Pokemon Go – Trusting an Augmented World

Pokemon Go is a viral Augmented Reality (AR) game for Android and iOS. Recent revelations show that some users have been required to grant the app full access to their Google account prompting many to start citing security concerns.

AR is a new genre of gameplay which takes interaction by the player in the real world as part of its basic controls. Location based games like Pokemon Go were first made mainstream by Niantic with their release of a location based, smartphone game called Ingress. Ingress was hailed as a way for “nerds to get in shape” with the novel concept that to move about the games map users physically had to walk to locations called portals. These portals are places where users battle out for control of land based areas by deploying objects called resonators to take control of the portal  and obtain that portal’s key. Players are then able to link 3 portals together if the have the correct keys to create a field. These fields earn the player’s team points of which there are only two; the Enlightened (affectionately known as frogs owing to their green colour) and the Resistance (known as smurfs due to being blue). Ingress gained a cult following owing to its unique gameplay and conspiracy like storyline. See the Wikipedia article for more indepth discussion.

Ingress-screenshots
Ingress gameplay screenshots

When Ingress started, Niantic allowed players to submit locations as portals. These locations where supposed to be places of cultural significance such as landmarks, artwork, education institutions and religious buildings. This leads us to Pokemon Go. A new location based AR game built by the same company that made Ingress; Niantic Labs. In making Pokemon Go, Niantic have ported much of the map data they have gathered over the nearly 4 years since its closed beta in November 2012. This has meant that many of the user submited portals in Ingress are now PokeStops or Gyms in Pokemon Go. Two games, one set of map data.

This has not been without its own issues. What once made perfect sense as a portal in a game which had based into its storyline secrecy now may not make sense as a gym in Pokemon Go.

Screen Shot 2016-07-13 at 1.38.36 PMRoundAboutIssue1

In fact, a house built out of an old church has been mistakenly identified as a portal in Ingress and made its way as a Gym in Pokemon Go.


boon_sheridanHowever, the most startling revelation seems to be that iOS users installing the app have granted Niantic full access to their Google account in order to log in. Full access means the application can read and send emails on the user’s behalf without prompt, view, edit or delete the contents of Google drive, browse your search history or perhaps more concerningly, access Maps navigation history. [Update:Turns out this may have been misreported in the media hype. Full access doesn’t mean the above but, rather access to all data in your account such as name, address, birth date with edit permissions]

Niantic made comment on the situation in a statement provided to The Verge:

We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However,Pokémon Go only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go’s permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves.

So it would seem that this was just a careless error on behalf of the developers. But is this acceptable? Or is this a case of developer culture?

Many applications require extensive permissions in order to function. Perhaps the most widely discussed is Facebook’s Messenger and its permissions:

This app has access to:

Identity

  • find accounts on the device
  • read your own contact card
  • add or remove accounts

Contacts

  • find accounts on the device
  • read your contacts
  • modify your contacts

Location

  • precise location (GPS and network-based)
  • approximate location (network-based)

SMS

  • edit your text messages (SMS or MMS)
  • receive text messages (SMS)
  • send SMS messages
  • read your text messages (SMS or MMS)
  • receive text messages (MMS)

Phone

  • read phone status and identity
  • read call log
  • directly call phone numbers
  • reroute outgoing calls

Photos/Media/Files

  • modify or delete the contents of your USB storage
  • read the contents of your USB storage

Storage

  • modify or delete the contents of your USB storage
  • read the contents of your USB storage

Camera

  • take pictures and videos

Microphone

  • record audio

Wi-Fi connection information

  • view Wi-Fi connections

Device ID & call information

  • read phone status and identity

Other

  • receive data from Internet
  • download files without notification
  • control vibration
  • run at startup
  • draw over other apps
  • pair with Bluetooth devices
  • send sticky broadcast
  • create accounts and set passwords
  • change network connectivity
  • prevent device from sleeping
  • install shortcuts
  • read battery statistics
  • read sync settings
  • toggle sync on and off
  • read Google service configuration
  • view network connections
  • change your audio settings
  • full network access

These may seem extensive and even that the application wishes to spy on you however, as has already been discussed extensively, these are relatively harmless and needed for much of behind the scenes operation of the application.

So does Pokemon Go really need full access to a Google account to run an account? Hell no. What we have seen here is simply a developer using a stock template, most likely from the days when Niantic was owned by Google, and forgetting to change the default permissions in the file. A careless error. One that would not have been tolerated by IBM’s elite Black Team back in the glory days of programming. A team whose sole job was to break your code in most horrific ways possible.

I premise that this is the true issue to come out of this: that programmers have become careless and do not error check their code for bugs enough. Users should not have to worry about cyber security as the most secure option should be the default. It should be the programmers responsibility to ensure their applications are trustworthy.

In the meantime, it seems the security concerns  regarding our online behaviour with respect to these games is not going to be the issue but, rather, our real world counterparts that aren’t so 90’s child friendly.

9ryvxqh

 

Leave a Reply

Your email address will not be published. Required fields are marked *