Two men recently fell off a cliff while playing Pokémon Go in San Diego. Two teens accidentally crossed the U.S.-Canadian border to catch the ubiquitous Pokémon characters. A driver in Baltimore, apparently distracted by the game, crashed into a parked police car. In New York, dozens of people dashed out of their vehicles to chase a Vaporeon through Central Park. Unfortunately, these lapses in judgment are not the only disturbing issues to arise from the Pokémon Go phenomenon.
Pokémon for the Uninitiated
For those of you who haven’t downloaded the insanely popular Pokémon Go app, the game basically gets you to travel around in real life and look for Pokémon characters to capture. Well, you don’t actually see Pokémon in real life (unless you’re in San Diego for Comic-Con). Instead, the characters appear on your mobile device – which you can find yourself staring at even more intently than usual. (It’s no wonder that some players lose sight of their surroundings, and even walk off cliffs.) The goal is to capture as many Pokémon as you can. While you’re playing, the app accesses your location and camera and keeps copious notes. Malicious hackers could obtain your Google login information as well as sensitive information you might have in your Google account.
Fans of the game praise it for getting people off the couch and exploring the world around them, and millions of players worldwide are certainly enthralled. But given the potential risks to personal data, our inner adult might say, “Put the phone down and just take a walk.”
Pokémon as Personal Assistant
[Update: According to the app store, Google has reduced Pokémon GO’s permissions so that the app can only access basic Google profile information.]
To access the Pokémon app, users must grant full access to their Google account. It doesn’t take an IT security genius to tell us that this means that someone exploiting the app could:
- Read and delete your email
- Send email as you
- Read, edit and delete your Google Drive documents
- Access your calendar, location and contacts
It also means that anyone who accesses the Pokémon servers could exploit that information as well. Malicious hackers could not only obtain your Google login information, but they could also access sensitive information you might have in your Google account, such as credit card numbers, security codes and medical information.
Pikachu Goes Phishing
Even if you’ve followed security protocols by the book and have never sent or received sensitive data via email, you’re still at risk. Because the app has access to your contacts and email, anyone who has access could send and receive emails as you.
This means that Janice in accounting could get an email from “you” asking her to remind you of your bank information, or Sean in IT could get an email from “you” asking for the network login. Trusting that you’re a legitimate employee, they could send that information back via email thinking you will get it – but, unwittingly, they’ve just compromised the entire company.
Hidden in Plain Site
The Pokémon app can access your personal information, including:
- First and last name
- Email address
- Telephone number
- Address and current location
- IP address and device identifier
- ISP name
- School or company name
The Pokémon App tracks your every move and uses that information to sell you things. Oliver Stone calls this “surveillance capitalism,” and warns that this type of access can be used to further manipulate our behavior.
Parents Be Warned
One of the more frightening aspects of Pokémon Go is the potential for kidnapping. Hackers love to exploit security holes in mobile apps, and Pokémon is an ideal app for tracking and locating individuals of interest. The fact that businesses and individuals can purchase “lures” to be placed in the game only heightens concerns.
Rules of Thumb
Pokémon Go is unquestionably fun for millions of players who’ve become enthralled with the game. That said, given the privacy issues involved, there are a few basic takeaways if you’re considering becoming one of them – or even if you’re already swept up:
3.) If you’re concerned about who and what may be connected to your Google account, review that information here.