Pokémon GO has numerous security concerns
This article was first published in August 2016 but remains relevant.
Iran has become the first country to outright ban Pokémon GO outright. Despite restrictions on internet usage in Iran the BBC says, “there have been a number of discussion on social media about the game.”
They then added, “The Iranian High Council of Virtual Spaces, which is the official body overseeing online activity took the decision to ban the game after having tried to see to what extent the game’s creators would co-operate with them.” It is not known what cooperation was requested.
What’s on Dubai says Pokémon GO “is slowly beginning to take over.” However, Pokémon GO from developer Niantic has only been released officially in the US, UK and Australia. For those not in the know, it is a craze to catch virtual monsters in real world settings. As well as safety concerns of people playing it in dangerous areas, there seems to be a very real number of security concerns.
So what are the issues and potential threats associated with this growing craze? Philip Ingram MBE takes a look.
In the terms and conditions for the game it clearly states that the data used by the game, and this is personal data, locational data and with the option for the user to photograph themselves with their captured Pokémon character, photo data, could be moved to USA based servers; essentially bypassing any home country security or privacy laws given the option to capture local images. This will “almost certainly have concerned the Iranians”, James Abernethy a former British Intelligence officer told Security News Desk.
Thomas Rid, Professor of Security Studies with King’s College Londonhas said guidelines for US military and government workers when using Pokémon Gowere shared with him by a US government officer. They discuss Operational Security (OPSEC) best practices and include “avoiding playing the game anywhere that shouldn’t be geo-tagged, not using a personal Gmail account with the game or a username associated with your social media accounts, exercising caution when taking pictures of Pokémon with the in-game augmented reality camera, and staying aware of your surroundings.” Rid then notes this is, “generally good advice even if you aren’t an intelligence officer.” The Indonesian police have banned its use whilst on duty.
The issue with Gmail was identified by the blogger Adam Reeve who wrote, “To play the game you need an account. Weirdly, Niantic won’t let you just create one – you need to sign in with an existing account from one of two services – the pokemon.com website or Google. Now the Pokémonsite is for some reason not accepting new signups right now so if you’re not already registered there you’ll need to use a Google account – and that’s where the fun begins.”
He went on to highlight how logging in via your google account gave Pokémon Go full access to all of your Google account services, ie they could see and modify anything to do with your account.
Niantic quickly released a statement on their website saying, “We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.”
It seems the developers of the game got it out to market before all of the security implications around the app had been considered. If that wasn’t enough a leading cyber security company has commented on potential issues where the game is available on BYOD in the workplace.
Devin Jones, SVP of Product Management at Cyber adapt said, “The release and popularity of Pokémon Go came out of the blue for everyone except the 40 million teenagers in the United States. This application provides an interesting case study that illustrates the risks of BYOD in the enterprise. Businesses can’t prevent users from downloading apps on their personal devices and those apps will drive traffic to and from the corporate network. How does a business maintain control and visibility of their corporate traffic when users are hunting down virtual monsters and sharing GPS coordinates directly with other users? More importantly, how do you know that GPS tracking packets aren’t exfiltrating your financials?”
Vladimir Kuskov, Security expert at Kaspersky Lab outlined another flaw, that could cause the BYOD problem when working on android devices: “The Android version of the Pokémon Go app has been affected with malware called the “HEUR:Trojan-Spy.AndroidOS.Sandr.a” and there has been a lot of advice online about how to get the app early if it has not been made available in a certain country.”
Kuskov concluded, “The use of popular online games as a vehicle for installing malware is well known, and the best way to protect yourself and your device is to only install apps from official app stores and to complement this with an appropriate security solution. Don’t take short cuts, disable device security or download software from an unverified source; it’s just not worth it.”
This article was first published in August 2016 but remains relevant – for further comment from Philip Ingram please visit the contact us page.