Pokemon Go – Trusting an Augmented World

Pokemon Go is a viral Augmented Reality (AR) game for Android and iOS. Recent revelations show that some users have been required to grant the app full access to their Google account, prompting many to start citing security concerns.

AR is a new genre of gameplay which takes interaction by the player in the real world as part of its basic controls. Location-based games like Pokemon Go were first made mainstream by Niantic with their release of a location-based smartphone game called Ingress. Ingress was hailed as a way for “nerds to get in shape”, with the novel concept that to move about the game’s map users physically had to walk to locations called portals. These portals are places where users battle for control of land-based areas by deploying objects called resonators to take control of the portal and obtain that portal’s key. Players are then able to link 3 portals together, if they have the correct keys, to create a field. These fields earn points for the player’s team. There are only two teams: the Enlightened (affectionately known as frogs owing to their green colour) and the Resistance (known as smurfs due to being blue). Ingress gained a cult following owing to its unique gameplay and conspiracy-like storyline. See the Wikipedia article for more in-depth discussion.

Ingress gameplay screenshots

When Ingress started, Niantic allowed players to submit locations as portals. These locations were supposed to be places of cultural significance such as landmarks, artwork, education institutions and religious buildings. This leads us to Pokemon Go, a new location-based AR game built by the same company that made Ingress: Niantic Labs. In making Pokemon Go, Niantic have ported much of the map data they have gathered over the nearly 4 years since Ingress entered closed beta in November 2012. This has meant that many of the user-submitted portals in Ingress are now PokeStops or Gyms in Pokemon Go. Two games, one set of map data.

This has not been without its own issues. What once made perfect sense as a portal in a game which had secrecy baked into its storyline may not make sense as a Gym in Pokemon Go.

In fact, a house built out of an old church has been mistakenly identified as a portal in Ingress and made its way into Pokemon Go as a Gym.


However, the most startling revelation seems to be that iOS users installing the app have granted Niantic full access to their Google account in order to log in. Full access means the application can read and send emails on the user’s behalf without prompt, view, edit or delete the contents of Google Drive, browse your search history or, perhaps more concerningly, access Maps navigation history. [Update: Turns out this may have been misreported in the media hype. Full access doesn’t mean the above but, rather, access to all data in your account such as name, address, birth date with edit permissions]

Niantic made comment on the situation in a statement provided to The Verge:

We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon Go only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go’s permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves.

So it would seem that this was just a careless error on behalf of the developers. But is this acceptable? Or is this a case of developer culture?

Many applications require extensive permissions in order to function. Perhaps the most widely discussed is Facebook’s Messenger and its permissions:

This app has access to:

Identity

  • find accounts on the device
  • read your own contact card
  • add or remove accounts

Contacts

  • find accounts on the device
  • read your contacts
  • modify your contacts

Location

  • precise location (GPS and network-based)
  • approximate location (network-based)

SMS

  • edit your text messages (SMS or MMS)
  • receive text messages (SMS)
  • send SMS messages
  • read your text messages (SMS or MMS)
  • receive text messages (MMS)

Phone

  • read phone status and identity
  • read call log
  • directly call phone numbers
  • reroute outgoing calls

Photos/Media/Files

  • modify or delete the contents of your USB storage
  • read the contents of your USB storage

Storage

  • modify or delete the contents of your USB storage
  • read the contents of your USB storage

Camera

  • take pictures and videos

Microphone

  • record audio

Wi-Fi connection information

  • view Wi-Fi connections

Device ID & call information

  • read phone status and identity

Other

  • receive data from Internet
  • download files without notification
  • control vibration
  • run at startup
  • draw over other apps
  • pair with Bluetooth devices
  • send sticky broadcast
  • create accounts and set passwords
  • change network connectivity
  • prevent device from sleeping
  • install shortcuts
  • read battery statistics
  • read sync settings
  • toggle sync on and off
  • read Google service configuration
  • view network connections
  • change your audio settings
  • full network access

These may seem extensive, and may even suggest that the application wishes to spy on you. However, as has already been discussed extensively, they are relatively harmless and needed for much of the behind-the-scenes operation of the application.

So does Pokemon Go really need full access to a Google account to run an account? Hell no. What we have seen here is simply a developer using a stock template, most likely from the days when Niantic was owned by Google, and forgetting to change the default permissions in the file. A careless error. One that would not have been tolerated by IBM’s elite Black Team back in the glory days of programming. A team whose sole job was to break your code in the most horrific ways possible.

I posit that this is the true issue to come out of this: that programmers have become careless and do not check their code for bugs enough. Users should not have to worry about cyber security, as the most secure option should be the default. It should be the programmer’s responsibility to ensure their applications are trustworthy.
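The kind of pre-release check that catches a leftover template default can be small. The following is an added example, not Niantic's or Google's code: it audits the `scope` parameter of an OAuth 2.0 authorization request against an allowlist of what the app actually uses. The allowlist and the sample URLs are assumptions constructed for illustration and are not the request Pokemon Go made.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: the app needs only the user's ID and email address, which
# Google exposes through its standard OpenID Connect scopes.
ALLOWED_SCOPES = frozenset({"openid", "email"})

# Constructed sample requests (EXAMPLE_CLIENT_ID is a placeholder).
BASE = ("https://accounts.google.com/o/oauth2/v2/auth"
        "?client_id=EXAMPLE_CLIENT_ID&response_type=code")
TEMPLATE_DEFAULT = (BASE + "&scope=openid%20email"
                    "%20https%3A%2F%2Fmail.google.com%2F"
                    "%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive")
LEAST_PRIVILEGE = BASE + "&scope=openid%20email"
NO_SCOPE = BASE


def audit_auth_request(url, allowed=ALLOWED_SCOPES):
    """Return (ok, excess) for an OAuth 2.0 authorization request URL.

    ok is True only when exactly one non-empty scope parameter is present
    and every requested scope is on the allowlist.
    """
    values = parse_qs(urlsplit(url).query).get("scope", [])
    # Fail closed: with a missing or repeated scope parameter we cannot
    # know which permissions the authorization server will end up granting.
    if len(values) != 1:
        return False, set()
    requested = set(values[0].split())  # scopes are space-delimited
    excess = requested - allowed
    return bool(requested) and not excess, excess


if __name__ == "__main__":
    samples = [("template default", TEMPLATE_DEFAULT),
               ("least privilege", LEAST_PRIVILEGE),
               ("no scope", NO_SCOPE)]
    for name, url in samples:
        ok, excess = audit_auth_request(url)
        print(f"{name}: {'PASS' if ok else 'FAIL'} {sorted(excess)}")
```

Run against every authorization URL the client can build, a check like this turns "forgot to change the default" into a failed build rather than a headline.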

In the meantime, it seems the security concerns regarding our online behaviour with respect to these games are not going to be the issue but, rather, our real-world counterparts that aren’t so 90’s-child friendly.


The Playboy centrefold at the centre of computer science

This article was originally published on May 11, 2015 for The Conversation. Read the original article.

Richard Matthews, University of Adelaide

The November 1972 issue of Playboy magazine is the magazine’s best selling issue of all time. This is not because of the articles, but due to the proliferation of one iconic image from the magazine: that of centrefold model Lena Söderberg.

The original image was digitised by researchers at the University of Southern California Signal and Image Processing Institute (SIPI) in 1973. Alexander Sawchuk, the assistant professor of electrical engineering, his graduate student and the SIPI lab manager were frantically looking for a new image for a research paper.

They had already exhausted the stock of usual test images. It was at this moment – according to legend – that a colleague walked in with the November 1972 issue of Playboy. Seeing the predicament that the researchers were in, he tore a 5.12 inch strip from the top of the centrefold and fed it to their scanner. As it had a resolution of 100 lines per inch, the resulting image was the perfectly cropped head and shoulders image 512 x 512 pixels in size.

This image has since been used widely in image processing circles. That’s because the nature of the image makes it amenable to testing a wide range of image processing algorithms.

The image contains a mixture of detail, colour, shading, focus, textures, reflections and flat regions that allow testing of multiple algorithms. These algorithms range from edge detection to denoising and even include shrinking the image down to the size of a human hair.

Pornography in the lab

Given the provenance of the image, its use is not without controversy. In a recent article in the Washington Post, a student from the Thomas Jefferson High School for Science and Technology in the US, Maddie Zug, suggested the school’s use of the image in her computer science course was evidence that the school’s culture unfairly marginalises women in an already male-dominated subject.

Maddie isn’t the only one to have taken offence or looked for alternatives. In a 2013 paper by Deanna Needell and Rachel Ward, the authors got permission from the agent of Fabio Lanzoni to use the popular male model’s likeness rather than use Lena.

Fabio Test Image

The outrage over Lena is less about the intrinsic properties of the image itself than about the image’s provenance. Maddie argued that by using the Lena image, women are turned away from computer science.

Yet Needell and Ward, two female researchers in this space, saw it as an opportunity to highlight gender issues in society at large by replacing the image with one of a male model instead.

Heidi Norton, a second year PhD student from the University of Pennsylvania, and co-founder of the website Beta Pleated Chic, which is devoted to women in STEM, has argued that the source of the image is due to the bygone era when academia was perceived as an “Old Boys’ Club”.

Norton says:

[…] in some ways, I felt like my strong negative reaction towards this image was unjustified […] I realised the (provenance) had nothing to do with the image itself. It had more to do with the fact that our culture historically (and often at present) values the beauty of women much more than their intelligence or talents.

It is accepted that all STEM fields need to attract more women into their ranks to achieve greater gender equality and diversity. However, the use of the Lena image is not an example of causation to correlation.

Disregarding the provenance of the Lena test image, we see that it is like many others within the SIPI database. The fact that the image is of an attractive woman should not weigh into this discussion for its use. Art in all of its many forms exists to capture beauty. Is it, therefore, not a logical conclusion that subjects of beauty, like Fabio and Lena, are going to turn up in our tests?

Computer Science Lecturer Hannah Dee, from Aberystwyth University, summed the issue up perfectly when she wrote for the Software and Sustainability Institute in March of 2014:

[…] despite my avowedly feminist stance, I’m somehow unable to get that annoyed about [Lena].

The fact that there’s a historic Playboy image at pretty much every conference I go to, and on the walls of my colleague’s labs, and downloaded with every single image processing library I use, well… on the one hand, it’s part of that drip-drip-drip of strangeness that comes from working in a male-dominated field, where the topics of conversation and the general attitude can be a little disconcerting. But on the other hand, with changing cultural attitudes, and the effect the internet has had on pornography, the entire centrefold (yes, you can easily find it online if you look) seems very tame indeed by today’s standards. And the crop that is used in image processing research is, well… I’ve developed quite an affection for the picture. It’s one of the quirks of computer science. So when I was asked what picture we should use to illustrate this blog post, there was only one choice.

But is it appropriate?

Still, the moral issue remains: did the Jefferson High School for Science and Technology do anything wrong when they asked students to Google the Lena image and use it to test the students’ algorithms? Potentially.

Given the ease with which a simple Google image search could yield nudity, perhaps in future the school should simply link directly to the image in the SIPI image database. This way it will shield the students from accidentally accessing something they shouldn’t and will also provide them with several images to test their algorithms on. Something I am sure even Maddie would appreciate.

Should the field in general stop using the Lena image? My personal view is: no. The use of the Lena test image is a quirk of the industry that should be celebrated. That being said, it should be used alongside others equally. Blue Steel anyone?


Warning: searching the internet for “Lena Söderberg” or the “Lenna image” may yield results that are not safe for work.


Richard Matthews, Research Assistant in Digital Forensics, University of Adelaide
