Researcher Helps Put a Stop to GO App Privacy Flaw

By: Krista M. | Cyber Threat Intelligence Analyst, NJCCIC

Image Source: Nintendo

Over the weekend, an “augmented reality” game called Pokémon GO took America’s mobile phone users by storm and soared in popularity practically overnight. Created by video game giant Nintendo and mobile game developer Niantic, the Pokémon GO app became an instant hit on both the Android and iOS platforms as people downloaded it in record numbers. Its usage quickly surpassed that of the popular dating app Tinder and social media platforms such as Instagram, Facebook, and Snapchat. By Monday morning, everyone from radio hosts to newscasters was talking about the game, and you could hardly go anywhere without seeing people walking around and pivoting in unusual patterns while holding their phones out in front of them.

For those unfamiliar with how the game works, the player must use his or her mobile phone’s camera and GPS function to find locations where imaginary characters, called Pokémon, are hiding. Once found, players can “capture” the cartoon creatures and advance through the game. On the one hand, it’s a clever way to get people outside and encourage human interaction and exercise. Several businesses even found ways to capitalize on the viral gaming sensation by luring players to their establishments with additional characters and game features. On the other hand, as a cyber threat analyst, I was curious to see what, if any, negative ramifications would result from a free game that was being installed so quickly by so many seemingly without any regard for safety and security.

It wasn’t long before alerts from law enforcement began to surface warning gamers about the hazards of not being aware of their surroundings while playing. Both pedestrians and drivers are becoming distracted by the game, creating potentially deadly situations. Wednesday night, a driver in New York “admitted to actively playing the Pokémon GO game while driving causing him to become distracted and run off the roadway into a tree,” according to police. Trespassing has also become an issue, as some Pokémon GO enthusiasts have been seen wandering around at all hours of the night and walking across private property in pursuit of Pokémon. A report out of Missouri claimed that four teenagers used the game to lure victims into secluded areas, where they proceeded to rob them at gunpoint. What caught my eye, though, was a blog post by a security researcher suggesting that the account permissions required by the app on the iOS platform were suspicious, as it seemed to gain “full access” to the Google account used to sign into the game.

This alarmed the cybersecurity community because the app gave no warning about the access it required; the scope of that access was only discovered when the researcher checked his Google account to see which apps could access his data. Android users were a little more fortunate, as they were shown the requested permissions and were able to uncheck certain ones before allowing the app to continue with the installation. However, the fact that any app would require full access to users’ email accounts is concerning, to say the least, especially since the other option of creating an account within the game was mysteriously disabled. Criticisms and warnings flooded social media feeds, and Niantic took notice. To the company’s credit, it quickly released an update for the app to address the security concerns, apologized to users, and reduced the permissions to allow access only to the user’s email address and associated name.
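The fix Niantic shipped amounts to a least-privilege change in the sign-in request: ask only for the identity claims the game needs (email address and name) rather than broad account access. The example below is added here and is not code from the post, from Niantic or from Google; it builds a Google sign-in authorization URL from a list of requested scopes and audits that URL against an allow-list, so a reviewer can catch an over-broad request before it reaches users. The standard OpenID Connect scopes `openid`, `email` and `profile` are real; the “full account access” scope string, the client id, redirect URI and state value are all constructed placeholders, and Google’s authorization endpoint is named but never contacted.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Google's OAuth 2.0 authorization endpoint. The example only builds and
# inspects URLs; it never sends a request to this address.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# Standard OpenID Connect scopes: enough to learn the user's e-mail address
# and name, and nothing else. This is the allow-list a reviewer signs off on.
MINIMAL_SCOPES = ("openid", "email", "profile")

# Constructed placeholder standing in for an over-broad "whole account" scope.
# It is NOT a real Google scope identifier.
PLACEHOLDER_FULL_ACCESS_SCOPE = "https://example.invalid/auth/PLACEHOLDER-full-account-access"


def build_auth_url(client_id, redirect_uri, scopes, state):
    """Assemble an OAuth 2.0 authorization-code request URL.

    The space-separated `scope` parameter is what the consent screen (and the
    user's "apps with account access" page) is built from, so it is the single
    place to keep narrow.
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,  # CSRF token bound to the user's session
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def scopes_in_url(url):
    """Recover the requested scopes from an authorization URL."""
    query = parse_qs(urlparse(url).query)
    return tuple(query.get("scope", [""])[0].split())


def excess_scopes(requested, allowed=MINIMAL_SCOPES):
    """Return every requested scope that is not on the allow-list, sorted."""
    return sorted(set(requested) - set(allowed))


def review_sign_in(url, allowed=MINIMAL_SCOPES):
    """Pass/fail check for a sign-in URL: (ok, list_of_excess_scopes)."""
    excess = excess_scopes(scopes_in_url(url), allowed)
    return (len(excess) == 0, excess)


# Constructed sample requests: the "before" asks for identity plus the
# placeholder full-access scope, the "after" asks for identity only.
CLIENT_ID = "placeholder-client-id.apps.example.invalid"
REDIRECT_URI = "https://game.example.invalid/oauth/callback"
STATE = "placeholder-random-state"

OVERBROAD_URL = build_auth_url(
    CLIENT_ID, REDIRECT_URI,
    ("openid", "email", "profile", PLACEHOLDER_FULL_ACCESS_SCOPE), STATE)
MINIMAL_URL = build_auth_url(CLIENT_ID, REDIRECT_URI, MINIMAL_SCOPES, STATE)


if __name__ == "__main__":
    for label, url in (("before", OVERBROAD_URL), ("after", MINIMAL_URL)):
        ok, excess = review_sign_in(url)
        verdict = "OK" if ok else "FAIL, excess scopes: " + ", ".join(excess)
        print(f"{label}: {verdict}")
```

The allow-list approach is deliberate: a denylist of “dangerous” scopes has to be updated every time a provider adds one, whereas an allow-list of exactly what the app needs fails closed on anything new. The same check can run in CI against the app’s sign-in configuration, and users can apply the equivalent review by hand on the account page where connected apps and their granted access are listed.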

However, in a world where cybersecurity is a rapidly growing concern among individuals and businesses alike, it’s a little unsettling how something like this could be the result of a simple mistake or oversight. Even if the company did not plan on accessing users’ email accounts for its own benefit, it certainly could have created an avenue for hackers or insider threats to acquire that access, putting users at risk of further compromise of their accounts and devices. Nonetheless, this can serve as an important reminder to be mindful of what permissions various apps have on mobile devices and to avoid installing any app that requires access to features and settings it does not need in order to function. Also, make sure to download apps only from reputable and trusted sources, such as the Apple App Store or Google Play Store. Criminals often capitalize on the popularity of an app by creating malicious imitations to fool users, as was the case with the phony Android Pokémon GO app spotted by researchers this week.

For more information on how to keep your mobile devices safe, please visit the NJCCIC’s Mobile Malware Threat Profile.