Update: The Apple version of the Pokemon Go app has been updated to fix "Google account scope" - meaning that it no longer obtains full permission to people's Google accounts.
While the recently released, and now viral, augmented-reality smartphone game, Pokemon Go, continues to spread like wildfire -- exceeding both Snapchat and Twitter in terms of daily active users -- it raises a couple of serious security questions about which its users may wish to learn.
1. Pokemon Go requires users to log in using Google credentials. (Theoretically, one can also use a Pokemon website login, but, perhaps due to the overwhelming traffic load that the site has likely faced since the launch of Pokemon Go, the Pokemon site is not accepting new signups, so unless you are an existing user of that site, you must use a Google login.)
Security researcher Adam Reeve noted that when some users sign into Pokemon Go through Google on Apple devices, they effectively give the game and its developer full access to their Google account; this means that, at least in theory, Niantic, the firm behind Pokemon Go, can access players' Gmail-based email, Google Drive-based files, photos and videos stored in Google Photos, and any other content within their Google accounts. From a technical perspective, Niantic could potentially send emails on your behalf, or copy and distribute your photos.
This is obviously concerning. Perhaps even scarier - and more eye-opening - is that users are accepting such permissions en masse without regard for the risks.
So, be aware of what permission you give an app when you install it.
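As an added illustration of the scope problem in point 1 (this is example code, not part of the original article and not Niantic's or Google's code), the following Python check pulls the scopes out of a Google OAuth 2.0 sign-in request and flags anything beyond plain identity; the allowlist and the two sample request URLs are constructed for the example.

```python
from urllib.parse import urlparse, parse_qs

# Scopes that a plain "Sign in with Google" needs: identity only, no data access.
# Allowlist constructed for this example; trim it to what your app really needs.
SIGN_IN_SCOPES = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

def requested_scopes(auth_url: str) -> list[str]:
    """Return the space-separated scope list from an OAuth 2.0 authorization URL."""
    query = parse_qs(urlparse(auth_url).query)
    return query.get("scope", [""])[0].split()

def overbroad_scopes(auth_url: str) -> list[str]:
    """Return every requested scope that goes beyond plain sign-in identity."""
    return [s for s in requested_scopes(auth_url) if s not in SIGN_IN_SCOPES]

# Constructed sample requests (not captured from the game). The second one asks
# for full Gmail and Drive access on top of sign-in, which a game has no need for.
MINIMAL = ("https://accounts.google.com/o/oauth2/v2/auth?client_id=example"
           "&response_type=code&scope=openid+email+profile")
BROAD = ("https://accounts.google.com/o/oauth2/v2/auth?client_id=example"
         "&response_type=code&scope=openid+email"
         "+https://mail.google.com/+https://www.googleapis.com/auth/drive")

if __name__ == "__main__":
    for label, url in (("minimal", MINIMAL), ("broad", BROAD)):
        extra = overbroad_scopes(url)
        print(label, "->", "OK" if not extra else f"over-broad scopes: {extra}")
```

The same check applies to the consent screen a user sees: any scope outside the identity set is data access, not login.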
2. Pokemon Go is only available via the official Android and iOS app stores in a limited number of countries. Because the game is popular, people in other countries are obtaining the Android version through unofficial channels - and hackers have already successfully posted malware-infected versions of the app on some file-sharing services. One variant of such a malevolent version of the app was discovered by the security firm Proofpoint and is quite serious: it infects Android devices and allows hackers to access the infected devices via a backdoor.
The consequences of having your smartphone infected by such malware are severe - anything on your phone can potentially be copied by hackers, hackers could use your phone to commit crimes (e.g., make fraudulent online purchases or download child pornography), make social media posts or send emails and text messages on your behalf, and otherwise wreak havoc.
As Tim Erlin, Director of IT Security and Risk Strategy at Tripwire, put it: "People have proven time and time again that they'll click recklessly to get access to new, prohibited or early-release software. Attackers have proven time and time again that they'll find a way to infect that software."
My recommendation is simple: do not download Pokemon Go - or any other apps -- from file-sharing services. Stick with the official app stores and well-known third-party app providers such as the Amazon Appstore.
Of course there are also physical security risks -- the game directs people to physical locations, and not all of them are necessarily safe. So, be careful, and enjoy!