Pokemon GO: giving hackers direct access to your phone

Pokemon GO took the world by storm over one weekend. Clusters of teens and adults alike are sweeping the streets nabbing animated creatures with their mobile phones.

With access to your clock and GPS, the app makes Pokemon, augmented animals such as dragons, rats and turtles, appear in the real world around you. As a ‘trainer’ you are to build up your Pokemon so that they can fight each other. The app uses Google Maps to guide you.

Captured Pokemon

But what else does the app have access to?

On sign up, you will be asked to provide your Google login. Apps commonly use existing credentials rather than creating their own to speed up installation and make sign up easy. However, in the case of Pokemon GO, Niantic Labs, the app’s developers, offer no clear limit on what the app has access to.

Upon reading the Privacy Policy, the Emsisoft team were shocked to find that the app had full access to all aspects of a player’s Google account, including the ability to send and read emails, to access, edit and delete documents in Google Drive and Google Photos, and to access browser histories and location information.

There is no mention of what Niantic Labs intends to do with the data it accesses, but users should be aware that full access to a user’s personal data is a huge security risk.

The legitimate app has full access to your private information, but what if that access were to end up in the hands of, say, a malware developer, or an organisation managing a botnet? What security measures do Niantic Labs have in place to protect the mass of data they have obtained? We aren’t sure.
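The risk described above is a question of OAuth scopes: a game that only needs to sign you in should hold identity scopes and nothing else. The following added example (not Emsisoft’s or Niantic’s code) audits the scopes a connected app holds, using the shape of Google’s tokeninfo response (a space-separated `scope` field); the token record, client id and scope allow-list are constructed for illustration.

```python
"""Audit the OAuth scopes a third-party app holds on a Google account.

Added example. It reads a tokeninfo-style JSON record (space-separated
"scope" field) and flags anything beyond basic sign-in. The sample
record and the client id below are constructed, not real values.
"""
import json

# Scopes a sign-in-only app needs: identity, nothing about mail or files.
BASIC_SIGNIN_SCOPES = {
    "openid",
    "email",
    "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

# Scope prefixes that reach account data rather than identity.
# Illustrative, not an exhaustive catalogue of Google scopes.
SENSITIVE_PREFIXES = (
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/photos",
    "https://www.googleapis.com/auth/contacts",
)


def parse_scopes(tokeninfo_json: str) -> set:
    """Return the granted scopes from a tokeninfo-style JSON document."""
    return set(json.loads(tokeninfo_json).get("scope", "").split())


def audit_scopes(granted: set) -> dict:
    """'excess' = scopes beyond sign-in; 'sensitive' = excess that reaches data."""
    excess = sorted(granted - BASIC_SIGNIN_SCOPES)
    sensitive = [s for s in excess if s.startswith(SENSITIVE_PREFIXES)]
    return {"excess": excess, "sensitive": sensitive}


def needs_revocation(granted: set) -> bool:
    """True when a sign-in-only app holds any scope beyond sign-in."""
    return bool(audit_scopes(granted)["excess"])


# Constructed sample: a game that asked for far more than sign-in.
SAMPLE_TOKENINFO = json.dumps({
    "aud": "example-game-client-id",  # placeholder client id
    "email": "trainer@example.com",
    "scope": "openid email https://mail.google.com/ "
             "https://www.googleapis.com/auth/drive",
})

if __name__ == "__main__":
    scopes = parse_scopes(SAMPLE_TOKENINFO)
    print(audit_scopes(scopes), needs_revocation(scopes))
```

A non-empty `sensitive` list is the cue to revoke the app in the account’s connected-apps settings and, as the comments below suggest, to rotate the password and enable two-step verification.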

Further, in some countries, the app hasn’t been released yet. Players are downloading the game from third party sites which have teamed up with malware developers. Exploitative versions of the app are giving hackers backdoor access to mobile phones all over the world.

By logging in to the app, you are granting full access to a company that has amassed huge amounts of their users’ personal information without any explanation as to how it will be used, and to any hacker or malware developer who has managed to access it.

Malicious apps can be hard to differentiate from legitimate ones, particularly if they are operating quietly in the background.

So, what can you do to keep your data safe?

It is the opinion of the Emsisoft Team that using this app is not worth the risk.

It is likely that Niantic Labs will update their privacy policy to align more closely with their other app, Ingress, which only needs a player’s basic profile. We advise patience. But, if you must use the app:

  • Download the original app from either the official Apple App Store or Google Play. If it isn’t out in your country yet, please wait for the official release.
  • Create a brand new Google account dedicated to the game. Ensure it has no connection to your other personal accounts.
  • Stay away from third-party download sites.
  • Install and update Emsisoft Mobile Security which is built for layered Android protection.

[Update: 17/07/2016 – 11PM] – Pokemon Go developers Niantic Labs have released the game’s first update. Version 1.0.1 corrects the previous permissions issue surrounding Google logins and the extent of their access to user data.

A statement released by Niantic called the level of access “an error.”

Google has verified that no other information has been received or accessed by Pokemon Go or Niantic.

Now, upon login, the game only asks for access to your username and email. You may still have to manually revoke the app’s access and log in again once the patch has been installed. This should not cause you to lose any of your game progress.

The patch also fixes a bug that required users to log in each time a forced logout occurred, as well as correcting the issues that caused constant crashes.

This issue only affected the iOS version of the app; you can update now through the iOS App Store.

Have a great (malware free) day.

  • Jon

    Just had a friend I forwarded this article to ask if they uninstall Pokemon Go will that block Niantic Labs from having access to their data or do they need to restrict/remove access via Google account some how?

    • SwedishElk

      IF someone already got their hands on the login credentials, it’s no good to just remove Pokemon Go. Change password, check the account and unauthorize any other machines, add two-step verification. And change passwords on everything else that connects through that Google account. Two-step verification to another e-mail or phone is one of the best protections.

      • Jon

        Hi, thanks for the reply… However I don’t believe they would have anyone’s Google password but only permission to some of your Google services… I’m just wondering after uninstalling the app if that will remove that access as well? I believe it will but wanted to make sure…

        • SwedishElk

          Problem is that even if you remove the app, a potential malware still has the same access rights. And that will not be removed by removing Pokemon.

          • Jon

            I would like to ‘think’ that if that was the case Google would have pulled the app from the store by now if it left malware behind after an uninstall? Would be very interested to hear some facts on whether the access to people’s Google account is purely ‘via’ the app (so if removed, access is lost) or if the user grants the company access to your Google data/services (which I’m sure is not the case, else I suspect a user would need to get redirected to a Google authentication page for this level of access to be granted, where Google would more clearly state the level of access you are giving out?)

  • musicmugger

    I can’t say the thought of ever wanting to look at that program has ever crossed my mind. I would rather listen to music, but then I have a life, and have never allowed it to be ruled by toys other people want to brainwash me with.

  • Nik Fowler

    Can you have a second Google account on your Android?

    • SwedishElk

      Sure you can, you can have one account per app if you wish. Just have to remember to switch account before installing the app.

      • Nik Fowler

        I did not know that! Thanks SwedishElk!

  • Sokrates

    So much (justified) doggedness against a game seeking access ‘by mistake’ to all users’ personal data, and not a single word about that monstrous arrogant piece of snoopware forced down our throats as Windows 10… double standards?

    • Nathaniel Donaghy

      Believe it or not, you can run Windows 10 and not give up your personal data.

      • Sokrates

        just a test – someone or something is messing up things here