Pokémon Go Security and Privacy Risks: Gotta Catch Them All?

By Conner Sinclair | Online Security

Last Updated on

The mantra of just about every millennial’s childhood seemed to be “gotta catch ‘em all.” And this month, Pokémon fans rejoiced as the biggest thing to happen inside the world of Pokémon since the Gameboy games hit the market. Pokémon Go has skyrocketed in popularity, causing a bit of an uproar.

There have been numerous reports of people who trespassed on private property (and were even arrested) in order to catch a rare or legendary Pokémon. And the growth statistics are nothing short of unbelievable. Within the first week after the launch, there were more Pokémon Go users than Tinder users. It seems that everyone can’t wait to catch a few more pocket monsters.

But it’s not all sunshine and daisies. The ugly truth is that there are some serious security concerns that you need to consider before continuing playing the game. If you haven’t downloaded the app yet, take a moment to read through the security flaws before making a decision.

Gmail Concerns

Pokémon-Go

Pokémon Go was created by Niantic Labs, which was formerly owned by Google (which has now been restructured under Alphabet). One of the largest security concerns is that the game has full access to their Gmail accounts.

By default, the Pokémon Go game has an alarming amount of control over user accounts via Gmail, which essentially grants developers access to everything connected to their Gmail account (drive, Google+, etc.).

And right now, there isn’t really a secure alternative. You see, when users first fire up the app, they can choose to either use their Google account or opt to sign up through the  Pokémon Trainer Club. The Trainer Club is more secure since it isn’t linked with your Gmail account, but unfortunately, registration has been suspended via tha Trainer Club because of unfathomably high demand.

This lack of a secure alternative leaves many users with Pokémon fever throwing caution to the wind and signing up with Gmail anyway. And what’s worse is that the game doesn’t present an option during the installation process that helps a user edit settings that would limit Niantic Lab’s access. And it’s really challenging to successfully limit access.

The default setting is for the app to have “full account access.” But on iOS devices, there’s no way to edit the permissions. The only other option is to completely revoke account access.

It’s similarly troubling for Android users as well, because the app doesn’t show up under Google account security permissions.

This massive Gmail flaw means that developers, technicians, and people you’ve never seen in your life could access all of your email, photos, videos, and other data saved in the cloud. Now consider that most web servers use email as a way to verify users’ credentials and to signup for services.

For instance, if someone had access to your Gmail, they could likely easily use account recovery methods on other sites to reset your password, and thus hack into other sites that you frequent (like Facebook or Twitter).

The Privacy Policy

Pokémon Go

Niantic Labs clearly outlines what information they collect and share in their privacy policy, but it’s rather frightening. As you may have guessed, Niantic Labs gathers a ton of location information from your smartphone, leading many to believe they could be more easily tracked.

Many have speculated that law enforcement and federal agencies could locate an individual by obtaining a court order that would cause Niantic to forfeit GPS information on individual users. The crux of the issue is that Pokémon Go is and augmented reality game, which wouldn’t be possible without location data. In particular, Niantic Labs claims the following on their website:

“The App is a location based game. We collect and store information about your (or your authorized child’s) location when you (or your authorized child) use our App and take game actions that use the location services made available through your (or your authorized child’s) device’s mobile operating system, which makes use of cell/mobile tower triangulation, wifi triangulation, and/or GPS.”

The data they collect is already troubling enough, but now consider two additional factors. First of all, Google has complied with the NSA in wiretapping scandals in the past (such as PRISM). In addition to the NSA having access to your Gmail account, playing Pokémon Go allows yet another entity to access your account.

Adding them together, you already have two entities that could snoop through your data and crush your privacy. But things get worse. In their privacy policy, Niantic reserves the right to share data with other third parties as follows:

“We may disclose any information about you to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate:

(a) to respond to claims, legal process (including subpoenas); (b) to protect our property, rights, and safety and the property, rights, and safety of a third party or the public in general; and (c) to stop any activity that we consider illegal, unethical, or legally actionable activity.”

Reserving the right to share information in the realm of governmental compliance is actually pretty typical of digital services and apps. But the part that worries me is the line that says they reserve the right to share information in order to protect their property, rights, and safety for any activities they deem to be unethical.

Basically, they can make a judgment call whether or not to share your information. What happens if they think you’re up to no good, only to find out that you didn’t break any laws or misuse their service? To put it bluntly, this is a security and privacy nightmare!

The good news is that they seem to make it simple to modify or delete your account, as well as any stored data. Users can rescind their consent, but doing so can bar users from enjoying the game’s full features and functionality. The contact page seems to be designed for another one of Niantic’s products, called Ingress, thought it should work for Pokémon Go as well.

It’s also worth noting that once an account is deleted, it cannot be recovered, and the email address associated with the deleted account cannot be used to create future accounts.

A Reasonable Alternative

Pokémon

So you don’t want to be left out when all of your friends are having fun catching Pokémon. But you don’t want to give strangers in the cloud access to your data, either. The good news is that there is one suitable alternative option.

Probably the best solution I’ve come across is to simply setup a “dummy” email account through Gmail. This account should never be used to send emails or store data on Google Drive. Instead, it only exists to serve your Pokémon Go addiction.

Bear in mind, this isn’t the most secure alternative. Niantic will still be able to collect information about you (like your physical location, IP address, etc.) and then share that data with third parties. However, at least you’ll be able to rest assured that even though they can access your fake Gmail account, there’s nothing in there for them to view.

Personally, I’d recommend practicing discipline and self control, and just abstain from indulging in the latest Pokémon fad. It’ll pass in time, and I think the security and privacy drawbacks outweigh any ephemeral satisfaction gained from capturing Pokémon.

Final Thoughts

PokémonGo

Fads come and go, but there hasn’t been such an explosion of a cutting-edge technology like Pokémon Go ever before. Unfortunately, Pokémon Go is extremely aggressive regarding the permissions that it requests by default.

There are many security concerns, including allowing third parties to access your Gmail, physical location tracking, the ability of Niantic to track data and share your information with others, and even physical threats.

Believe it or not, some people have used the game to rob people. There are many tactics, but the idea goes something like this, “Excuse me, if it’s not too much trouble, could I try to catch the Pokémon hiding on your property?” There really is a sucker born every minute, and some people blindly trusted others, and ended up getting robbed.

Don’t get me wrong, I loved Pokémon as a child. And I can see why so many people like it today – it’s probably about as close as we’ll ever get to a real Pokémon experience without virtual reality. But for me, the security and privacy risks are too much. I highly recommend you, at the very least, use a fresh “dummy” Gmail account.

If you don’t, you have no idea who could be snooping through your private information!

Follow

About the Author

Conner is a self-professed tech nerd, obsessed with digital security and privacy. He loves debugging "lost causes" and thwarting hackers. When not in his depressing cubicle in Corporate America, he's blogging here.