How to Protect Your Privacy On Your Pokémon Journey

Pokémon Go is sweeping the globe, but what is it doing with your data?

Niantic, Inc’s new augmented reality game, Pokémon Go, uses your phone’s GPS and camera to merge the fictional Pokémon universe with users’ own neighbourhoods — and it’s taking the world by storm.

It’s just amazing how, decades after the Internet was first invented, we’re still finding exciting new ways to take advantage of it. However, despite quickly becoming a global phenomenon, it’s not all sunshine and Ho-Ohs. The app has real privacy concerns that could potentially threaten the safety of its users.

Pokémon encounters within the game look to be tied to foot traffic and population density, which is information pulled from GPS data collection, and from Pokémon Go’s sister app Ingress. Pokémon Go can only populate the world with critters and landmarks by harvesting user data. Unfortunately, this includes precise location tracking.

poke.png

Pokémon Go follows you around in real-time. Down to the last street corner, it employs GPS tracking to observe your movements and pinpoint your exact location. Used for the purpose of finding Pokémon, it’s pretty harmless. But if Niantic, Inc. were to be sold, all of that personal information would be available to the highest bidder.

The app’s potential to access personal data has already raised a red flag for users. Earlier this week, it was reported that Pokémon Go requests full Google account permissions for users on iOS. Theoretically, full access gives the app a pass to read and send email messages, modify your contacts, edit your Google Drive, and more.

Despite the request for full access, Google and Niantic insist the game only accesses your basic profile, including user ID and email address. Asking for full account permissions seems to just be an issue with the iOS user interface, meaning the app doesn’t actually read your emails or rifle through your contacts. While this appears to have been an honest error, mistakes like these still hold potential for a violation of our privacy.

Niantic claims to have dealt with the permissions issues in the official app’s newest update. The bad news is much of their reach for fixing bugs is undermined by users who have accessed the game outside of the authentic app stores.

Since Pokémon Go is currently only available on iTunes and Google Play in the U.S., New Zealand, and Australia, unofficial versions have been popping up all over the Internet. But the unofficial apps come with their own security risks, some of which are more concerning than Niantic’s Google account blunder.

Security firm Proofpoint reported this week that a popular Pokémon Go APK for Android — a copy of the app downloaded from a third party — has been installing a backdoor on many unsuspecting users’ devices.

DroidJack, a remote access trojan (RAT), may be accompanying any third-party download of Pokémon Go. This malware has been shown to rewire permissions for the app, allowing it to view and send SMS texts, read and send email, record audio, access and modify your contacts, view your web history, and more.

If you were one of the thousands who downloaded Pokémon Go from a third-party site, visit this page to learn if the app is compromising your security. If so, be sure to delete the app and reinstall only the official version before you catch ‘em all. Have fun!