Authorization, Authentication, and Pokemon-Go

When I opened up my news feed last week, 80% of the updates and news headlines were about the phenomenon that is Pokémon-Go.

For those of you who have no idea what this is, Pokemon-Go is a game that was started by a Google internal startup called Niantic. Within the game you use AR (augmented reality) to catch, battle, and train Pokémon (fictional animals, or “pocket monsters”) throughout the real world.

The game has millions of users on both Android and iOS devices, and the numbers will continue to increase. This isn’t surprising as much of the millennial population grew up watching the cartoon, playing the video game, and collecting the merchandise like there was no tomorrow.

Despite the excitement of it all, unfortunately, some issues have come up as there have been muggings by criminals at popular game meetup locations and trespassing at memorial sites like the Holocaust museum. Furthermore, the story has taken a new turn as it has now stepped into the realm of cyber security.

The Authorization Problem

The (potentially catastrophic) problem of this game is regarding Authorization and Authentication. These two concepts are often mixed up, but let’s explore them a bit within the context of the game itself.

Authentication verifies who you are – that you’re a real person, not a robot, trying to access the game. To do this, the game application requires you to authorize Niantic to access your information. Authorization happens just once, but that one-time authorization determines how much information you’re granting the application.

So the problem with this game ultimately lies in the authorization. You can authenticate your account in one of two ways within the application: through a pokemon.com account or through your Google account. Normally, Google would then show the level of permissions the application requires. However, before July 12, when you authenticated through your Google account and clicked the button, it switched straight to the log-in screen, meaning full permissions were handed over automatically – all of the information related to your Google account was handed over to Niantic.
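The difference between a “basic information” sign-in and the full-account grant described above comes down to which scopes the application asks Google for. The following is an added example, not code from the original post or from Niantic: it assumes the application signs users in with a standard OAuth 2.0 authorization request (a URL carrying a space-separated `scope` parameter) and flags any scope that goes beyond proving identity. The scope identifiers are Google’s published ones; the request URLs are constructed samples.

```python
"""Audit the Google account permissions an app requests at sign-in.

Added example. Assumes a standard OAuth 2.0 authorization request URL
with a `scope` query parameter; sample request URLs are constructed.
"""
from urllib.parse import urlparse, parse_qs

# Scopes that only identify the user: all a "basic information" sign-in needs.
IDENTITY_SCOPES = {
    "openid",
    "email",
    "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}


def requested_scopes(auth_url: str) -> set:
    """Return the set of scopes named in the `scope` parameter (empty if absent)."""
    query = parse_qs(urlparse(auth_url).query)
    return set(" ".join(query.get("scope", [])).split())


def audit_scopes(auth_url: str) -> dict:
    """Split requested scopes into identity-only and everything else.

    Any scope outside IDENTITY_SCOPES grants access to account *data*
    (mail, files, contacts, ...) rather than just proving who you are, so
    a non-empty `excessive` list means the app asks for more than a login.
    """
    scopes = requested_scopes(auth_url)
    excessive = scopes - IDENTITY_SCOPES
    return {
        "identity": sorted(scopes & IDENTITY_SCOPES),
        "excessive": sorted(excessive),
        "least_privilege": bool(scopes) and not excessive,
    }


# Constructed sample requests: a minimal sign-in and an over-broad one.
MINIMAL_REQUEST = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=example"
    "&response_type=code&scope=openid+email+profile"
)
BROAD_REQUEST = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=example"
    "&response_type=code&scope=openid+email"
    "+https://mail.google.com/+https://www.googleapis.com/auth/drive"
)
```

Running `audit_scopes(BROAD_REQUEST)` reports the mail and Drive scopes as excessive, which is exactly the kind of grant a user should refuse for a game.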

“Well, I’m just going to play the game. So it should be ok.”

But this kind of mindset is why it’s so dangerous to buy into the trend. The reality is, because this is your Google account, it may contain payment information, your address, and your passwords. Millions have signed over their information to the application, and thus its database is now becoming a prime target for hackers.

Did Niantic mean for this to happen? Probably not – it was an oversight, and the error was corrected on July 12. Now, the application requires limited permissions, so that it will only maintain your basic information. If you download the application now, you see this:

[Screenshot: pokemongo-release]

But the game isn’t over, because where there is data of any kind (even if it’s limited), there is value. The game is at 10 million accounts now, and experts say that when it hits 20-25 million records, there is no doubt that there will be a data breach.

So, Pokemon Go or No?

Realistically, people will continue to play the game, and it’s likely to make its way into other parts of the world. What can you as the player/user do to protect your information?

First, be aware of the authorization you’re granting applications when following this kind of phenomenon. When an application first comes onto the scene, there’s a lot that can go wrong. It may have vulnerabilities that have yet to be discovered, and malware-infected versions of it may already have been released.

Second, as a user, ask for transparency. Any company, especially one that requires so much of your information, should openly state what security measures it is taking. As stated before, Niantic probably didn’t mean for this to happen. But as AR and VR (virtual reality) become increasingly prevalent within technology, more and more companies may inadvertently or intentionally seek higher levels of permissions in order to access your information. When society as a whole demands transparency, this can be mitigated to a significant degree.

Lastly and perhaps most importantly, stay safe in real life. Augmented reality, virtual reality – none of it matters if you’re not aware in physical reality of what’s going on.


Visit www.pentasecurity.com for more information on other web and data security products, news, and blog posts.