Pokémon Go has attracted hordes of players within days of its release. The mobile game has also attracted concerns about just how vulnerable our personal data can be in the hands of seemingly benign applications.
In the last few days, security bloggers noticed that the game, which is free to download and made by Niantic Inc. in partnership with the Pokémon Company and Nintendo, requested permission not only to use a player’s smartphone camera and location data but also to gain full access to the user’s Google accounts — including email, calendars, photos, stored documents and any other data associated with the login.
Critics quickly called the game a “huge security risk” that was invading people’s privacy, and Senator Al Franken, a Democrat, on Tuesday expressed concerns about the issue. Niantic has said the expansive permission requests were “erroneous” and that Pokémon Go did not use anything from players’ accounts other than basic Google profile information. Niantic also said it was working on a fix to change the permissions to a level that would be “in line with the data that we actually access.”
The flap highlights how clicking “yes” to whatever requests pop up when installing an app on a mobile device can compromise privacy, sometimes in insidious ways. In disclosures, some apps say they will hand over data to law enforcement officials or other private parties to respond to legal requests, for example, or even of their own volition.
“A number of these games are not only making money on the front end by selling you the game or things within the game, they’re also collecting data about your habits and what you’re doing on your phone, and selling that to third-party marketers,” said Andrew Storms, vice president of security services at the security company New Context. “You’re pretty much giving the rights to all your information to this company.”
So what can be done to minimize the security risks that come with some apps? Here’s a refresher on how to safeguard private information.
Read the Fine Print
Ari Rubinstein, a Silicon Valley security engineer, recommends paying close attention to the scope of access that apps request during installation — or looking up the details online — and saying “no” if the demands make you uncomfortable.
If you are unsure about the permissions you have already granted, check them on iOS by clicking on Settings and scrolling down for a list of apps that you can examine and change individually. On Android, click Settings and click Apps under the Device Settings, then choose an app and select Permissions.
Permissions are not the only things to worry about; you also need to know what kinds of data an app is collecting from your phone. That information is typically contained in an app’s privacy policies, which are often available within the settings of an app, or searchable online. If you cannot find the disclosures, or you are unable to understand their legalese, consider holding off until you learn more.
Regularly Audit Third-Party Apps
Because apps often use platforms like Facebook and Google to authenticate accounts, Mr. Rubinstein suggests regularly checking the access you have granted through the settings of these systems.
With Facebook, go to your account settings and click on Apps to examine and revoke access. With Google, go to Privacy and Security Settings and click on Connected Apps and Sites to see or change the apps connected to your account.
“Most likely users have apps that they never use that put them at a similar risk” to that from the Pokémon app, he said.