July 26, 2016
'Pokémon GO' Poses Multiple Security Risks

No one needs an internet connection to see the extent to which the new Pokémon GO app has taken over the lives of millions around the world.

The app spent the weekend smashing records. A few days after launch, it had more registered users than Tinder. It looked as though the app would reintroduce Nintendo as an infallible gaming hero. But, after reports of potentially catastrophic security issues, the once-elated users began turning on Niantic, the primary creator of the app.

Trouble arrived in Pokémon world in the form of a Tumblr post by Adam Reeve, a principal architect at the firm Red Owl Analytics. According to Reeve, when a new user downloads Pokémon GO, and logs in through Google, Niantic receives full access to the individual Google account. Full access suggests that Niantic and Pokémon GO have the ability to:

  • read emails,
  • access Google Drive accounts,
  • view search histories,
  • look at Google Maps histories,
  • access photos in Google Photos.

There is no certifiable proof that Niantic cannot do these things. However, it is unlikely that the game creator is logging into individual players' accounts.

[Photo By David Hamilton/AP Images]
According to Google, the full account access in this case refers to accessing the settings of the Google account which allows for reverse phone lookup. If Niantic could access users' Gmail accounts or other applications, the permission would say so explicitly.

Niantic also put out a press release saying they only use the profile information, and calling the full access permission a system error.

Other security experts have also suggested that the likelihood of Niantic trawling through users' Google data is slim.

Still, Google's own definition of "full account access" is problematic. According to Google's privacy setting site, granting full account access to an application means that the app is able to both see and change information. Technically, the access allows the app to read and send emails, if that is what the app wants to do.

Google also says that users should only grant this kind of access to applications that they know are trustworthy.

It is also important to note that just because Niantic's permission request was a coding error does not mean the company could not access private information like emails. Whether or not it chose to is a different matter.

Questions still remain about the data collected through the wildly popular mobile game despite the clarification.

New users must sign in either via their Google account or a Pokemon.com account. At the time of writing, Pokemon.com was no longer accepting new sign-ups. There is also no way to create a new Google account in-app. Thus, to sign up immediately, entering existing Google information is the easiest way forward.

There is also a strong relationship between Niantic and Google.

Niantic started out as a pet project at Google.

In fact, Niantic began when Google executive John Hanke, who worked on the Google Earth and Google Maps projects, put together a small group of engineers to build apps on Google's map technology.

Niantic was released from the family after the creation of Alphabet. It is now an independent company. However, its close associations with Google, including Google's significant investment in the firm, present new questions about the coding error that inadvertently granted the firm so much data.

There is also the question of the security systems used by Niantic. Even if the access was a simple coding error, the information and access were still available. Availability means vulnerability on the internet. Niantic has not yet confirmed the safety measures used to protect user data.

Regardless of the implications of past or present uses of data, the new Pokémon app has clearly catapulted augmented reality into the mainstream market.
