What Pokémon GO Is Teaching Us About Mobile Device Security

Last updated: August 19, 2016

If you haven’t yet heard of the Pokémon GO phenomenon, it’s possible you’ve been transported to an alternate reality. Because it is a THING. Actually, it is a BIG THING. (This has been confirmed by my kids, their pals, several coworkers, and about a bajillion news stories. I’ll take “Things I Don’t Understand Because I’m Old and Lame” for $400, Alex.)

As is the case with most BIG THINGs, the spotlight draws the honest and the dishonest. And given that Pokémon GO lives in the mobile world, the exploitability of this digital dynamo is drawing cybercriminals and scammers to Pikachu and company like moths to a flame (as is evidenced by the phishing attacks that were afoot in what seemed like seconds).

But let’s not dismiss this as a Pokémon-specific issue. Many of the security issues with Pokémon GO are not unique. In fact, all are likely to exist in apps that have been long installed on thousands, if not millions of devices. But as is also the case with most BIG THINGs, learning opportunities abound. Even if this feels like an “everything old is new again” situation, there’s no need to let a good cybersecurity lesson go to waste.

Here are a few important cybersecurity best practices to keep in mind with Pokémon GO and all mobile apps:

Only Download Software From Trusted Sources

As of July 14, Niantic, Inc. (the game's developer) had released Pokémon GO in the U.S., Australia, New Zealand, and parts of Europe. Just over a month later, it is available in about 80 countries (with some notable exceptions, including India, China, and South Korea). The "slow roll" nature of the app's launch in markets around the globe has done a lot for anticipation — but it also enticed some users to seek access to the game prior to a legitimate in-country launch.  

Shortly after Pokémon GO's early launches, Android versions that could be “side loaded” sprung up virtually overnight, along with oh-so-helpful “how to” articles (like this ill-advised disappointment from The Guardian). The problem? Going off the reservation for any app is never a good decision, and it’s even less advisable in situations like this, where the economics of high demand and lack of supply lure scammers in for a big (and relatively easy) score.

Tech Times, Motherboard, IT Pro, and other outlets previously reported on a malware-laden side-load version of Pokémon GO that was discovered by Proofpoint researchers and was available just 72 hours after the release of the legitimate app in Australia and New Zealand. This particular version installs a back door for hackers, which provides a pathway in for cybercriminals.

The reality is that malicious apps and files that capitalize on this phenomenon — think cheat tools, maps, guides, and other items that will tempt serious and not-so-serious gamers — are surely on the horizon, if not available already. In fact, a search for "Pokemon Go" in Google Play apps on August 18 returned more than 120 results. Only the actual game — 1 of 120+ — was created by Niantic.

The bottom line is that any rogue app, piece of cracked software, or pirated file is extremely risky (despite the very mild warnings in the how-to articles that state that a download of this type “weakens the security of your device”). If you download a malicious piece of software, your device is compromised. Period.

Our Mobile Device Security and Mobile App Security training help users recognize and avoid common dangers related to smartphone and tablet use. These are just two of 18 interactive modules that you can use to improve your organization’s cybersecurity posture.

Understand Permissions and Evaluate Risk Carefully

In the early days following the U.S. launch, a number of stories broke about an apparent privacy overreach within the iOS version of the Pokémon GO app, which asked for full access permission to the user’s Google account. According to Google Support, with this level of permission “the application can see and modify nearly all information in your Google Account (but it can’t change your password, delete your account, or pay with Google Wallet on your behalf).”

Developer Niantic quickly indicated that the permission level was configured in error and released an update that backed down the access requirements. They also issued a statement claiming that, despite the permission level that was initially granted to the app, “Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected.”

The storm of privacy concerns that erupted about this permission is one that, frankly, should extend much further than Pokémon GO, and it should be a lesson to mobile device users everywhere. Every app comes with a set of permissions and, in many cases, the permission levels that are requested are well outside of the scope of necessary with regard to app functionality. It’s critical that you review and consider the permissions you would grant to an application before you download it, particularly if you have private data (e.g., corporate email, calendars, and contacts) on your device.

Application permissions have been on our radar for a long time, and recent work by two of Wombat Security’s founders are designed to help users identify apps and settings that are outside of the scope of “normal” or that could impact personal and data privacy:

• Jason Hong and a team of researchers from Carnegie Mellon University launched PrivacyGrade in early 2015. This website helps users identify potentially risky Android apps. The apps are rated based on a proprietary privacy model that “measures the gap between people's expectations of an app's behavior and the app's actual behavior.” (Check out Jason’s blog post for more details.)
• A personalized privacy assistant is being developed by Norman Sadeh and researchers at Carnegie Mellon University. The assistant makes privacy setting recommendations that users can accept or reject. A recent field study showed that users approved almost 80 percent of the recommendations made by the privacy assistant and that the tool helped them feel more comfortable about their settings.

Make Physical Safety and Security a Priority

You might wonder how physical safety and mobile devices mix — though that’s less likely if you’ve heard some of the stories about Pokémon GO players crashing their skateboards and wandering into ditches. Mobile distractions — including texting while driving (and walking, for that matter) — are certainly nothing new, but augmented reality games like Pokémon GO are likely to take the idea of “smartphone injuries” to a new level. (I wonder if there’s an ICD-10 code for that?)

But beyond the caution to “be aware of your surroundings” (my dad would be so proud!), it’s important to recognize that mobile features and functionality on devices themselves could very much impact your personal safety. Case in point: several armed robberies were committed in Missouri when thieves used the PokeStops geolocation feature to identify an area that individuals were likely to visit, taking advantage of their distraction and relative isolation when they arrived.

This is just one more example of the dark side of technology. Social check-ins, GPS tagging, and similar convenience features also have hidden dangers. When you publicly telegraph your comings and goings to cybercriminals and other scammers, you open yourself to mobile security and physical security risks. With social apps and social sharing on the rise, it’s important to keep your personal safety in mind as your cyber persona navigates through the real world.