
Pokemon Go: A new Rising Cyber Threat

July 25, 2016 by Irfan Shakeel

Earlier this month, people encountered the new mobile gaming pop-culture phenomenon that is Pokemon Go. It has been downloaded by millions of users around the world, making it the biggest mobile game in US history.

The augmented-reality mobile game is what everyone wants for their spare time. With Pokemon Go, the real world becomes a virtual safari park in which you roam around catching wild Pokemon. Its initial target market was Australia and New Zealand, but due to huge interest from users around the world, the app launched globally within days.

After Pokemon gained the interest of millions through its cartoon series, everyone was looking for the Pokemon trend to continue in the form of movies, games and more, which Pokemon Go has done brilliantly.

According to data from SurveyMonkey Intelligence, as of earlier this week around 26 million Americans have played Pokemon Go on Android and iOS devices, and there is no sign of slowing down. This is extraordinary for a mobile game and makes it a top-10 app by daily active users.

Pokemon Go has already proven itself to be a global phenomenon. The game is doing a great job of getting gamers out into the real world with social activities as well. It's nearly impossible to walk down the street without seeing dozens of people catching Pokemon and roaming around.

The download figures show that iOS users are more likely than Android users to play this app, and the download rate has already beaten many famous applications like Snapchat, Facebook, Twitter, Instagram and others. At its recent rate of 4-5 million downloads every day, by September the app would be on every single smartphone in the United States.

https://www.surveymonkey.com/business/intelligence/early-pokemon-go-retention/

While the game is beating many other social applications in terms of daily active users, there are many security concerns that need to be addressed soon if this app is to remain a hit for years.

Before you start catching Pokemon, you have to sign up. There are two options: a Pokemon Trainer account or a Gmail account. Most users don't like creating new accounts, since remembering yet another password is a hassle and also leads to password reuse. That's why most users sign up with an existing account.


The real threat lies in the sign-up step. The permissions you grant the app while installing and signing up are the main concern. Pokemon Go has become a security concern for users who signed up with their Google accounts: they discovered that the game had full access to those accounts.


At installation time, the permission agreement stated that the app might request access to contacts and location, modify or delete the contents of USB storage, have full network access, and more. Many users simply accept it without reading the terms and conditions, which leaves them at high security risk.


The developer of Pokémon Go, Niantic, Inc., was founded by John Hanke, who previously received funding from the CIA's venture capital firm In-Q-Tel to develop what eventually became Google Earth. So there is no doubt that this may be a new project to spy on individuals through a gaming app. It may be a global surveillance operation conducted and funded by the CIA, as it is the easiest way to trick users into actually granting permission for it, in quite an intelligent way.

Unknowingly giving complete access to your Google account is like a fraud that Pokemon Go commits by requesting such detailed access for its app. It is suspicious: why would they require such information? It's just a game; what does it have to do with my Google account?

Pokemon Go lets us enter an augmented-reality game world that accesses our camera and location to catch Pokemon. Maybe it's a trap by the CIA to take real-time ground-level footage of cities, homes, basements and personal rooms where a spy satellite or any other spying device can't reach. In that sense, this game is ideal for spying, as it does not require much investment, hardware or hard work.

The worst part is that when we looked at Pokemon Go's privacy policy, it shows that the game gathers personal information like email address, birth date, privacy settings and more: "During gameplay and when you (or your authorized child) register to create an account with us, we'll collect certain information that can be used to identify or recognize you (or your authorized child) Personally Identifiable Information (PII)."

This raises a big question: why do they need such confidential information just for playing a game? "Mobile apps are notorious for requesting excessive permissions, something that users should scrutinize whenever installing a new app," said Javvad Malik, security advocate at AlienVault.

Niantic (the company behind this application) has released a statement regarding the full access to Google accounts requested on sign-up for the game.

"We recently discovered that the Pokemon GO account creation process on iOS erroneously requests full access permission for the user's Google account. However, Pokemon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokemon GO or Niantic. Google will soon reduce Pokemon GO's permission to only the basic profile data that Pokemon GO needs, and users do not need to take any actions themselves."
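The gap Niantic describes, a client requesting far more than the basic profile a sign-in needs, is something a developer or app reviewer can check before shipping. The audit below is an added example (not code from the article or from Niantic): it parses an OAuth 2.0 authorization request URL and flags every requested scope that is not one of the standard basic-profile scopes. The sample URLs are constructed, and the `full-account-access` scope is a placeholder standing in for whatever broad scope the iOS client actually requested.

```python
from urllib.parse import parse_qs, urlparse

# Least-privilege scopes for a "sign in with Google" login. These expose only
# the basic profile (user id, email, name), which is all Niantic says the game
# uses. The names are the standard OpenID Connect / Google userinfo scopes.
BASIC_PROFILE_SCOPES = {
    "openid",
    "email",
    "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

# Constructed sample requests (not captured from the real app). The second one
# uses an obviously fake placeholder scope standing in for a full-account scope.
LEAST_PRIVILEGE_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=example-client"
    "&redirect_uri=com.example.game%3A%2Foauth&response_type=code"
    "&scope=openid+email+profile"
)
OVERBROAD_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=example-client"
    "&redirect_uri=com.example.game%3A%2Foauth&response_type=code"
    "&scope=openid%20email%20https%3A%2F%2Fexample.invalid%2Fscope%2Ffull-account-access"
)


def requested_scopes(auth_url):
    """Return the set of scopes in an OAuth 2.0 authorization request URL.
    OAuth packs multiple scopes into one space-separated 'scope' parameter;
    parse_qs decodes both '+' and '%20' to spaces before we split."""
    query = parse_qs(urlparse(auth_url).query)
    return set(query.get("scope", [""])[0].split())


def audit_scopes(auth_url):
    """Compare requested scopes with the allowlist and report any excess."""
    scopes = requested_scopes(auth_url)
    excess = sorted(s for s in scopes if s not in BASIC_PROFILE_SCOPES)
    return {
        "requested": sorted(scopes),
        "excess": excess,
        # A request with no scope at all is also not a least-privilege login.
        "least_privilege": bool(scopes) and not excess,
    }


if __name__ == "__main__":
    for url in (LEAST_PRIVILEGE_URL, OVERBROAD_URL):
        report = audit_scopes(url)
        verdict = "OK" if report["least_privilege"] else "OVER-BROAD"
        print(verdict, report["excess"] or report["requested"])
```

The same check can be run against the URL an app opens in the system browser or web view during sign-in, which is where the over-broad request in the iOS client would have been visible.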

The immediate success of Pokemon Go has already drawn millions of users away from the most popular social media websites like Facebook, Twitter and others; people are spending more time on Pokemon than on social media sites. The app has become a great competitor in less than a month and is expected to rule the world with the craze for wild Pokemon.

The devastating security effect of Pokemon Go is not limited to what we have discussed; it's more than that. By installing this app, you granted it permission to access all your PII and your Google account. The game's privacy policy explicitly states that the data it collects, including personally identifiable information (PII), is "considered to be a business asset." And the threat does not stop there: what if the company goes out of business or is sold to someone else? The information gathered for so-called "recognizing individuals" will be sold along with the company.

According to the Nowadays news channel on YouTube, a teen crossed a dangerous highway to catch a Pokemon while playing Pokemon Go and was hit by a car. That is not the only case; people are also being targeted by snatchers while searching for Pokemon.

The most common and obvious reason behind this danger is that players are not paying attention to where they are walking while they attempt to earn experience and level up.

The game's tracking system encourages users to look down at their phones often to see whether they are getting closer to or further from a particular catch, and this makes it a little too easy to stare at the phone while walking instead of watching the path ahead. In the best-case scenario this leads to walking into a stranger, but near busy streets and construction zones the risks leap exponentially.

So Pokemon Go has created many potential threats to human life and personal information, and that is the main challenge in this evolving world where cyber security risks are being raised by applications like this.

Pennsylvania State Police have released an alert for citizens regarding the interactive virtual game for mobile devices. It's not the only state to recognize this threat; Canada has also warned its citizens about the risks behind this application.

Now it's up to you whether you want to surrender your personal information like this or take some countermeasures. To prevent Pokemon Go from accessing your personal information, change the permission settings in your Google account.

If you did sign up with your Google account, here's how to revoke access:

  • Log in to your Google account and open up the "Apps connected to your account" page.
  • Scroll down to "Pokemon Go," then hit "Remove Access."
  • Confirm by hitting "OK."

The extensive information access by this application has dragged companies into a new threat. If their employees are playing such games on their mobile devices and performing business operations on the same device, it will be massive trouble if something goes wrong or the device gets hacked. So companies should conduct awareness programs for their employees and keep an eye on business usage of personal devices to prevent a bigger loss.

Irfan Shakeel

Irfan Shakeel is the founder & CEO of ehacking.net, an engineer, penetration tester and security researcher. He specializes in network and VoIP penetration testing and digital forensics. He is the author of the book titled "Hacking from Scratch". He loves to provide training and consultancy services, and works as an independent security researcher.