• All Community
    • All Community
    • Forums
    • Ideas
    • Blogs
Advanced

Kudos2 Stats

Pokémon Go Cyber Security and Privacy Guidelines

In one way or another, you’ve probably heard of Pokémon Go, the latest new app that seems to be taking over smartphones everywhere. When I first heard about the app, it piqued my curiosity, given my passion for cyber security. Admittedly, I became addicted immediately, which lead me to research how the game works, how to play it, and what the possible security risks are that come along with the game.

Firstly, it is important to note that this game is not your average smartphone game. It uses a technology known as augmented reality, which is a blend of real life and technology. There are many layers to this game, using real time GPS locations, geocaching technology and the world around you. Since there are many factors that come into play when using this app, we are going to delve into these aspects in a three part series examining the risks in the cyber realm, the real world and the safety of children while playing the game.

What Are the Risks?

This game has literally become an overnight sensation and cybercriminals are looking to cash in on this huge opportunity in a variety of ways.

Malicious Apps:

Since, the App isn’t available in all countries yet, just days after the official Pokémon Go App hit the market, researchers from Proofpoint discovered a Trojanized version of the app. According to Proofpoint’s blog "Although we have not observed this malicious APK in the wild, it was uploaded to a malicious file repository service […] less than 72 hours after the game was officially released in New Zealand and Australia” So first thing’s first- when downloading the app, be sure to only download apps from trusted sources such as the Google Play Store and the Apple App Store.
Additionally, Norton has you covered when it comes to malicious Android apps. App Advisor automatically scans for malicious apps in the Google Play Store before they’re downloaded to your phone. 

The most recent and most dangerous malicious app was a discovery made by a group of security researchers on July 15th. The first fake lockscreen app, dubbed “Pokémon GO Ultimate,” was found on the Google Play Store. Luckily, the researchers contacted Google quickly, and it has been removed from the app store. You can read more about this threat here.

Online Scams:

With all popular games, users are sure to scour the Internet for cheats and hacks online. Scammers are already on top of this, as fake websites have started popping up offering Pokécoins and other powerups from the game in exchange for filling out surveys or visiting questionable websites. Surveys may seem harmless, however, they can collect a lot of personally identifiable information about you, which could be used in identity theft. 

Remember, if it sounds too good to be true, it probably is a scam. As of now, there is no legitimate way or “hack” to get Pokécoins except for buying them in the app. 

Privacy Risks:

Review App Permissions:

It’s always important to evaluate what an app wants to access when it is installed. Sometimes, granting an app permission to areas of your device can leave your personal information exposed as well as that of others. If it doesn’t make sense to you, such as an app requesting permission to access your phone and SMS capabilities, you can always deny the app access to that part of your phone. Keep in mind however, that it may place limitations on how the app functions, or it may not function at all without the requested access. It’s really up to you to decide how much privacy to give away for a game, but at least be informed.

Currently some iOS users and some Android users do not get asked permission to access anything. If signing in via Google, you are potentially allowing the game full access to your Google account. This means that the app has access to your contacts, e-mail, Google Drive documents, and more.

Niantic has released a statement saying that they have fixed the issue.
Here’s the full statement from the developer:

"We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access.  Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves."

While you wait for this fix to come out, you can revoke permissions for Pokémon Go from your Google account on this page

Privacy Policy and Terms of Service:

In this day and age, it’s important to take a look at these documents in order to see what the app plans to do with your personal information.

One notable issue in the terms of service located inside of the app is that the links to the privacy policy, and the Pokémon GO Trainer guidelines were not hyperlinked, and you have to agree to all three of them before gameplay. 

Pokémon GO Terms of Service
https://www.nianticlabs.com/terms/pokemongo/en

In the terms of service, it is emphasized throughout the risks of danger during gameplay. The line that really caught my eye was:
You agree that your use of the App and play of the game is at your own risk, and it is your responsibility to maintain such health, liability, hazard, personal injury, medical, life, and other insurance policies as you deem reasonably necessary for any injuries that you may incur while using the Services.”

I’ve never seen a Terms Of Service recommend that you get an insurance policy as a result of any injuries that may occur during gameplay, but this just reinforces how dangerous this game can become if you’re not paying attention to what you’re doing.

Pokémon GO Trainer Guidelines
https://support.pokemongo.nianticlabs.com/hc/en-us/articles/221993967
According to the terms of service, users must adhere to the Trainer Guidelines. Since you can’t access these URLs in the application before agreeing them, it’s a good idea to go over all of these documents just to know exactly what you’re agreeing to.

Pokémon GO Privacy Policy
https://www.nianticlabs.com/privacy/pokemongo/en
At the time of writing this article, Niantic and The Pokémon Company International issued this statement to us:
"We encourage all people playing Pokémon GO to be aware of their surroundings and to play with friends when going to new or unfamiliar places. Please remember to be safe and alert at all times. We are humbled by the overwhelmingly positive response to Pokemon GO and greatly appreciate the support of our fans."
 

The fact that there are risks should not encourage users to shy away from new things. The most important thing is to educate yourself on the risks and be aware. Once you’re empowered with this knowledge, you can embrace this new technology and go catch that Mewtwo!

Related articles to Pokémon Go:
Pokémon Go Parents Guide for Children
Pokémon Go Real World Risks and Safety Tips​
Fight Off Malicious Pokemon GO! Apps With The Help Of Norton Mobile Security​