Pokémon Go raises security and privacy concerns

The Android and iOS app has become a phenomenon

Major security and privacy concerns have arisen over Pokémon Go.

The Android and iOS app has become a phenomenon, with 2.94 million tweets from users in the UK - where the game isn't even officially available yet.

But hackers are spreading malware through the app. Pokémon Go is currently only available in certain countries, but that hasn't stopped eager trainers in countries such as the UK from "sideloading" the Android app onto their phones from sources outside Google's Play Store.

The malicious version of the app was discovered by Proofpoint, whose researchers found a repackaged Pokémon GO installer that included a remote access tool, or RAT, called DroidJack, which they say can give an attacker “full control over a victim’s phone.”

However, users who actually have the app (using US or other international accounts) should be relieved to find that separate reports of privacy concerns aren't as damning as first thought.

While the app is granted 'full access' to their Google account on Apple devices, the listed permission is somewhat misleading and is nowhere near as invasive as it seems.

Some execs within the IT and games industry have expressed concerns, while others have downplayed the security issues.

As reported by The Guardian, Slack security engineer Ari Rubenstein has confirmed that, despite the misleading entry, only basic permissions are granted to the app.

“‘Full account access’ is not the best wording, and should probably be changed on Google’s end,” Rubenstein wrote.

“My best guess for what is happening is that one of the scopes is a legacy ‘login’ scope from OAuth1 which may be leading the UI to default to ‘Full account access’, when in reality, it only has the above perms.”

Niantic, the app's developer, has responded to this controversy, saying: “We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user’s Google account.

“However, Pokémon Go only accesses basic Google profile information (specifically, your user ID and email address) and no other Google account information is or has been accessed or collected.

“Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go’s permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves.”
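The point both statements make is that the label on Google's consent screen ("Full account access") and the scopes an app actually requests are two different things. One way to check the latter directly is to read the `scope` parameter of the OAuth 2.0 authorization URL an app opens when you sign in, or the `scope` field of Google's tokeninfo response for an issued token, and compare it against the basic identity scopes. The script below is an added example written for this article; it is not code from Niantic, Google, Slack or The Guardian, and the client ID, redirect URI, URLs and tokeninfo JSON it contains are constructed sample inputs.

```python
"""Report which Google OAuth scopes an app really requests.

Added example for this article, not code from Niantic, Google or The Guardian.
It parses the `scope` parameter of an OAuth 2.0 authorize URL (the one an app
opens during "Sign in with Google") and the `scope` field of a tokeninfo
response, then lists anything beyond basic profile scopes. All sample URLs
and JSON below are constructed for illustration.
"""
import json
from urllib.parse import parse_qs, urlparse

# Scopes that expose only basic identity (user ID, email, name). Anything
# outside this set is reported so the reader can judge whether the app needs it.
BASIC_SCOPES = {
    "openid",
    "email",
    "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}


def scopes_from_authorize_url(url: str) -> set:
    """Return the set of scopes requested in a Google OAuth 2.0 authorize URL."""
    query = parse_qs(urlparse(url).query)
    # `scope` is one space-separated parameter (RFC 6749, section 3.3);
    # parse_qs has already percent-decoded it.
    raw = query.get("scope", [""])[0]
    return set(raw.split())


def scopes_from_tokeninfo(body: str) -> set:
    """Return the scopes recorded on an issued token from a tokeninfo JSON body."""
    data = json.loads(body)
    return set(data.get("scope", "").split())


def excess_scopes(scopes: set) -> set:
    """Scopes that go beyond basic profile access."""
    return scopes - BASIC_SCOPES


# Constructed sample: an authorize URL built by a least-privilege client
LEAST_PRIV_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=example-client-id"
    "&redirect_uri=com.example.app%3A%2Foauth&response_type=code"
    "&scope=openid%20email%20profile"
)

# Constructed sample: the same flow asking for a mailbox scope it does not need
OVERBROAD_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=example-client-id"
    "&redirect_uri=com.example.app%3A%2Foauth&response_type=code"
    "&scope=openid%20email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.readonly"
)

# Constructed sample in the shape of a https://oauth2.googleapis.com/tokeninfo reply
SAMPLE_TOKENINFO = json.dumps({
    "aud": "example-client-id",
    "scope": "openid https://www.googleapis.com/auth/userinfo.email",
    "expires_in": "3599",
})

if __name__ == "__main__":
    for name, url in (("least-privilege", LEAST_PRIV_URL), ("over-broad", OVERBROAD_URL)):
        extra = excess_scopes(scopes_from_authorize_url(url))
        print(f"{name} authorize URL: extra scopes = {sorted(extra) or 'none'}")
    token_extra = excess_scopes(scopes_from_tokeninfo(SAMPLE_TOKENINFO))
    print(f"issued token: extra scopes = {sorted(token_extra) or 'none'}")
```

To use it on a real sign-in, capture the authorize URL the app opens (a proxy or the device's browser history will show it) and pass that string to `scopes_from_authorize_url`; the consent-screen label is not needed, because the scope list is what the token will actually carry.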

The game has become a hit since launching last week in certain territories.

UPDATE: Pokémon Go has been updated to fix the Google access bug
