You are undoubtedly aware of the smartphone game Pokémon Go. If somehow you have been living under a rock, this game has become a phenomenon not unlike the original Pokémon card games in the 1990s. The difference here is that the “Pokémon masters” utilize an app for their iOS or Android devices to find these magical creatures. Due to the popularity of the game, the millions upon millions of participants may be risking their own security.
The first issue arises from the fact that not everyone is downloading the Pokémon Go app from the official Google Play or Apple App stores. There are numerous reasons for this occurring, from general ignorance to the fact that Pokémon Go is only available (so far) in the U.S., Canada, Egypt, Germany, Norway, Russia, Portugal, Spain, the U.K., Australia, and New Zealand. A particularly vicious counterfeit version of Pokémon Go for Android devices is installing malware called DroidJack. DroidJack is a backdoor virus that allows unbridled access to an individual’s phone. We are talking about everything from GPS logs to your private text messages. It would not be illogical to think that an attacker using DroidJack could gain root access to your phone, putting its very core programming at risk.
This tends to be a major problem with many unofficial sources of applications for smartphones. As such, it is unfair to place all of the blame at Pokémon Go’s feet (or Niantic’s–the app’s creator–either, for that matter). The fact is, however, that the amount of users downloading third party copy-cats of Pokémon Go are placing themselves in great danger. If the application is not yet available in your country, it may be tempting to find a workaround, but the consequences are not worth it. (Ever hear about all the crap people ended up downloading after using Limewire or KaZaA about fifteen years ago? Porn and viruses instead of the TV show or game they would have preferred to download instead? Yeah, that’s about right.)
Even with the official Pokémon Go application, there are security issues. These mainly stem from the amount of access that is requested from the user before instillation. Most do not think twice about giving access to their phones when asked by their app store of choice. This is a poor risk management tactic and ultimately could wind up giving you some serious invasions of your privacy. In the case of Pokémon Go, Niantic has acknowledged that it requests more permission than needed on its iOS version. In a statement, the company admitted that “the Pokémon Go account creation process on iOS erroneously requests full access permission for the user’s Google account.” While Niantic insists that a fix is coming soon, one has to wonder how much personal data they may have been accessed (the company denies any instances of this happening).
One final issue that is arising security-wise with the Pokémon Go app is criminals utilizing its geolocation to commit felonies. There are countless instances of muggings and assaults because of players being lured into an area, only to be robbed. Criminals are putting a beacon known as a “Pokéstop” to bait nearby players into walking directly towards a trap for robbery or other crimes. The geolocation of the app allows would-be felons find players near them. As one police department put it after a robbery, the app allowed the muggers to find “people standing around in the middle of a parking lot or whatever other location they were in.”
In short, be a little more careful when engaging in this current craze. It is not worth losing sensitive data (or worse) over a few virtual creatures.
Photo credit: Pokemon