just the app with this level of access. Anyone who has access to the Niantic servers will be able to take the data and use it.

This has created a major backlash against the game developers, which turns out to be unfair. The developers had used an authentication approach known as OAuth. The problem is that the developers connected to an older API, which meant that the messages it passed back were inaccurate.

The website Engadget reported that Slack security dev Ari Rubenstein discovered: “...an out-of-date API that caused Google to display a message showing it had ‘full access’ to your account, even though the app ultimately does not have permission to access things like your email or calendar even if it wanted to.”

Why is the API issue a big thing?

We are moving into a world where everyone sees computer systems connecting through APIs. Those APIs will evolve and change, just as the Google and iOS ones did in this case. That means that developers run the risk of connecting to older APIs which do not work as expected. More importantly, those APIs could be changed without the developer knowing.

In this case it is likely that the Niantic developers simply used the same API that they had built for Ingress. Some of the social media comments say as much. This means that nobody at Niantic bothered to check the version of the API they were connecting to, which raises questions about their code practices.

There will be many users playing Pokémon Go using the same devices that they use for work. This means that they could have sensitive data in their Google Drive and Google Docs. There could be other files on their local storage devices that the app could conceivably access. In this case it isn’t happening because it was just a mistake. That mistake did not stop users from authorising the app and risking having that data taken. This is an issue that is likely to become more and more of a problem for security teams.

What is Niantic doing to fix this?

Niantic is being very open about the problem. They have reiterated that they are only taking basic information from Google such as User ID and email address. The developers are also said to be working on a client-side fix to ensure only basic information is accessed. The security teams at Google have also been involved to ensure that Niantic is only taking what it claims.

The problems with the privacy policy

The company is also pointing those with concerns back to the Niantic Privacy Policy, which can be found here: https://www.nianticlabs.com/privacy/pokemongo/en. That policy has itself come under fire for what it claims to gather and how it intends to handle data.

At first glance it seems a fairly standard and easy-to-understand privacy policy. It sets out some clear targets for what it gathers and how to have data deleted. This is something most companies fail to do.

What the privacy policy does contain is the statement that Personally Identifiable Information (PII) is a business asset. Should Niantic sell the company, the buyer would not necessarily be bound by the same rules as in the privacy policy. It could choose to not anonymise the data or even to not delete data when asked. The policy does state that users will have 30 days to ask for data to be destroyed before it is handed to a seller. However, there is no way to ensure this happens if the company is inundated. A seller could also just pull the data back from archive files.

Hackers and criminals quick to cash in

The problem with what data is being gathered is not the only serious issue. Within days of the launch, security vendor Proofpoint had spotted hackers cashing in. Given the restrictive release of the game, users from other countries were willing to download the game from unofficial sources.

Some of those sources contain an infected Android version of the game. It contains a Remote Access Tool (RAT) called DroidJack or SandroRAT. Proofpoint says that the infected code was uploaded within 72 hours of the game being released in New Zealand and Australia. What is interesting is that Proofpoint is putting some of the blame here on large media outlets. It claims that they published instructions on how to load the game from unofficial sources without thinking about the consequences.

It is not just hackers who are taking advantage. There are already reported cases of armed robbery connected to the game. In one instance reported by Inverse, nine players were lured to an intersection and robbed at gunpoint. The police have arrested four people already, but there are other cases of similar crimes being reported.

In another worrying case, a nineteen-year-old woman who was looking for a Pokémon in a natural water source found a dead body. Police have ruled out foul play but it is unclear how the individual died. News sources say it was a suicide or an accident while the deceased was trying to catch the Pokémon themselves.

Conclusion

One of the problems of being successful is dealing with that success. Niantic already had a very successful game before and should have been better prepared for the launch. When the previous Pokémon craze was at its peak it was a monster, and there was no reason to think this would not be the same. It used cloud services from parent Google and then failed to keep services running. This is about poor planning, not a failure of the cloud as a scale-out service.

The bigger issue here is privacy and data. The privacy policy is well written but there are concerns over data and where it is held. Google is believed to be part of the NSA Prism programme. This means any data on Google servers is accessible to the NSA. Also, making this data a business asset and saying it would be sold as such if the company closed sends all the wrong messages.

Niantic has proven that, with the right game, augmented reality and exergames can have some real benefits. However, it has also demonstrated that poor planning can lead to major problems.

1 COMMENT

  1. […] on Apple iOS without giving an Android date? The answer to that is yes, especially given it saw a similar scenario play out with Pokémon Go. It could perhaps have mitigated the attack by giving an Android launch date but that would not […]