News

Actions

The security risks of Pokémon Go, explained

Posted

Pokémon Go just got political.

Pokemon RNC tweet.JPG

Pokémon characters are manifesting at the Republican National Convention zones in Cleveland.

The "augmented reality" smartphone game was released eight days ago. Now a zillion adults share their obsession alongside kids who are too young to remember the original anime game from the ‘90s. People have been busted trampling through cemeteries chasing the colorful pocket monsters. The Holocaust Museum in Washington, D.C. had todeclare itselfa Pokémon-free zone.

The mobile game just outpaced Tinder and Twitter as the most-downloaded app since July 6, 2016, its first day of availability in the United States.

In order to play, the app needs to know your location through your device’s GPS and access the camera.

"Pokémon Go is a huge security risk," warned Adam Reeve in a post on the blog of RedOwl, the cyber security company where he is principal architect.

When the geeks get scared, we get scared. So we wanted to learn more about these allegations that the mega-popular smartphone app is siphoning everything about our personal lives, at great risk.

Here’s a screenshot of the permissions screen that appears upon downloading Pokémon Go on an Android device, as posted by Twitter user @oscaron:

Android permissions Pokemon.jpg

Only iPhone users were informed they had to grant the app "full account access" on Google. The only other way to sign up is through the game’s website at pokemongo.com, which has been overwhelmed with users and is currently limiting the number of new users that can sign up at once.

What does "full account access" mean?

Reeve, who was among the first experts to sound this warning, claimed on his blog that downloading Pokémon Go would enable it to "read all your email, send email as you, access all your Google Drive documents (including deleting them), access any private photos you may store in Google Photos, and a whole lot more."

"I really wish I could play, it looks like great fun, but there’s no way it’s worth the risk," Reeve wrote.

Niantic, which developed the game for Nintendo’s Pokémon  brand, issued a statement July 11 that they had "recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account." They assured that though the mistake allowed them the ability to dive deep into personal data, the app only accesses a user’s ID and email address.

"No other Google account information is or has been accessed or collected," the statement read. Niantic said that they were working with Googleto fix the permissions issue.

iOS users now see this screen that includes the update, "Fixed Google account scope."

fixed google account scope.jpg

Does that fix the security concerns?

We consulted David Kennedy, a a cyber security expert and founder of Ohio-based Binary Defense Systems (his official title: Chief Hacking Officer). His company monitors his clients’ systems and tries to break in to reveal where their security is weak. (Niantic is not a client.)

We asked whether the fix by the app’s developer means that Pokémon Go "trainers" (players, in the game’s parlance) are in the clear.

Kennedy said that the updated app will restrict what information it collects to the minimum required for it to function, which still includes location data, email address and camera access.

Be sure, though, that other outside forces will be looking to exploit any cracks in Pokémon ’s armor, Kennedy said, because mobile applications are prone to attack.

"Let’s say I hacked into that application; I would now have access to everyone who installed it, their gmail accounts and everything else," he said. "So it’s a big security and privacy issue from that perspective."

Other concerns

There are other unsettling features of Pokémon Go that, while not unique to the game, might make privacy lovers think twice.

Niantic’s privacy policy is a 20-page document that no kid in reality, virtual or otherwise, is likely to read. Within the policy, Niantic describes how it may share user’s information with third parties who "may not have agreed to abide by the terms of this Privacy Policy."

Those third parties could be unspecified  "private parties," according to the terms of service.

They might sell or transfer personally identifiable information about users in the event of a "merger, sale of assets, acquisition, dissolution, reorganization, bankruptcy, change of control or other similar event."

Kathleen Stansberry, a Cleveland State University assistant professor with expertise in social media and strategic communications, told PolitiFact Ohio that it’s easy to see the utilities the technology could provide to police.

"Google has a history of cooperating with law enforcement," Stansberry said, "and I would imagine Pokémon Go would as well."

Another section of the app’s privacy policy says it may "disclose any information about you (or your authorized child) that is in our possession or control to government or law enforcement officials or private parties."