The success of Pokémon Go has been unprecedented and inescapable, with Forbes reporting that within four days of the game’s launch it was on course to exceed Twitter’s daily active Android users.
However, the game’s popularity has risked masking serious security concerns. Once downloaded, the Pokémon Go app asks users for a whole host of permissions to access their contacts, camera, SD card content and, most importantly, GPS location.
And although other popular app games ask for some personal details, Pokémon Go requires a constant Wi-Fi or GPS connection to play, meaning that it knows exactly who you are, who your friends are, and where you are – even if you don’t have Google Maps running, or if permissions to access GPS data or the device camera have been turned off.
By encouraging players to go out in public and visit landmarks to collect cartoon monsters, bridging the gap between the real world and the virtual world, this latest craze from Niantic is collecting data about you that is potentially worth millions. So much so, it should perhaps be renamed Pokémon “GOld Mine!”
For the game’s makers, this data is hugely valuable as it enables them to pass on personally-identifiable information (PII) so that third parties can promote and sell to you.
This type of data tracking and collection has also been used by companies including Google, for Google Maps. However, many consumers are not aware that these kinds of ‘free’ services also have the hidden agenda of tracking your whereabouts via your mobile device and suggesting things close to you that you might be interested in.
All this data creates immense temptation for hackers who could potentially sell users’ data to foreign governments, or the black market. Credit card fraud is another risk to users, with in-app transactions potentially leading to identity theft and fake insurance claims. Hackers are also cashing in on users searching for discounted game currency, such as Pokémon Go’s “Pokécoins,” by creating fake links to online “hacks” that take users to survey scams if they search for items such as “Pokémon Go free coins generator.”
These types of scam sites earn money by requesting the Pokémon Go player’s username and inviting them to complete fake surveys that will ask for their personal details and email address, opening up more potential fraud risks. There are also fake Pokémon Go apps available online that include hidden Trojan horses designed to gather your personal data and provide the hacker with access to your device when downloaded.
Pokémon Go is useful for inspiring users to get outside. Most worryingly, however, by encouraging players to collect items by visiting PokeStops that correspond to real-world locations, it also gives criminals the ability to predict players’ locations, leaving users open to attack or robbery.
The potential for security risks such as revenue leakage and theft exists not only at game level but also at network and personal user level. If developers are unsure of how to protect users of their apps, it may now be up to the network operators to offer the expertise and technology needed to bridge the security gap and protect the bottom line.
This article was first published in Telcoprofessionals.com.