Editors' pick: Originally published July 15.
Millions of people are eagerly scouting for their targets in Pokemon Go to catch them from their smartphones amid crowds in parks and other common public areas. This has spurred many novice players to download other games, yet they have neglected to verify one crucial detail before playing - the security of the app.
The trust people place in their mobile apps is misplaced, and consumers are only increasing the risk of having their personal data hacked.
"The silver lining of the Pokemon Go insecurity is that it has opened people's eyes to the risks that mobile apps can present," said Marie White, CEO of Security Mentor, a Pacific Grove, Calif.-based security awareness training provider. "Although we've learned to be suspicious of emails, that same suspicion doesn't extend to mobile apps - just the opposite. People implicitly trust their mobile apps."
"Pokemon Go places humans in their wild, childlike state of intense self-focus, imaginative bending of reality and simultaneous co-playing," said Dom Sagolla, a San Francisco-based editor of Tech Wild and CEO of DollarApp, a mobile application development company. "If I had one hope for this game, it would be to see it used for social good such as 'rare Pokemon sighted near polling places.'"
Giving Rights Away in Mobile Apps
Installing apps arbitrarily means people can be forfeiting their privacy details and giving companies their personal information. Players should assume the responsibility for the security and privacy of their data, said White.
"They should look carefully at the rights that they are giving to mobile apps prior to installing them and decline to install or even uninstall those apps that put them at risk," White said. "Consider Pokemon Go and whether users really want to give the software full rights to their Google account including the ability to read and send email, see and even modify calendar events or see their search history and access photos - probably not."
"Malware in Disguise"
The pressure from development teams to release games to the public and monetize them has led to shortcuts occurring, such seeking access to a user's personal account information in Google or Facebook, said Nathan Wenzler, principal security architect for AsTech Consulting, a San Francisco-based independent security consulting company. These games do not need access to social media accounts in order to function.
"This is similar to the recently reported security issue found in Pokemon Go, but it's certainly not the first game to default to full access in this way," he said.
The trend has led to a large rise in the number of malicious programs which are available in application stores like the Google Play store for Android devices. These games are downloaded by "casual players who may no clue about the security risks and implications," Wenzler said.
Players mistakenly assume that because these games are often hosted by well-known companies, there are no security risks or otherwise they would not be sold.
"With the speed of the market and the hundreds of thousands of apps available, it's nearly impossible to ensure 100% of the applications available are secure or are not malware in disguise," he said.
Skip Signing On Via Social Networking
Free computer games were always a technique for hackers to lure players in since they were bundled with malware and an easy way for criminals to steal data, said Joe Carson, head of global strategic alliances at Thycotic, a Washington, D.C.-based provider of privileged account management solutions.
The elimination of having players create a profile and log-in for each app has resulted in companies turning to social media such as Google+, Facebook, Twitter or LinkedIn to shorten the process, but this intensifies the risk.
"Could Pokemon Go be the largest surveillance app to date?" he said. "Access to your location information, camera, photos and your email occurs in one simple app download. We have seen a number of major high profile cyber incidents related to such incidents, such as the recent LinkedIn data disclosure and even Twitters own CEO's account being hacked."
Players should avoid using social log-ins, especially if they are utilizing the same email for other personal information.
"Use the option to create an account and use a password manager to create a strong unique password for each service," Wenzler said. "Check apps that use full access and remove them if you do not trust such apps with your personal data."
Since Google probably has a lot of your personal data, giving a Google app more information may not be a "big deal," said Alex Hamerstone, a compliance practice lead at TrustedSec, a Cleveland, Ohio-based white hat hacking and cybersecurity company. Allowing a third party or unheard of smaller publisher access to data should be a concern, he said.
Android Users at Greater Risk
Consumers who use an Android-based phone compared to an iPhone are at greater risk for security problems because Android is less restrictive when it comes to approving apps, said Jason Glassberg, co-founder of Casaba Security, a Redmond, Wash.-based cybersecurity company. This does not mean iPhone users should be complacent since on multiple occasions, "both criminal hackers and security researchers have been able to slip risky apps into the app store," he said. "If you have a jailbroken phone, keep in mind that you're more exposed to potential malicious activity, since jailbreaking the device undermines the mobile operating system's security features, too."
Future of Gaming
The industry needs to revamp its current strategy and software developers who are legitimate should build their applications without requiring complete access to a user's personal account information, Wenzler said. Companies hosting these apps need to test them and provide "at least a cursory level of protection against malware posing as a game or other application," he said. "With the billions of mobile devices in use across the planet, the potential target audience to exploit is too large for this issue to be ignored."