Is Pokémon GO a Security Risk?

Posted on August 5th, 2016 in: Security Threats

By now you’ve likely heard of, or are at least familiar with, Pokémon GO, the most popular mobile game in U.S. history. But are you aware of the “dark side” of this cultural craze?

  • Within just 5 hours of its release, the game rose to the top of the app download charts.
  • It was installed on 7.5 million devices – in just one week.
  • This is the equivalent of 5% of all Android devices in the US.

Not surprisingly, the game’s rise in popularity has many security experts concerned about the developer’s privacy policy and hidden vulnerabilities within the game.

Whether you’re a concerned parent or a business owner/manager worried about how this game might affect corporate security, here are the answers to your most pressing Pokémon GO questions.

1. What Is Pokémon GO’s Privacy Policy?

Most apps collect data about users. When Pokémon GO users first downloaded the app, however, they were required to sign in with a Google account and grant the app access to their data, camera and contacts. But that’s not all.

According to its privacy policy, Niantic (the company that developed the game for Nintendo’s Pokémon brand) may also collect your username, email address, IP address and the web pages you used prior to logging into the game.

On July 11th, Niantic issued a statement that they had “recently discovered the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account.”

They assured users that although the mistake allowed them the ability to dive deep into personal data, the app only accesses a user’s ID and email address. The statement then read, “No other Google account information is or has been accessed or collected.”

Pokémon GO is not “Free” – Advertisers Want Your Location Data

Many people have concerns about Niantic’s “flexible” privacy policy, which provides the company the ability to hand personally identifiable information (PII) over to law enforcement, share it with third parties or even sell it to the highest bidder.

Initial reports stating that Pokémon GO harvests detailed account information, like the content of emails, were incorrect.

But that information doesn’t matter to the owners of this popular app. They’re after something bigger – they want to know your location at all times so they can sell that information to advertisers.

Brands like McDonald’s (whose logo has already been found in Pokémon GO’s code) can pay the developers a big fee to turn their stores into desirable locations in the Pokémon universe. They’ll draw players to their location and encourage them to buy things “IRL” – in real life. Advertisers will be charged on a “cost per visit” basis, rather than the traditional “cost per click” basis that Google charges through AdWords.

2. Is Pokémon GO a Target for Cybercriminals?

The combination of a massive number of users and a large database of user information makes this app the perfect target for criminals and hackers.

If Niantic’s servers were hacked, cybercriminals could potentially harvest all your personally identifiable information (PII). Though the company hasn’t mentioned how they plan to store the data, they promise they are taking appropriate measures to protect it, the same data hackers are doing all they can to get their hands on right now.

3. What Are Other Major Security Concerns with Pokémon GO?

Pokémon GO has not only affected the cybersecurity of players, but it has jeopardized their safety in the real world.

Malware & Mirrored Websites

Since Pokémon GO was released in select countries only, cybercriminals jumped at the opportunity to create mirrored websites with fake versions of the app that contained malware and caused other harm to users’ smartphones. In just 4 days, they exploited this demand and assembled a repackaged download of Pokémon GO, complete with embedded malware.

Once a device is infected with this malware (specifically designed to target Android users), attackers could control its camera and microphone, and could even enable remote recording. In a bring your own device (BYOD) work environment, this clearly creates a huge security risk for the organization the individual works for.

Physical Security

In one recent story, armed robbers lured unsuspecting players into a trap. The criminals used the geolocation feature to attract Pokémon GO players to a remote area, then robbed them at gunpoint.

Although the Pokémon GO game has been well received, it is important that players make security a #1 priority no matter what.

4. Is Pokémon GO a Risk to the Bring Your Own Device (BYOD) Workplace?

Let’s be clear – Pokémon GO isn’t a unique BYOD threat. Any app installed on a personal device used for work is a potential risk, and the more popular the app, the larger the target. Since Pokémon GO is now the most popular mobile game in U.S. history, this app is a HUGE target for hackers right now.

This risk means there is a greater need for managed IT security and mobile device management (MDM). If employees are playing Pokémon GO on their personal phone they use for work, this presents the risk of exposing sensitive business data in the event of an attack – both in the cyber and physical world.

5. How Can I Stay Protected When Using Apps Like Pokémon GO?

  • Cybercriminals repackage popular apps with malware and deliver them through mirrored web pages designed to trick users. No matter what, never download an app from an “unofficial” market. If in doubt, search for “official [name of app] download page”.
  • Smartphones have never been so distracting. It’s more important now than ever to pay attention to your physical surroundings when engaged with your smartphone.
  • In a work environment, the best way to ensure sensitive business data doesn’t end up in the wrong hands is by taking BYOD seriously. This means establishing a BYOD policy, educating employees about the risks and leveraging a mobile device management system in the workplace.

With an MDM solution, business owners or managers have the ability to remotely wipe an individual’s data in the event the device is lost or stolen. This solution also allows for control over app management and restrictions on app purchases from non-approved markets.
