Chances are you’ve already heard of or are playing Pokémon GO, an iOS and Android mobile game that uses Google Maps data to superimpose digital creatures into the world around players. As players move, GPS on their devices tracks their real world position and the game indicates if they are close to virtual Pokémon creatures that they can capture, train, and battle with. The game has over 30 million downloads worldwide making the likelihood of the game entering your enterprise mobile environment very high.
Our security team reviewed potential security risks associated with this popular game. We found three risk areas:
- Version 1.0 of Pokémon GO for iOS requested full access to the user’s Google account. The app was therefore asking for more access than it needed, at a dangerous level. If granted, the authorization token could, with some manipulation, be exchanged for an “uberauth” token that would grant full access to the user’s Google account. This dangerous permission request was fixed in version 1.0.1, although Google stated that the “full access” request was an error and that only basic, not advanced, account details were being accessed.
- Both the iOS and Android versions of the game send Personally Identifiable Information (PII) in the form of precise GPS location coordinates. The coordinates are sent to the “pgorelease.nianticlabs.com” server running in Google Cloud. While the connection uses SSL, we found that the app was not pinned to the “pgorelease.nianticlabs.com” certificate, leaving it open to potential Man-in-the-Middle (MiTM) tampering and/or eavesdropping. The developer could better protect the SSL connection and the data in transit to reduce the risk of MiTM and eavesdropping that may leak employees’ locations while the game is running.
- Trojaned versions of Pokémon GO can now be downloaded from 3rd party app stores and sideloaded to mobile devices. The game’s huge popularity and staged region-by-region release encouraged unofficial and some malicious versions to be released in the wild.
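To make the pinning point above concrete, here is an added example (not code from the original post or from Niantic) of the check a pinned client performs: ordinary chain validation against the device trust store, followed by a SubjectPublicKeyInfo pin check. The certificates are constructed in-process for the demo; only the host name comes from the post, and the "interposing proxy" cert stands in for a rogue CA the device has been made to trust, which chain validation alone would accept.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

const host = "pgorelease.nianticlabs.com"
// selfSigned builds a throwaway self-signed server certificate for host; it is
// constructed test material for this demo, not the real server certificate.
func selfSigned() *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // a rand failure surfaces in CreateCertificate
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host}, NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // CreateCertificate's own output always parses
	return cert
}
// spkiPin is base64(SHA-256(SubjectPublicKeyInfo)), the pin format used by HPKP and Android's network security config.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}
// verifyPinned does what a tls.Config.VerifyPeerCertificate callback would: chain and hostname validation, then the SPKI pin check.
func verifyPinned(leaf *x509.Certificate, roots *x509.CertPool, pins map[string]bool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err == nil && !pins[spkiPin(leaf)] {
		err = fmt.Errorf("SPKI pin %s is not in the pin set for %s", spkiPin(leaf), host)
	}
	return err
}
// demo models a device whose trust store also holds an interposing proxy's certificate (a rogue
// CA the user was tricked into installing): both chain-validate, only the real key passes the pin.
func demo() (legitErr, proxyErr error) {
	legit, proxy := selfSigned(), selfSigned()
	roots := x509.NewCertPool()
	roots.AddCert(legit)
	roots.AddCert(proxy)
	pins := map[string]bool{spkiPin(legit): true}
	return verifyPinned(legit, roots, pins), verifyPinned(proxy, roots, pins)
}
func main() { l, p := demo(); fmt.Println("legitimate server:", l, "| interposing proxy:", p) }
```

Without the pin check, both certificates would be accepted because both are in the trust store; with it, the proxy is rejected even though the device trusts its issuer.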
Our research team also assessed some risk areas where we did not find risky behaviors we thought might be present. Specifically:
- We did not observe Pokémon GO running in the background. Network traffic and activity was actively collected only when the game was on the screen and open.
- We did not observe Pokémon GO collecting or sending camera footage or pictures from the “augmented reality” feature used for capturing Pokémon.
We are already seeing the Pokémon GO app on a significant number of devices in customer environments and we recommend that enterprises advise employees to do the following:
- Only download the game from official stores. Do not sideload this app. The biggest risk associated with Pokémon GO is malicious unofficial versions of the app distributed outside the Apple App Store or Google Play. This is of particular concern for Android due to the popularity of 3rd party Android stores and the tendency for fake and risky apps to be promoted there.
- Update to the latest version of the app to ensure you have the most secure version. In early versions of the app, there was a concern about Pokémon GO’s use of an outdated version of Google’s shared single sign-on service. The newer app versions include bug fixes and corrected misleading language to describe the requested permissions more accurately. Keep in mind, however, that even if Google only accesses the user profile as claimed, this does not prevent malicious apps or attackers from accessing the user’s full Google account if the app or mobile device is compromised. If the Pokémon GO app is authenticated with a corporate Google account, this potentially exposes corporate documents, e-mail, etc.
- Ensure that the app has access only to the Google account information it needs. As a precautionary measure, follow this guide to limit access to the Google account information needed.
- Be aware when playing the game. Pokémon GO is an immersive experience which can distract players from real world risks including traffic, changes in terrain, people and obstacles. Players are advised to check their walkway frequently, to avoid unsafe locations in pursuit of Pokémon, and to maintain situational awareness when playing so as not to become victims of pickpockets or digital device thieves. Device theft with potential access to enterprise accounts is a data loss risk for the player and the company.
Additionally, Appthority customers who find that the risks mentioned above warrant further action can use the Appthority web portal and apps to:
- Assess the presence of various versions of Pokémon GO in their mobile environments. A support document is available here outlining key steps for taking this action in the Appthority web portal.
- Protect against trojaned versions of Pokémon GO and other malicious apps by creating and enforcing policies that restrict and prevent sideloaded apps. (Note: Sideloaded app detection is only available for customers who have deployed the Appthority mobile app on employee devices.)
Photo credit: Michael Kan