Pokémon Go was just released in Canada. The title, which has rocketed to the top of the Apple and Google Play charts, is an augmented reality (AR) game which gets players out and about their neighborhood hunting for Pokémon, special items, and battles.
It was released in the US on the 6th of July and had an immediate impact adding billions to Nintendo’s stock value and grabbing the attention of everyone.
But it hasn’t been all roses (or…um…Roselia’s).
There have been issues with the game’s servers, challenges with some locations, criminals robbing players, and a security scare. And while we’re all enjoying the game, it’s that security scare that should be addressed.
Too many permissions
A mistake in an early version of the game requested full account access to new users’ Google accounts. The initial reaction to this was swift and loud (myself included). A game should never need full access to your Google account.
After further investigation, it turns out that the game might not have had the permissions it appeared. Regardless, the game’s developer Niantic Labs responded quickly with an update and clear communications around the issue.
But the scare does highlight a real issue: We do not check the connections to our social media accounts often enough.
Apps linking to apps
Linking an app to your account is a common practice. It makes it a lot easier to post to Facebook, publish on LinkedIn, send a tweet, or take an action in any number of other social networks. If we had to login to each network every time we wanted to share, users simply wouldn’t use these services.
This is what’s lead to a standard called oauth – an open framework to enable this type of 3rd party authorization.
You’re already familiar with the flow. When starting to use a new app (like Pokémon Go) you’re prompted to sign in using your Google account (or Facebook or Twitter or LinkedIn, etc.). During this process you are sent to the provider’s website to securely login. After you successfully sign in to your account, the new app is sent a token (a unique code) representing that authorization.
The new app never sees your password for your account but does gain some level of access using the token.
Lack of granularity
Each app or service that requests access to your accounts also requests a set of permissions in that account. Some apps only want to know your name and email, while others push for a lot more information.
One of the challenges here is that the protocol is an all or nothing situation. When an app requests a set of permissions, you don’t have the flexibility to say yes to some of the permissions and no to others.
This can lead to some apps having more permissions than you are necessarily comfortable with.
Lack of review
In addition to the lack of granularity, a lot of people forget to periodically review the connections they’ve made. Maybe you’re playing Pokémon Go now but stop in a month or two. Cleaning up those third party permissions can help ensure that your information stays safe.
Imagine for a moment you’ve granted a new app permission to post and read messages on your behalf. This means that the app is now holding a token that represents that access. If that app is hacked, the attacker can potentially use or harvest those tokens and abuse your social accounts.
While the risk may be minor, you can easily mitigate it by reviewing the accesses you’ve allowed every few weeks. The process is extremely simple and will only take a few minutes. Here are the instructions for;
Please take a few minutes now to check the access you’ve granted. It might save you a headache down the road.
How do you handle granting third party access to your accounts? Let me know your thoughts (and where you saw that rare Pokémon) on Twitter @markca.