The security risks of Pokémon Go, explained

Pokémon Go just got political.

Pokémon characters are manifesting at the Republican National Convention zones in Cleveland.

The "augmented reality" smartphone game was released eight days ago. Now a zillion adults share their obsession alongside kids who are too young to remember the original anime game from the ‘90s. People have been busted trampling through cemeteries chasing the colorful pocket monsters. The Holocaust Museum in Washington, D.C. had to declare itself a Pokémon-free zone.

The mobile game just outpaced Tinder and Twitter as the most-downloaded app since July 6, 2016, its first day of availability in the United States.

Guess who’s not playing Pokémon Go: cyber security experts.

In order to play, the app needs to know your location through your device’s GPS and access the camera.

"Pokémon Go is a huge security risk," warned Adam Reeve in a post on the blog of RedOwl, the cyber security company where he is principal architect.

When the geeks get scared, we get scared. So we wanted to learn more about these allegations that the mega-popular smartphone app is siphoning everything about our personal lives, at great risk.

Here’s a screenshot of the permissions screen that appears upon downloading Pokémon Go on an Android device, as posted by Twitter user @oscaron:

Only iPhone users were informed they had to grant the app "full account access" on Google. The only other way to sign up is through the game’s website at pokemongo.com, which has been overwhelmed with users and is currently limiting the number of new users that can sign up at once.

What does "full account access" mean?

Reeve, who was among the first experts to sound this warning, claimed on his blog that downloading Pokémon Go would enable it to "read all your email, send email as you, access all your Google Drive documents (including deleting them), access any private photos you may store in Google Photos, and a whole lot more."

"I really wish I could play, it looks like great fun, but there’s no way it’s worth the risk," Reeve wrote.

Niantic, which developed the game for Nintendo’s Pokémon  brand, issued a statement July 11 that they had "recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account." They assured that though the mistake allowed them the ability to dive deep into personal data, the app only accesses a user’s ID and email address.

"No other Google account information is or has been accessed or collected," the statement read. Niantic said that they were working with Google to fix the permissions issue.

iOS users now see this screen that includes the update, "Fixed Google account scope."

Does that fix the security concerns?

We consulted David Kennedy, a a cyber security expert and founder of Ohio-based Binary Defense Systems (his official title: Chief Hacking Officer). His company monitors his clients’ systems and tries to break in to reveal where their security is weak. (Niantic is not a client.)

We asked whether the fix by the app’s developer means that Pokémon Go "trainers" (players, in the game’s parlance) are in the clear.

Kennedy said that the updated app will restrict what information it collects to the minimum required for it to function, which still includes location data, email address and camera access.

Be sure, though, that other outside forces will be looking to exploit any cracks in Pokémon ’s armor, Kennedy said, because mobile applications are prone to attack.

"Let’s say I hacked into that application; I would now have access to everyone who installed it, their gmail accounts and everything else," he said. "So it’s a big security and privacy issue from that perspective."

Even with the promised tweaks, Kennedy won’t download it.

Other concerns

There are other unsettling features of Pokémon Go that, while not unique to the game, might make privacy lovers think twice.

Niantic’s privacy policy is a 20-page document that no kid in reality, virtual or otherwise, is likely to read. Within the policy, Niantic describes how it may share user’s information with third parties who "may not have agreed to abide by the terms of this Privacy Policy."

Those third parties could be unspecified  "private parties," according to the terms of service.

They might sell or transfer personally identifiable information about users in the event of a "merger, sale of assets, acquisition, dissolution, reorganization, bankruptcy, change of control or other similar event."

Kennedy says the third-party issue raises concerns. "With Google, it’s a well-established service. Facebook is a well-established service, with terms and conditions you can read. These third-party applications could be selling your name, your address, your phone number, your contact list, what you’re browsing — directly tied to your name."

A word on conspiracy theories

Then there’s the matter of the app’s developer’s origins, which are a conspiracy theorist’s all-you-can-eat buffet.

Niantic’s founder, John Hanke, created the startup that became Google Maps and Google Earth. Now he’s cast as the man behind the curtain, using unwitting gamers to spy on each other for the CIA -- or so the nether regions of the ‘net would have you believe.

Here’s what Hanke said that set off musings about Pokémon Go being part of a more sinister plot (he was describing how Pokémon Go and it’s predecessor, Ingress, work): "By exploiting the capabilities of smartphones and location technology and through building a unique massively scalable server and global location dataset, we have helped users all around the world have fun, socialize, and get more fit as they play and explore."

As if the words "global location dataset" and "massively scalable server" didn’t sound ominous enough, there’s Hanke’s prior business dealings. Hanke’s mapping startup, called Keyhole, was funded by In-Q-Tel, a techie incubator which "identifies, adapts, and delivers innovative technology solutions to support the missions of the Central Intelligence Agency and broader U.S. Intelligence Community," according to its website.  

Such realizations spawned this Gawker headline "Pokémon Go is a Government Surveillance Psyop Conspiracy." A Reddit thread titled "Pokémon GO could be a photo-based intelligence gathering operation," emerged the day after Pokémon Go was released.

All of that aside, Kathleen Stansberry, a Cleveland State University assistant professor with expertise in social media and strategic communications, told PolitiFact Ohio that it’s easy to see the utilities the technology could provide to police.

"Google has a history of cooperating with law enforcement," Stansberry said, "and I would imagine Pokémon Go would as well."

Another section of the app’s privacy policy says it may "disclose any information about you (or your authorized child) that is in our possession or control to government or law enforcement officials or private parties."

Despite the risks these issues raise, Stansberry plays Pokémon Go with her son.

"By closing that particular loophole (for Google account access), Pokémon Go will be much more on par with other location-based apps," Kennedy said. "I think this is something we’re going to see increasingly, as virtual reality and augmented reality apps become more popular, and I think these privacy issues are going to become of greater concern."

Privacy is a fallacy, she said.

"There’s a big gap between what we believe is private, and what information is really out there about us," Stansberry said. "Did you use your debit card at Target? They’re tracking your purchases so they know how to better target you for ads.  CVS does the same thing. Let’s say every month you buy a pregnancy test and then, suddenly you stop buying pregnancy tests. Now you get a coupon for diapers."