Everyone has been talking about Pokémon Go, the new app featuring the augmented reality game. But the hype is more than just talk:
- Nintendo stock nearly doubled from the popularity of the app (though it later crashed when investors realized the company did not have full ownership of the game.)
- The app quickly surpassed other social media platforms like Tinder and Twitter in terms of daily use.
- The average player spends more time interacting with the game than they do on Facebook.
- Some users are walking into traffic or over cliffs in their craze over the game, sparking a great deal of debate about whether the game puts gamers at risk of bodily harm.
But there’s another aspect to this game that deserves some hype: the potential risks posed by hackers targeting the app and its players.
The Trouble with Success
Unfortunately, with great success also comes the potential for trouble.
This point was illustrated about a week ago when servers for Pokémon Go collapsed. PoodleCorp, a hacker collective that takes “Chaos is fun” as its motto, claimed responsibility. It promised a further outage on August 1 with a planned DDOS, or Distributed Denial of Service, attack.
It is not known for certain whether PoodleCorp actually caused the server to crash, but the potential for attacks is certainly here. While most DDOS attacks are relatively harmless, this demonstrates the possibility for any popular platform to become a target for hackers or cyber-criminals.
This also emphasizes the importance for consumers and businesses to protect themselves from such attacks. Any entity that serves so many customers and has possession of valuable information, such as healthcare providers, banks, and government services, may find itself vulnerable to attack unless it takes proper precautions.
Too Much Information
A more likely threat to users of the game is presented by the app’s initial request for excessive permissions to the player’s Google account. Niantic, the creator of the app, only made the game available to customers that granted the company full access to information including location history, email, Drive documents, and calendars.
In addition to raising privacy concerns, this consolidation of personal data could make the app a tempting target for hackers. Once hackers and thieves have access to email, they can acquire sensitive material such as passwords. Obviously, this provides them with the tools they need to gain entry to other accounts.
Concept of Least Privilege
To its credit, Niantic acknowledges the danger of what it describes as an “erroneous” request for permissions. The company also says it has not collected anything beyond a login ID and the Gmail address of its customers. Furthermore, it states that it’s working on a fix for the issue so that the app only requests permission for this basic profile information.
This relates to the concept of least privilege, which has been discussed in my previous articles but warrants repetition. Users for any system should only be granted the access they need to accomplish their purpose. In this case, Niantic did not need the extensive access they requested from customers, which could make them more vulnerable than necessary.
Organizations that need information from their users should collect no more than is absolutely necessary to maintain their function. Consumers must be cautious about granting access to data and should be aware of the exact permissions they are approving. Furthermore, they should only give this material to trusted organizations that will make a good faith effort to protect customer data.
Another potential risk to security was revealed last week when fake versions of the Pokémon Go app appeared on Google Play and Apple App stores. These false apps infected thousands of phones after being downloaded. In some cases, the malware-afflicted device visited porn sites or advertisements without the owner’s awareness. In other cases, the viruses had the potential for backdoor attacks that would siphon data from the phone, including text messages and photos.
This example further shows the importance of being cautious when downloading material to your device. Again, customers should pay close attention to the permissions being granted to the developer. Before downloading an app, a user should also take note of the publisher and be sure that it was developed by a legitimate vendor.
So be careful out there, both with the potential harms you can see – and those you cannot.
Umesh Verma is the award-winning CEO and driving force behind Blue Lance, the global provider of cybersecurity governance solutions. For more than 25 years, Blue Lance’s automated software solutions have been protecting digitally managed corporate assets by assessing, remediating, and monitoring security of information systems. Call Blue Lance at 1-800-856-2586 for your 25-point credentials assessment, or get social with us on LinkedIn, Facebook, or Twitter.