Pokémon Go Hacks

Pokémon Go, a newly launched augmented reality game for smartphones, has swept the nation since its release just last week. As of yesterday in the US alone, the game secured 7.5 million downloads and boasts a daily revenue of $1.6 million. The number of Pokémon Go downloads has already surpassed Tinder and is currently rivaling Twitter. Users are already spending significantly more time using the game than they do popular apps like Instagram, Snapchat, or WhatsApp.

Excited users across the US quickly signed up for the game upon its release, but what went unnoticed by many users – at least until recently – was the alarming security risk the game’s registration posed. When creating an account on Pokémon Go, players are given the option to sign up via their Google accounts, which many users opted to do. On Monday it was discovered that logging in with your Google account from an iOS device grants the app “full access” to your Google account. This means that Niantic, the game’s developer, may have access to your Gmail, Google Drive, calendar, Chrome search history, contacts, photos, and anything else that may be linked to an account. Thus far the problem has not been much of an issue for Android users.

Niantic and the Pokémon Company have responded to user concerns, stating that the situation was caused by utilizing an outdated version of Google’s shared sign-on service. The service is meant to make sign-ups easier and faster while asking the user which information to grant to different apps, but the outdated version used in Pokémon Go does not do this. Niantic has stated that they are working with Google to fix the problem, explaining that the only user information the game actually needs is your user ID and password, and they have reassured users that their private information has not been compromised. Ari Rubenstein, a security engineer at Slack, affirmed Niantic’s statement by explaining that there is nothing to suggest Niantic had malicious intentions. Google told users that it is working to reduce Pokémon Go’s access to their information, and that it will be achieved “soon.”

The real danger, however, is not whether Niantic keeps its promise to stay out of user information. Until the issue is resolved, the concern is that hackers could steal that information. Should Niantic get hacked in the meantime, the hackers would have access to user Google accounts. This is significant because many users link their Google accounts to many aspects of their digital lives, thus giving potential hackers access to passwords and all sorts of sensitive data.

Until Niantic and Google grant the “all clear,” here is how you can revoke unnecessary access:

  1. Visit the Google Accounts page
  2. Log into the account linked to your Pokémon Go
  3. Click on “Sign-in & security”
  4. Scroll down then click on “Manage Apps” under “Connected apps & sites”
  5. Click on “Pokémon Go Release”
  6. Click “Remove,” then “OK”

You should be able to continue using the game as normal. Unfortunately, every time the app signs you out at random you will need to revoke access again. Alternatively, if you’re willing to restart your game completely, you can try setting up a new log-in by creating a Trainer Club account.

While it’s important to keep your information safe, this potential vulnerability doesn’t pose any immediate danger. Perhaps something more concerning is affecting Pokémon Go players outside of the US, Australia, and New Zealand. Because the game’s release was limited at first to only a few countries, players around the world are searching for ways to join in the fun. Most have either jumped through hoops to download the game from the US, Australian, or New Zealand app stores or have resorted to downloading the game through third parties. While inconvenient, accessing the app through a different country’s app store won’t necessarily hurt your phone (although issues concerning international copyright may exist). Downloading the game through a third party, however, definitely demands caution. Researchers at Proofpoint, a cybersecurity company based in California, discovered an infected version of Pokémon Go targeting Android users. This version of the game contains the malware known as DroidJack, which grants hackers full control over your Android phone.

Despite these risks, players in the US, Australia, and New Zealand can continue playing the game without much concern. By reviewing your Google account settings and staying away from third-party downloads, you’ll be all set to go out there and catch ’em all.