Pokemon GO: giving hackers direct access to your phone


blog_main_pokemon
Pokemon GO took the world by storm over one weekend. Clusters of teens and adults alike are sweeping the streets nabbing animated creatures with their mobile phones.

With access to your clock and GPS, the app makes Pokemon; augmented animals such as dragons, rats and turtles, appear in the real world around you. As a ‘trainer’ you are to build up your Pokemon so that they can fight each other. The app uses Google Maps to guide you.

Captured Pokemon

Captured Pokemon

But what else does the app have access to?

On sign up, you will be asked to provide your Google login. Apps commonly use existing credentials rather than creating their own to speed up installation and make sign up easy. However, in the case of Pokemon GO, Niantic Labs, the app’s developers, offer no clear limitation to what the app has access to.

Upon reading the Privacy Policy, the Emsisoft team were shocked to find that the app had full access to all aspects of a player’s Google account, including the ability to send and read emails, access edit and delete documents in Google Drive and Google Photos and access browser histories and location information.

There is no mention of what Niantic Labs intends to do with the data it accesses, but users should be aware that full access to a user’s personal data is a huge security risk.

The legitimate app has full access to your private information, but what if that access were to end up in the hands of, say, a malware developer, or an organisation managing a botnet? What security measures do Niantic Labs have in place to protect the mass of data they have obtained? We aren’t sure.

Further, in some countries, the app hasn’t been released yet. Players are downloading the game from third party sites which have teamed up with malware developers. Exploitative versions of the app are giving hackers backdoor access to mobile phones all over the world.

By logging in to the app, you are granting full access to a company that has amassed huge amounts of their users’ personal information without any explanation as to how it will be used, and to any hacker or malware developer who has managed to access it.

Malicious apps can be hard to differentiate from legitimate ones, particularly if they are operating quietly in the background.

So, what can you do to keep your data safe?

It is the opinion of the Emsisoft Team that using this app is not worth the risk.

It is likely that Niantic Labs will update their privacy policy to align more closely with their other app Ingress, which only needs a player’s basic profile. We advise patience. But, if you must use the app:

[Update: 17/07/2016 – 11PM] – Pokemon Go Developers Niantic Labs have released the game’s first update. Version 1.0.1 corrects the previous permissions issue surrounding Google logins and the extent of their access to user data.

A statement released by Niantic called the level of access “an error.”

Google has verified that no other information has been received or accessed by Pokemon Go or Niantic.

Now upon login, the game only asks for access to your username and email. You may still have to manually revoke the app’s access and login again once the patch has been installed. This should not cause you to lose any of your game progress.

The patch also fixes a bug that required users to login each time a forced logout occurred, as well as correcting the issues that caused constant crashes.

This issue was only relevant for iOS versions of the app, you can update now through the iOS App Store.

Emsisoft Enterprise Security + EDR

Robust and proven endpoint security solution for organizations of all sizes. Start free trial

Have a great (malware free) day.

Senan Conrad

Senan Conrad

Senan specializes in giving readers insight into the constantly and rapidly changing world of cybersecurity. When he’s not tapping away at his keyboard, he enjoys drinking a good coffee or tinkering in his workshop.

What to read next