Mere weeks after its launch, you would be hard pressed to find someone with access to the internet or social media who hasn’t heard of the latest app trend sweeping across 30 countries worldwide: Pokémon GO. Boasting more daily users than Twitter and higher engagement rates per day than Instagram, Snapchat, or WhatsApp, with more than an hour a day spent within the app – an unheard-of feat for a gaming app – it’s (unofficially) considered the most successful mobile app to date.

But we here at SAC view all things cyber with a healthy dose of wary skepticism, especially when it comes to the mobile domain. While we fully support anyone who wants to “catch ’em all” (we even have a few trainers on-staff!), we ask that you take the following precautionary steps before stepping out into the wild.


Download the official Pokémon GO app (from Niantic) from the Google Play or Apple App Stores.

Within days of the US release of the app, fake copies began popping up. These apps disguise themselves as the real thing to trick users into downloading them, and they usually contain malware. Researchers at Proofpoint found one such app that bundled a remote access tool (RAT) called DroidJack, which allows the attacker to take “full control over a victim’s phone!”

EDIT: PokéVision is a third-party map plugin that makes it easier to determine exactly where specific Pokémon will be spawning and for how long. There’s a bit of debate going on about whether it’s cheating and a quick way to make the game boring, or whether its advantages outweigh any downsides. Some say that it helps in planning excursions, letting you head in the best direction for the greatest haul of Pokémon and get around the “three step” bug that drives everyone mad. Since you can enter an address to scan, you can also leave your GPS off until you arrive at that location (which means no geotagging along the route!). But there’s a bigger risk involved: since it runs on Niantic’s API, it’s possible the developers could block it for giving players an unfair advantage, or block your account if they discover you’ve been using it. Currently there’s no app for PokéVision, but it can be used in a mobile browser.


Keep your phone’s system & the app itself up-to-date. Install anti-malware software if you haven’t done so already.

There are several reasons it’s important to regularly patch the OS and any apps you’ve downloaded. Attackers are very good at finding holes in the software that the developers didn’t foresee. Sometimes an update is released to stop a threat that is already spreading, sometimes to close a hole before anyone exploits it; either way, common sense says you want the fix installed.

Apps also experience bugs that the developers didn’t anticipate, or features that users find disagreeable. In the case of Pokémon GO, the iOS version originally gave the app the ability to see and modify full details of your Google account and its credentials. Once users discovered this and were (rightly) outraged, Niantic issued a statement saying they had patched the security holes.


Use a “throwaway” Gmail account solely for the purpose of playing the game or create a Pokémon Trainers Club account. Ensure your password is strong.

The app uses Google accounts for authentication and tracking, so if you’d like to put some distance between your real personal life and possible security risks, we recommend creating a “throwaway” account completely unrelated to you. It would be better still to create a Pokémon Trainers Club account, even though this might prove to be a difficult and tedious process: the servers couldn’t handle the number of people wanting to sign up, and Niantic was forced to restrict the number of people who could create an account each day.

If your organization uses Google apps, never use your professional work account for Pokémon GO or any other games!


Use a trainer name that isn’t associated with your name or known aliases.

At the moment, players are unable to see one another within the game or any information about others playing around them, but this functionality may be added in the future, and it’s better to err on the side of caution. There are already two exceptions: users can see the reigning trainer name and their Pokémon’s names at gyms, as well as the names of trainers who place lures at Pokéstops. Just think… do you want something personally identifiable to be seen by random strangers or worse, criminal hackers? If you’ve already named your trainer, no fear: you can still change it by a request to support.


Be aware of the real possibility for related crime.

Bad guys exist in both the cyber and physical domain, and both types are always looking for the next easy target. There’s already a growing string of crimes related to Pokémon GO players. In California, a teenage girl was stabbed and her friend was hit with a pipe by a group of muggers while out searching for Pokémon at 2AM. A man was assaulted and robbed by a group of people in Delaware who he believed were also playing the game. In Missouri, four teenagers were arrested as suspects in a string of robberies (10-11); they had been using the lure feature in the app to attract potential victims.

Use common sense. Don’t get so sucked into the game world that you forget to pay attention to the world around you! Always travel with a buddy or remain in your vehicle with the doors locked when visiting gyms and Pokéstops. Remember that often you can interact with these places from a distance.


Stay alert to your physical surroundings. Look up from your screen while moving. Never drive while playing.

To piggyback on the last point, there’s a startling number of injuries and accidents that have happened through sheer user absentmindedness. Hours after the game went live in Japan, a student fell down a set of stairs and lost so much blood from a head wound that an ambulance was called. A man was arrested at a military checkpoint in Indonesia after accidentally entering a base. In California, two men tracking a specific Pokémon fell more than 50 feet off a cliff onto the beach below and sustained moderate injuries, despite signs that clearly warned the bluff was unstable. A Maryland man slammed into a cop car because he was playing the game while driving.

Even though many aspects of the game require you to pay attention to what’s happening on the screen, you should not do this while moving. Look up!


Pay close attention to what’s in the frame during a capture when using augmented reality (AR).

Although you may be excited about the cool new Pokémon you just encountered, take an extra second to note what’s in the foreground and background of the frame. Never photograph or share screenshots that include reflective surfaces, personally identifiable information (faces, vehicle license plates), or location markers (street signs, notable buildings and landmarks, your house). Also be aware that the location coordinates where the picture was taken are likely embedded in the picture’s metadata!
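The coordinates mentioned above live in the picture’s EXIF metadata (the APP1 segment of a JPEG). As an added example that is not part of the original post, the Python below walks a JPEG’s segments, decodes any latitude/longitude from the EXIF GPS IFD, and strips the metadata segments so a screenshot can be shared without them; the sample JPEG bytes and their location are constructed inline, and the parser covers only the minimal EXIF layout the sample uses.

```python
import struct
def build_sample_jpeg():
    """Constructed sample: a minimal JPEG whose EXIF GPS IFD says 37°47'18.5"N, 122°25'8.4"W."""
    ifd0 = struct.pack(">HHHII", 1, 0x8825, 4, 1, 26) + b"\0\0\0\0"   # one entry: GPS IFD at 26
    gps = (struct.pack(">HHHI", 4, 1, 2, 2) + b"N\0\0\0"               # GPSLatitudeRef
           + struct.pack(">HHII", 2, 5, 3, 80)                          # GPSLatitude -> offset 80
           + struct.pack(">HHI", 3, 2, 2) + b"W\0\0\0"                  # GPSLongitudeRef
           + struct.pack(">HHII", 4, 5, 3, 104) + b"\0\0\0\0")          # GPSLongitude -> offset 104
    rationals = struct.pack(">12I", 37, 1, 47, 1, 185, 10, 122, 1, 25, 1, 84, 10)
    app1 = b"Exif\0\0" + b"MM\0\x2a\0\0\0\x08" + ifd0 + gps + rationals
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def _segments(jpeg):  # yield (marker, start, end) for each length-prefixed segment before the scan
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        length = struct.unpack_from(">H", jpeg, pos + 2)[0]
        yield jpeg[pos + 1], pos, pos + 2 + length
        pos += 2 + length

def find_gps(jpeg):
    """Return (lat, lon) decoded from the EXIF APP1 segment, or None if no GPS data is present."""
    for marker, start, end in _segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\0\0":
            return _decode_gps(jpeg[start + 10:end])
    return None

def strip_exif(jpeg):  # copy with every APP1..APP15 segment (EXIF, XMP, ...) dropped; pixels untouched
    kept, pos = [jpeg[:2]], 2
    for marker, start, end in _segments(jpeg):
        kept.append(b"" if 0xE1 <= marker <= 0xEF else jpeg[start:end])
        pos = end
    return b"".join(kept) + jpeg[pos:]

def _decode_gps(tiff):
    e = ">" if tiff[:2] == b"MM" else "<"               # TIFF byte order: "MM" big, "II" little
    rd = lambda fmt, o: struct.unpack_from(e + fmt, tiff, o)[0]
    def entries(ifd):                                    # tag -> offset of its 12-byte entry
        return {rd("H", ifd + 2 + 12 * i): ifd + 2 + 12 * i for i in range(rd("H", ifd))}
    ifd0 = entries(rd("I", 4))
    if 0x8825 not in ifd0:                               # IFD0 has no GPS IFD pointer
        return None
    gps = entries(rd("I", ifd0[0x8825] + 8))
    if not {1, 2, 3, 4} <= gps.keys():                   # need both refs and both DMS triples
        return None
    def dms(tag):                                        # three RATIONALs: degrees, minutes, seconds
        d, dd, m, md, s, sd = struct.unpack_from(e + "6I", tiff, rd("I", gps[tag] + 8))
        return d / dd + m / md / 60 + s / sd / 3600
    lat = dms(2) * (-1 if tiff[gps[1] + 8] == ord("S") else 1)
    lon = dms(4) * (-1 if tiff[gps[3] + 8] == ord("W") else 1)
    return lat, lon
```

Run `find_gps` on a real screenshot file’s bytes before posting it; if it returns coordinates, share the output of `strip_exif` instead.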

It’s best to turn AR off when playing Pokémon GO at work or around your home! To turn AR off, tap the Pokémon you want to catch, then tap the switch labeled “AR” in the top right-hand corner of the screen. All this does is replace the surroundings shown through your camera with an animated grass backdrop; it also makes the Pokémon easier to capture!


Know that the app currently has an infamously shady 20-page-long Privacy Policy.

When you accept the privacy policy attached to Pokémon GO, you are basically giving Niantic the right to do whatever they wish with the data they’ve collected from you, which includes a wealth of location data taken from geotagging. They can turn it over to law enforcement or sell it to whomever they wish. They can share it with third parties who “may not have agreed to abide by the terms of this Privacy Policy” or store it off-shore in foreign data centers that may have different (read: lax) privacy laws.

Germany’s Federation of German Consumer Organizations (VZBV) has threatened to sue Niantic unless they make drastic changes to Pokémon GO’s user terms and privacy policy by August 9th. US Senator Al Franken (ranking member on the Senate Privacy, Technology, and the Law Subcommittee) sent a letter to Niantic with targeted questions about the app’s privacy policy, asked for a list of service providers with access to user information, and requested a response by August 12th.


Nothing is ever 100% secure, but such a popular piece of software is at particularly high risk; it looks like a data goldmine to criminals, a hacker’s paradise! Already the hacker group PoodleCorp has hit Pokémon GO servers with a DDoS attack and is threatening to do it again on August 1st. Gary Miliefsky, current CEO of cybersecurity firm SnoopWall, who advised the US DHS in the early 2000s, has said, “When they hit 25 to 20 million records, they’re going to be breached, and they’re at 10 million right now.”

But if you take each of the items above seriously, you can be assured that in the likely event of an attack, you’ll be much safer than the users who were careless, and any damage to you will be greatly reduced. Simple common sense and informed awareness can help ensure that your experience remains positive.

Now get out there and fill up your Pokédex!

Kayley Melton

Director of Digital Strategy at SAC
Kayley manages our growing footprint on the web and develops marketing strategies to both keep us current & help us reach more people who might benefit from our message. A professionally trained artist and verifiable “weird girl,” she has 5 pet-children, cooks unbelievably good food, and can out-lift you at the gym.