Niantic, the developer of the planet-dominating augmented reality game Pokemon GO, responded to concerns about reported security-related flaws in the iOS version of the app, stating that there was no risk to users if Google was chosen as the authentication method. The issue was whether the iOS Pokemon GO app had full access to the player’s Google account data, something that would have been a serious security risk.
Why would ‘full access’ be so bad?
If the Pokemon GO app had full access to Google accounts, it would be able to access everything to do with the account. This would include email messages, contacts, Google Docs, Google Drive files … everything. The concern was never what Niantic might do but rather the consequences if the company’s server security was ever compromised, something that has happened many times to many organizations over the last few years. If a breach were to occur and full access to Google accounts was possible, Pokemon GO players would be completely exposed. What makes this an even more profound threat is the speed and scale of Pokemon GO’s adoption. According to TechCrunch:
The game is now the biggest ever in the U.S.; it has now topped Twitter’s daily users, and it sees people spending more time in its app than in Facebook, according to reports from various tracking firms. … On Monday, Pokémon Go saw just under 21 million daily active users in the U.S., topping Candy Crush’s rumored peak audience in 2013 as well as other top games like Draw Something, Clash Royale, and Slither.io, which hit their own peaks in various years.
Given such incredible market penetration, the consequences of a breach would be catastrophic for users and businesses alike. While full access would expose personal and business information in email, perhaps the biggest reason for concern was that many people use their Gmail accounts as the default email address for password recovery on other sites. If Pokemon GO had full access and there was a breach, it would be trivial for an attacker to reset passwords for every site a user was registered on and take complete control, making the scope and reach of the breach potentially bigger than any breach in history.
We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.
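To make the scope question concrete, here is an added example (not Niantic's or Google's code) that audits the scopes an OAuth 2.0 authorization request asks for, or the scopes a Google tokeninfo response reports as granted, against the minimal set Niantic says the game needs. It assumes "User ID and email address" maps to the OpenID Connect scopes `openid` and `email`; the sample authorization URL, client ID and tokeninfo body are constructed for the example.

```python
import json
from urllib.parse import parse_qs, urlparse

# Assumed minimal scope set for "user ID and email address" (OpenID Connect scopes).
NEEDED_SCOPES = {"openid", "email"}

# Google's long-form names for the same two OpenID scopes, as tokeninfo reports them.
ALIASES = {
    "https://www.googleapis.com/auth/userinfo.email": "email",
    "https://www.googleapis.com/auth/userinfo.profile": "profile",
}

# Documented Google API scope prefixes that expose mail, contacts and files:
# exactly the data the post says a breached server-side token would leak.
HIGH_RISK_PREFIXES = (
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/documents",
)

def scopes_from_auth_url(url):
    """Extract the space-separated 'scope' parameter from an authorization URL."""
    qs = parse_qs(urlparse(url).query)
    return set(" ".join(qs.get("scope", [])).split())

def scopes_from_tokeninfo(body):
    """Extract granted scopes from a tokeninfo JSON body ('scope' is space-separated)."""
    return set(json.loads(body).get("scope", "").split())

def audit_scopes(granted, needed=NEEDED_SCOPES):
    """Return (excess, high_risk): scopes beyond need, and those that expose mail/contacts/files."""
    normalized = {ALIASES.get(s, s) for s in granted}
    excess = normalized - needed
    high_risk = {s for s in excess if s.startswith(HIGH_RISK_PREFIXES)}
    return excess, high_risk

# Constructed sample: an authorization request asking for far more than profile data.
SAMPLE_AUTH_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE&response_type=code"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb"
    "&scope=openid%20email%20https%3A%2F%2Fmail.google.com%2F"
    "%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive"
)
# Constructed sample: a tokeninfo body after a fix that grants only the needed scopes.
SAMPLE_TOKENINFO_FIXED = ('{"aud": "EXAMPLE", "expires_in": 3599, '
                          '"scope": "openid https://www.googleapis.com/auth/userinfo.email"}')

if __name__ == "__main__":
    for label, granted in (("auth request", scopes_from_auth_url(SAMPLE_AUTH_URL)),
                           ("tokeninfo (fixed)", scopes_from_tokeninfo(SAMPLE_TOKENINFO_FIXED))):
        excess, risky = audit_scopes(granted)
        print(f"{label}: excess={sorted(excess)} high_risk={sorted(risky)}")
```

Run against a real consent URL or a live tokeninfo response, a non-empty `high_risk` set is the signal that a token stored server-side could expose mailbox or Drive contents if that server were breached.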
Once again, we see that being an early adopter of any software can have a serious downside. If the potential exposure to Pokemon GO players had been as serious as claimed and a breach had occurred, it wouldn’t have just been a problem for millions of users, it would have been a disaster for hundreds of thousands of businesses. The bottom line is that games and the work environment aren’t compatible if you want robust business security.
No matter how big your business is, if your employees need access to your business email or additional business resources, you should consider mandating MDM (Mobile Device Management) on their personal devices or provide them with a phone that is just for business. It’s your business and your employees’ livelihoods that are on the line.
Learn more about protecting your business by reading Azstec’s Seven Cybersecurity 2016 Must-Do’s.
Our Azstec Cybersecurity Center provides more information on how to protect yourself and your business.
*Photo credit http://bit.ly/29CjUvG