On July 6, Niantic launched Pokemon Go — a free, augmented reality game for iOS and Android devices. The world went wild. Pokemon Go grabbed 26 million users in the U.S. alone, surpassing both Google Maps and Twitter in daily active users.
It’s been hard to escape the colorful news over the past week. Articles continue to surface on where to find the best Pokemon, how to catch them, and (most importantly) how to stay safe while doing so. In addition to warning users to be aware of their physical surroundings, many headlines warn of the cybersecurity risks involved with the game.
Full Google Account Access
One of the main concerns was Pokemon Go’s access to iOS users’ full Google Accounts. Although the app was vague on what this entailed, many privacy experts and users were concerned the game could access everything from Gmail to Google Drive.
Niantic was quick to respond to the alarm, claiming this was an error. “Pokémon Go only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected,” Niantic said in a joint statement with The Pokemon Company.
The statement also clarified that no additional information has been received or accessed within Google. Instead of potentially accessing your entire Google footprint, the app can now only access your Google user ID and email address.
Pokemon Go is currently available only in the United States, Australia, New Zealand, and the United Kingdom, though it will soon be available in Italy, Spain and Portugal. While other regions wait for their chance to build their Pokedexes, many over-eager gamers are downloading versions from third-party sites.
“When it comes to malware, you really don’t want to catch ’em all,” Tim Erlin, Director, Security and IT Risk Strategist at Tripwire, told InformationSecurityBuzz.com. “Cybercriminals are after any angle that helps them gain a foothold on your devices. A popular app that’s not available in some places is a near-perfect target for crafting a malware delivery strategy. … Installing software from third-party markets and unknown sources increases your risk of malware. Period.”
The security firm Proofpoint claims to have found a third-party version of the game that included a RAT, or remote access tool, called DroidJack. While Proofpoint has not observed the malicious tool “in the wild,” DroidJack has the potential to give a cybercriminal full control over a victim’s phone.
Take Action: If Pokemon Go is not currently available in your area, be patient. Do not risk infecting your phone and devices with malware. Android users should also take care to download the app from the App Store.
Watch Where You Work
The cybersecurity risks around Pokemon Go give employers a great opportunity to create a conversation around BYOD security (and time management) in the workplace. Companies and employees should be aware that a device infected with malware could affect the entire network’s security.
Take Action: Brush up on our best practices for protecting your business.
Create a Conversation with Kids
While apps – and Pokemon – are meant for fun, it’s important to examine the privacy policies of all your apps to ensure you are not over-sharing data. This can help lead into a conversation with your family, and especially your kids, about privacy and security.
Discuss what types of information should be kept private, both online and in person. Discuss concerns over connecting devices to public Wi-Fi, and how to recognize a scam. Creating a conversation now can lead to better cybersecurity habits later.
Take Action: We discuss more tips for talking to your kids about privacy.