Pokemon GO: giving hackers direct access to your phone
Pokemon GO took the world by storm over one weekend. Clusters of teens and adults alike are sweeping the streets nabbing animated creatures with their mobile phones.
With access to your clock and GPS, the app makes Pokemon (augmented animals such as dragons, rats, and turtles) appear in the real world around you. As a ‘trainer’, you are to build up your Pokemon so that they can fight each other. The app uses Google Maps to guide you.
But what else does the app have access to?
On sign-up, you will be asked to provide your Google login. Apps commonly use existing credentials rather than creating their own to speed up installation and make sign-up easy. However, in the case of Pokemon GO, Niantic Labs, the app’s developers, offer no clear limitation on what the app has access to.
There is no mention of what Niantic Labs intends to do with the data it accesses, but users should be aware that full access to a user’s personal data is a huge security risk.
The legitimate app has full access to your private information, but what if that access were to end up in the hands of, say, a malware developer, or an organisation managing a botnet? What security measures do Niantic Labs have in place to protect the mass of data they have obtained? We aren’t sure.
Further, in some countries, the app hasn’t been released yet. Players are downloading the game from third-party sites which have teamed up with malware developers. Exploitative versions of the app are giving hackers backdoor access to mobile phones all over the world.
By logging in to the app, you are granting full access to a company that has amassed huge amounts of their users’ personal information without any explanation as to how it will be used, and to any hacker or malware developer who has managed to access it.
Malicious apps can be hard to differentiate from legitimate ones, particularly if they are operating quietly in the background.
So, what can you do to keep your data safe?
- Download the original app from either the official Apple App Store or Google Play. If it isn’t out in your country yet, please wait for the official release.
- Create a brand new Google account dedicated to the game. Ensure it has no connection to your other personal accounts.
- Stay away from third-party download sites.