As Professor Oak once warned you way back in Pallet Town, it’s dangerous out there. Unless you’ve been living under a Geodude for the past week, you’ll be well aware that the augmented-reality game Pokémon Go is taking over the world, despite not yet being available in most countries.
While the somewhat dubious viral stories surrounding Pokémon Go may be filling newsfeeds, it seems that cybersecurity may actually be the real worry for the popular game. Adam Reeve, a researcher at a security analytics firm, wrote a Tumblr post explaining how Pokémon Go could pose a security risk and a threat to your online privacy.
The post explained that to play, you need to sign in with an account, obtainable on the pokemon.com website or – as most users would have done out of convenience – through a Google account. According to the post, accepting this option means that Niantic, the developer of the game, has full access to your Google account, meaning it can access your Google Drive documents, see your search history, and view your images in Google Photos. It’s also worth considering that if Niantic got hacked, all this information would be up for grabs.
Niantic issued a statement to Polygon in response to Reeve’s post, acknowledging the issue but adding: “Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO's permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.”
Additionally, others have since suggested that Niantic has never had access to certain aspects of your Google account, such as your emails (although other information could still be out there).
Reeve seemed content with Niantic's response, saying in an update post: “I’m really happy they’re addressing the problem promptly, my intention was only ever to get some attention after my initial attempts to contact the developers failed. Now everyone go catch some Pokémon :)”
But there’s another threat lurking around that you’ll want to be aware of before you set off on your adventure.
There have already been reports of malware being developed for Pokémon Go. Proofpoint, a data protection service, highlighted that there have been several reports of Pokémon Go apps being modified to contain a malicious remote access tool, which can effectively give an “attacker” full access to your phone’s data. They added that these “fake” apps, which come with malicious software, are more likely to be found by eager players who download the app from an unofficial source to get it before their country’s release date.
There are a few ways to check whether your copy of the app is infected. One way is to check the list of permissions you’ve granted to the app. You can see how to do this, along with more complex and thorough methods, on the Proofpoint website.
Considering that Pokémon Go gained millions of users within days of being released, it’s no surprise it has run into some controversy. However, as Proofpoint notes, if you downloaded the app from the official Apple Store or Android Play Store, you should be fine as far as malware is concerned.
As for the issue of Niantic's data-gathering, you can only hope they will resolve it before anybody else manages to get their hands on that data. Nevertheless, considering Google’s reputation for handing over data to police, it will be interesting to see if Pokémon Go data could be used as evidence in criminal trials, such as the case of the Pokémon Go stick-up men. 2016 is a strange place.
If you are concerned about which applications have access to your Google account, you can click this link here.