Pokemon GO: giving hackers direct access to your phone
Pokemon GO took the world by storm over one weekend. Clusters of teens and adults alike are sweeping the streets nabbing animated creatures with their mobile phones.
With access to your clock and GPS, the app makes Pokemon, augmented animals such as dragons, rats and turtles, appear in the real world around you. As a ‘trainer’ you build up your Pokemon so that they can fight each other. The app uses Google Maps to guide you.
But what else does the app have access to?
On sign up, you will be asked to provide your Google login. Apps commonly use existing credentials rather than creating their own to speed up installation and make sign up easy. However, in the case of Pokemon GO, Niantic Labs, the app’s developers, set no clear limit on what the app has access to.
There is no mention of what Niantic Labs intends to do with the data it accesses, but users should be aware that full access to a user’s personal data is a huge security risk.
The legitimate app has full access to your private information, but what if that access were to end up in the hands of, say, a malware developer, or an organisation managing a botnet? What security measures does Niantic Labs have in place to protect the mass of data it has obtained? We aren’t sure.
Further, in some countries, the app hasn’t been released yet. Players are downloading the game from third-party sites which have teamed up with malware developers. Trojanised versions of the app are giving hackers backdoor access to mobile phones all over the world.
By logging in to the app, you are granting full access to a company that has amassed huge amounts of its users’ personal information without any explanation of how it will be used, and to any hacker or malware developer who has managed to get hold of it.
Malicious apps can be hard to differentiate from legitimate ones, particularly if they are operating quietly in the background.
So, what can you do to keep your data safe?
It is the opinion of the Emsisoft Team that using this app is not worth the risk.
- Download the original app from either the official Apple Appstore or Google Play. If it isn’t out in your country yet, please wait for the official release.
- Create a brand new Google account dedicated to the game. Ensure it has no connection to your other personal accounts.
- Stay away from third-party download sites.
- Install and update Emsisoft Mobile Security which is built for layered Android protection.
[Update: 17/07/2016 – 11PM] – Pokemon GO developer Niantic Labs has released the game’s first update. Version 1.0.1 corrects the previous permissions issue surrounding Google logins and the extent of their access to user data.
A statement released by Niantic called the level of access “an error.”
Google has verified that no other information has been received or accessed by Pokemon Go or Niantic.
Now upon login, the game only asks for access to your username and email. You may still have to manually revoke the app’s access and log in again once the patch has been installed. This should not cause you to lose any of your game progress.
The patch also fixes a bug that required users to log in each time a forced logout occurred, as well as correcting the issues that caused constant crashes.
This issue was only relevant for iOS versions of the app; you can update now through the iOS App Store.
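The underlying problem here is an OAuth grant far broader than the app needs for sign-in. One way to check this yourself, for any app, is to compare the scopes actually granted against the minimal set a login needs and flag anything that reaches into mail, files or contacts. The following script is an added example written for this post, not Emsisoft or Niantic code. It assumes a tokeninfo-style JSON response with a space-separated `scope` field (the shape Google's `https://oauth2.googleapis.com/tokeninfo` endpoint returns) and runs entirely on constructed sample responses, so nothing is sent over the network; the "before" sample's extra scopes are illustrative, not the exact scopes the original app requested.

```python
"""
Audit the OAuth scopes an app holds on a Google account and flag over-broad grants.

Added example (not from the original post). Input is a tokeninfo-style JSON object
with a space-separated "scope" field; the samples below are constructed.
"""
import json

# The scopes a sign-in-only app should need ("username and email"): assumed mapping
# onto the standard OpenID Connect / Google userinfo scopes.
MINIMAL_SCOPES = {
    "openid",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

# Scope prefixes that grant access to personal data well beyond sign-in.
# Illustrative list; extend it to the Google services that matter to you.
HIGH_RISK_PREFIXES = (
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/calendar",
)

# Constructed sample responses: one resembling an over-broad grant, one resembling
# the identity-only grant the patched app asks for, one with a harmless extra scope.
SAMPLE_OVERBROAD = json.dumps({
    "scope": "openid https://www.googleapis.com/auth/userinfo.email "
             "https://mail.google.com/ https://www.googleapis.com/auth/drive",
    "expires_in": 3599,
})
SAMPLE_MINIMAL = json.dumps({
    "scope": "openid https://www.googleapis.com/auth/userinfo.email "
             "https://www.googleapis.com/auth/userinfo.profile",
    "expires_in": 3599,
})
SAMPLE_EXTRA = json.dumps({
    "scope": "openid https://www.googleapis.com/auth/userinfo.email "
             "https://www.googleapis.com/auth/youtube.readonly",
    "expires_in": 3599,
})


def parse_scopes(tokeninfo_json):
    """Return the set of scope strings from a tokeninfo-style JSON document."""
    data = json.loads(tokeninfo_json)
    return set(data.get("scope", "").split())


def audit_scopes(granted):
    """Compare granted scopes with the minimal sign-in set.

    Returns a dict with the excess scopes, the high-risk subset of those, and a
    verdict: "ok" (nothing beyond sign-in), "review" (extra but not high-risk
    scopes), or "revoke" (the app can read personal data such as mail or files).
    """
    excess = set(granted) - MINIMAL_SCOPES
    high_risk = {s for s in excess if s.startswith(HIGH_RISK_PREFIXES)}
    if high_risk:
        verdict = "revoke"
    elif excess:
        verdict = "review"
    else:
        verdict = "ok"
    return {"excess": sorted(excess), "high_risk": sorted(high_risk), "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("over-broad", SAMPLE_OVERBROAD),
                          ("minimal", SAMPLE_MINIMAL),
                          ("extra", SAMPLE_EXTRA)):
        result = audit_scopes(parse_scopes(sample))
        print(f"{label:>10}: {result['verdict']:7} excess={result['excess']}")
```

A "revoke" verdict is the signal to remove the grant from the account's connected-apps settings and sign in again, as the update note above describes; a "review" verdict means the app holds something beyond identity that is worth a second look but does not expose mail, files or contacts.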
Have a great (malware free) day.