Security Risks of Pokémon GO!

Pokémon GO allows players to flit between the real and virtual world to capture different creatures which appear on phone screens in a number of real-life locations (the map of the game is pictured above).

WHAT POKEMON GO CAN ACCESS

‘When you grant full account access, the application can see and modify nearly all information in your Google Account,’ Google says.

‘This “Full account access” privilege should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet.’

Information that can be accessed includes:

  • All your email, including the ability to send email as you
  • All your Google Drive documents (including deleting them)
  • Search history and Maps navigation history
  • Access to private photos stored in Google Photos

The maker of Pokémon GO promises it has no plans to catch all the information on your Google account.

Niantic Labs, maker of the augmented reality game for smartphones, said in a statement Monday the game’s request to access all of a player’s Google account in order for a player to sign up is an “error,” and it only needs an account name and an email address.

“Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access,” wrote Niantic, a spin-off of Alphabet, Google’s parent company, in a statement. “Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.”

Though it appears the request was just an honest programming mistake, the request, say cybersecurity experts, brings to light the debate about how much mobile apps can access your personal information, and how that information can be manipulated or stolen.

“What something like this points to is how easy it is to make applications overly permissive,” Kevin Butler, an information security professor at the University of Florida who specializes in information security, tells The Christian Science Monitor in a phone interview Tuesday. “This is a problem with smartphones and other types of devices that are permission based.”

“It’s really important to understand what the consequences of permissions are, and find ways to ensure that app developers are not ‘over-permissioning’ their apps because of the security consequences involved,” he adds.

With any of these apps, however, it’s unclear how the information will be used. Pokémon GO’s privacy policy, for the most part, prohibits it from selling a player’s personal information to third parties (unless, for instance, Niantic is bought out). But Niantic could be hacked, and its trove of user data stolen. More concerning to some is if malware or software bugs target a user’s phone. Malware, for example, could trick a user into thinking they are giving Pokémon GO permission to access their Google account when, in fact, they are actually giving it to a hacker.

Given all of these unknowns, Clifford Neuman, director of the University of Southern California’s Center for Computer Systems Security, isn’t sure he’d play Pokémon GO at all. He isn’t into these games, he said. If he were, though, he would use a separate phone, and create a separate Google account, so it doesn’t access any more of his personal information.

“The problem with this, as well as the problem with all these other apps, is there isn’t a way, when you’re installing it, to say, ‘Well, it wants this permission. I’m going to deny it, but still install it,’ ” says Dr. Neuman. “That would be a much better way to do things from a security perspective. That’s where we really need to get to. Of course, app developers want unfettered access to just about everything.”
