Can Pokemon and Security Co-exist?
Pokemon Go is the digital scavenger hunt we all wanted growing up and now kids and adults alike are experiencing that and getting some exercise as well. So what’s the harm? Like any massively successful online game, Pokemon Go involves millions of players and their data. This is no different than Twitter, Facebook and many social apps and data mining companies like Google. So while it’s not inherently unsecure, can Pokemon and best security practices really co-exist?
Pokemon Go was developed by Niantic, a mobile game developer that spun off of Google. Back in 2011, Google developed Ingress, an AR (Augmented Reality) game that had players walking around real environments searching for virtual clues and battles. Much of this data was used to formulate the maps and locations that now populate Pokemon Go. Together, Google, Niantic and Nintendo are responsible for both Pokemon Go’s tremendous success and security suspicions. From day one, Pokemon Go was fraught with release bugs that typically accompany new titles, especially ones that are so popular. Niantic promised to fix these bugs and has already released updates that address most of them. However, security concerns remain.
Pokemon Go was initially released in the U.S., Australia and New Zealand on both iOS and Android platforms. After over 20 years and billions of dollars in branding, Pokemon IP was all set to take on the world of mobile gaming and it did. The problem was Niantic’s servers weren’t prepared for the onslaught of new users. Most people trying to create a new account and Pokemon trainer (the character you play in the game) were met with frustrating server errors. Niantic offered an alternative by way of using Google accounts to login but iOS users immediately noticed a discrepancy. iOS users were notified that in order to play Pokemon Go, they had to agree to grant FULL ACCESS to Niantic. This traditionally means that not only would Niantic and Google have full access to your location, photos and email address, it also includes things like actual contents of emails and search history too! Niantic quickly issued a fix and stated that this was an error and nobody’s full data was ever received or used. But the red flags went up for security experts everywhere and have yet to lower back down.
These security concerns, hype and eventual backlash are all to be expected. After all, how often do 20 million people all sign up and begin playing the same data tracking game virtually overnight? Here are some tips to stay safe from some possible and some very real threats:
Terms of Service
Niantic’s EULA (End User License Agreement) requires binding arbitration should any user fall victim to both real or cyberthreats. This means that if Pokemon Go or Niantic is hacked and all of your user data is spilled out into the Internet, Niantic reserves the right to hold secret arbitration hearings because you have already agreed to it. This bypasses regular courts of law and makes class action lawsuits very difficult for victims. If that scares you more than a Squirtle with a CP of 250, cancel you account now. But if you want to play and retain your rights, simply send an mail to firstname.lastname@example.org with “Arbitration Opt-out Notice” as the subject. More details can be found in iMore’s Pokemon Go guide.
With so many new app permissions being granted for Pokemon Go, it might be a good time to look back at all of your past app permissions. I can almost guarantee you will find at least one old app that you no longer use that still has access to your data. Why not deny access to any app you do not use or trust? Simply login to your Google account and click on goto Privacy and Security > Account Permissions and remove any that you do not want.
Another safe way to play without worrying about data and permission issues is to simply create a dummy Google account. Go to gmail.com and click ‘create account’ at the bottom. It’s simple and free for anyone. Yes, it’s one more password to remember but at least you get to allocate the importance of this burner account by deciding what has access to it and what does not.
There have been multiple reports of robberies and accidents involving Pokemon Go players. While these are not cybersecurity threats per say, I would be remiss not to include them because they are real issues with real victims. The thought of millions of Pokemon Go players sent out into the world engage in Pokemon battles on their smartphones, sends a chill down any security expert’s spine. Not only are these players distracted by their devices but they are being lured by the game (and possibly by thieves) to specific areas to capture rare Pokemons. Unfortunately, we have not heard the end of Pokemon related crimes.
I am surprised that we have not heard about more traffic incidents involving pedestrians being struck by vehicles. After all, if you currently visit any busy city intersection, you will see dozens of people with their eyes glued to their phones as they cross busy streets. Perhaps we have evolved enough in the age of the smartphone to walk and battle Pokemon safely. But what about the drivers? Texting is still a huge safety issue on our roads and Pokemon Go doesn’t really address it effectively. Niantic claims that any movement faster than 20 MPH will not register in the game (walking great distances is required to hatch Pokemon eggs). But I suspect the game and its battles still function while driving. Sure enough, I was able to battle a Zubat over the course of a few blocks in stop and go traffic. By putting a 20 MPH speed limit on movement, Niantic may have successfully thwarted cheaters but they are doing very little to curb distracted driving. And if this game is truly bigger than Twitter and Facebook, I suspect we will be hearing about more distracted driving incidents as well as cybersecurity threats due to Pokemon Go in the future.
- Stalking has never been easier so let’s change that - 02/08/2023
- This is why nobody is allowed a cell phone in classified debriefings - 11/18/2022
- Death of the VPN: A Security Eulogy - 08/24/2022
Leave a Reply
You must be logged in to post a comment.