The game was recently making headlines after hackers knocked gaming servers offline, but major privacy concerns have been on a rise since then. And this gives Nintendo something more to worry about other than its tumbling share value due to an evasive statement.
SimilarWeb’s report about the mobile game outpacing Tinder and Twitter as the “most-downloaded app since July 6, 2016” validates the popularity of the game. But guess who’s not playing it: cyber security experts. And there’s a reason to that!
“Full access” debate
When a player downloads Pokémon GO, his phone is “fully accessible” by the app. So this means that the player’s email address, IP address, the web page used before logging into Pokémon GO, username, and the current location are openly susceptible towards misuse by anyone who has access to Niantic’s servers.
Adam Reeve, the principal architect of cyber security company RedOwl unveiled his concerns about the game in a blogpost. He noted, “Normally you’d see a little message saying what data the app is going to be able to access – something like “This app will be able to view your email address and name”. For some reason that’s not shown in this case.”
“What’s more, given the use of email as an authentication mechanism (think “Forgot password” links) they now have a pretty good chance of gaining access to your accounts on other sites too,” Reeve added.
According to Google’s help page, “When you grant full account access, the application can see and modify nearly all information in your Google Account”
This ‘Full account access’ privilege should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet.
Niantic is already threatened with a lawsuit in Germany, where consumer advocates are demanding more “privacy-friendly” mobile app’s terms. According to them, the game breaks German consumer and privacy laws.
Heiko Dünkel, Policy Officer at The Federation of German Consumer Organizations (VZBV) reportedly told Fortune:
We think is there is not a high enough level of consent in the use of data—these extended rights of giving users’ data away to third parties in circumstances, which are not sufficiently described.
The company later clarified that the request was a mistake and has reportedly changed the access requirement in updates to the game.
Later, it was revealed that Niantic was using an outdated version of Google’s shared sign-on service, which conveniently allowed it to skip the step that asks for permission to access a person’s account. And hence came the warning– the app had ‘full access’ to player accounts.
So for those who are yet to venture the ‘Pokémon land’ with this new game, we would say that using your personal Gmail account is a complete “no-no”. Instead, you can use a burner Google account. For this, create an all new Google account, with no significant data, and use this account to sign into Pokémon GO as well as other apps that you may find doubtful.
Businesses…BEWARE!
The International Association of Information Technology Asset Managers (IAITAM) is warning businesses against downloading the game in “bring your own device” (BYOD) phones/tablets with direct access to sensitive corporate information and accounts.
Quoting fake apps and data breaches as major crooks, Dr. Barbara Rembiesa, CEO, IAITAM said, “Frankly, the truth is that Pokémon Go is a nightmare for companies that want to keep their email and cloud-based information secure. Even with the enormous popularity of this gaming app, there are just too many questions and too many risks involved for responsible corporations to allow the game to be used on corporate-owned or BYOD devices.”
“We already have real security concerns and expect them to become much more severe in the coming weeks. The only safe course of action here is to bar Pokémon Go from corporate-owned phones and tablets, as well as employee-owned devices that are used to connect to sensitive corporate information.”
And if this was not jolting enough, cyber security experts at Zscaler’s ThreatlabZ spotted an Android SMS Trojan disguised as the Pokémon GO app in their threat feeds. The malware installs itself with the legit Pokémon GO application icon so that the users are not suspicious, routing unsuspecting gamers to another URL which downloads a fake version of the game.
The rogue app, according to the experts, is capable of “scamming gamers financially by sending SMS messages to premium numbers.”
“Unlike common android malware, this malware performs malicious activity from a HTML page residing in the asset folder of the malware package,” explained the blogpost.
At a time when DDoS attacks have soared by 149% in the past year, one has to be cautious and minimize vulnerability to cyber threats. In the end, Pokémon GO is just a digital world overlapping the real world with “REAL RISKS.”
