Pokemon GO: giving hackers direct access to your phone
Pokemon GO took the world by storm over one weekend. Clusters of teens and adults alike are sweeping the streets nabbing animated creatures with their mobile phones.
With access to your clock and GPS, the app makes Pokemon; augmented animals such as dragons, rats and turtles, appear in the real world around you. As a ‘trainer’ you are to build up your Pokemon so that they can fight each other. The app uses Google Maps to guide you.
Captured Pokemon
But what else does the app have access to?
On sign up, you will be asked to provide your Google login. Apps commonly use existing credentials rather than creating their own to speed up installation and make sign up easy. However, in the case of Pokemon GO, Niantic Labs, the app’s developers, offer no clear limitation to what the app has access to.
Upon reading the Privacy Policy, the Emsisoft team were shocked to find that the app had full access to all aspects of a player’s Google account, including the ability to send and read emails, access edit and delete documents in Google Drive and Google Photos and access browser histories and location information.
There is no mention of what Niantic Labs intends to do with the data it accesses, but users should be aware that full access to a user’s personal data is a huge security risk.
The legitimate app has full access to your private information, but what if that access were to end up in the hands of, say, a malware developer, or an organisation managing a botnet? What security measures do Niantic Labs have in place to protect the mass of data they have obtained? We aren’t sure.
Further, in some countries, the app hasn’t been released yet. Players are downloading the game from third party sites which have teamed up with malware developers. Exploitative versions of the app are giving hackers backdoor access to mobile phones all over the world.
By logging in to the app, you are granting full access to a company that has amassed huge amounts of their users’ personal information without any explanation as to how it will be used, and to any hacker or malware developer who has managed to access it.
Malicious apps can be hard to differentiate from legitimate ones, particularly if they are operating quietly in the background.
So, what can you do to keep your data safe?
It is the opinion of the Emsisoft Team that using this app is not worth the risk.
It is likely that Niantic Labs will update their privacy policy to align more closely with their other app Ingress, which only needs a player’s basic profile. We advise patience. But, if you must use the app:
- Download the original app from either the official Apple Appstore or Google Play. If it isn’t out in your country yet, please wait for the official release.
- Create a brand new Google account dedicated to the game. Ensure it has no connection to your other personal accounts.
- Stay away from third party download sites
- Install and update Emsisoft Mobile Security which is built for layered Android protection.
Have a great (malware free) day.
Related Posts:
- Emsisoft Mobile Security 1.0 released!
- ALERT: Google Drive Phishing Scam
- No more nude selfies! (at least not on the cloud)
- Beware of these popular WhatsApp scams
- Covert Redirect Security Flaw in Sites Using OAuth and…