Pokémon Go seems to have taken the world by storm. A free-to-play, location-based “augmented reality” game developed by Niantic Labs, it allows people of all ages to use their smartphones to explore and capture Pokémon in the wild, whether at the park or at the office. It has had a mixed reception. Some praise it because it gets people outside and active, but others say it’s caused accidents or been a nuisance. Regardless of the criticism, it’s amassed more than 21 million players in the US alone. But we want to know: is it secure?
The game itself was developed using Unity, for iOS and Android. The gameplay mechanics are fairly straightforward. Create an avatar, go outside and wander around until you find some Pokémon to catch. The world you wander in is the real world, with the game tracking your location via GPS. The virtual world, however, is riddled with animation cycles of rustling leaves indicating that wild Pokémon are nearby to catch. When you encounter a Pokémon, the game activates your rear camera and gyroscope and displays an image of the Pokémon as if it were in the real world. There are also in-game locations known as Pokéstops and Pokémon Gyms that correspond to real-life locations, be they monuments, buildings, public art installations or other landmarks. The game is a lot of innocent fun, but with the massive number of people using it, coupled with the constant transmission of possibly sensitive data like location information, it could be open season for those with malicious intent.
With this in mind, we wanted to understand what kind of data the game sends, where to, how, and how accessible this information is. We decided to run the game’s traffic through a proxy, just to see if we’d get anything, and maybe poke around the application files to see if there was anything interesting.
To compare iOS and Android, we got started with an iPad and a Nexus 9, each with its traffic routed through an intercepting proxy. First, making accounts was fairly easy: you can sign in through your Google account, although you’re also able to create a Pokémon GO account. From there it was avatar creation, and then finally you set out into the world to find some Pokémon to catch. We tested all the functions of the game for an afternoon, wandering around catching Pokémon, finding landmarks, and trying out all the menus, dialogs and purchase options. Although we didn’t travel far, we still caught some Pokémon and got a few Pokéballs from a Pokéstop nearby.
Once the fun was over, we started looking at what the game actually sent, to whom, and how. The game obviously tracks your location data and uses your camera, but it also has access to your files and contacts. All transactions were handled by the Google Play Store or the Apple App Store and thus really outside the scope of our search.
The bulk of communications occurs between you and Niantic Labs’ servers. It’s all encrypted information posted fairly often, but its contents remain a mystery. The more minor transmissions amount to telemetry data for marketing or improving the game, such as OS version, locale and connection type, as well as information about your avatar like player level, item counts and XP accumulated.
Unable to find any sensitive data, we looked into the game’s application files on our Nexus, but once again turned up short, finding only mundane items such as assets and attributes. An SQLite database turned up, but it was simply there to hold the telemetry data. Lastly, we found only images downloaded from the Pokéstops nearby.
It was hard to find anything suspicious or vulnerable in how Pokémon GO handled data, at least client-side. Any sensitive information transmitted appears to be sent only to Niantic Labs and is always encrypted. However, what happens to that data after Niantic receives it is at their discretion.
One thing that we did note, however, was that when using Google login on iOS, the application requested more access than necessary. Specifically, the iOS app requested full access to your Google account. This means that the application could read all of your emails and even send emails that would appear to come from you. The application could also access any documents or other data that might be stored in your Google Drive. Basically, anything you can do through Google, the application had the ability to do.
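The over-broad access described above comes down to the OAuth scopes the app asks for at sign-in. The following Python script is an added example, not code from the original post or from Niantic: it takes a Google authorization request URL of the kind you would capture from an intercepting proxy, extracts the requested scopes, and flags any that go beyond what a plain “Sign in with Google” flow needs. The sample URLs, client ID and redirect URI are constructed placeholders, and the list of broad scopes is a small illustrative subset of real Google scopes, not an exhaustive catalogue.

```python
"""Audit the OAuth 2.0 scopes an app requests in a Google sign-in URL.

Added example (not from the original post or from Niantic). The sample
requests below are constructed; client_id and redirect_uri are placeholders.
"""
from urllib.parse import urlparse, parse_qs

# Scopes a "Sign in with Google" flow legitimately needs: identity only.
SIGN_IN_SCOPES = {
    "openid",
    "email",
    "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

# Real Google scopes that grant broad access to user data. Assumption: this
# is a small illustrative subset, not an exhaustive list.
BROAD_SCOPES = {
    "https://mail.google.com/": "full Gmail access (read, send, delete)",
    "https://www.googleapis.com/auth/gmail.send": "send mail as the user",
    "https://www.googleapis.com/auth/drive": "full Google Drive access",
    "https://www.googleapis.com/auth/contacts": "read/write contacts",
}


def requested_scopes(auth_url: str) -> list[str]:
    """Return the scopes listed in the space-separated `scope` parameter."""
    query = parse_qs(urlparse(auth_url).query)
    raw = query.get("scope", [""])[0]
    return [s for s in raw.split() if s]


def audit_scopes(auth_url: str) -> dict[str, list[str]]:
    """Classify each requested scope as 'expected', 'broad' or 'unknown'."""
    result: dict[str, list[str]] = {"expected": [], "broad": [], "unknown": []}
    for scope in requested_scopes(auth_url):
        if scope in SIGN_IN_SCOPES:
            result["expected"].append(scope)
        elif scope in BROAD_SCOPES:
            result["broad"].append(scope)
        else:
            result["unknown"].append(scope)
    return result


def is_minimal(auth_url: str) -> bool:
    """True when the request asks for nothing beyond sign-in identity scopes."""
    audit = audit_scopes(auth_url)
    return not audit["broad"] and not audit["unknown"]


# Constructed sample requests: one asking for Gmail and Drive on top of
# identity, one asking for identity only.
OVERBROAD_REQUEST = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE_CLIENT_ID"
    "&redirect_uri=com.example.app%3A%2Foauth2callback&response_type=code"
    "&scope=openid%20email%20https%3A%2F%2Fmail.google.com%2F"
    "%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive"
)
MINIMAL_REQUEST = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE_CLIENT_ID"
    "&redirect_uri=com.example.app%3A%2Foauth2callback&response_type=code"
    "&scope=openid%20email%20profile"
)

if __name__ == "__main__":
    for name, url in (("over-broad", OVERBROAD_REQUEST), ("minimal", MINIMAL_REQUEST)):
        audit = audit_scopes(url)
        print(f"{name}: minimal={is_minimal(url)}")
        for scope in audit["broad"]:
            print(f"  broad scope {scope}: {BROAD_SCOPES[scope]}")
        for scope in audit["unknown"]:
            print(f"  unrecognised scope {scope}: review manually")
```

Unknown scopes are reported separately rather than silently accepted, since a scope missing from the allowlist is exactly the kind of thing a reviewer should look at by hand. Running the script over the two constructed requests shows the first one flagged for Gmail and Drive access and the second one passing as minimal.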
Niantic Labs has since issued an update to resolve the access issue. To take advantage of this and keep yourself safe:
1) Log out of the application.
2) Log into your Google account from your phone or desktop.
3) Once logged in, click on your name and choose “My Account.”
4) Under “Sign-in & security,” choose “Connected apps & sites.”
5) Choose “Manage apps” and click on Pokémon GO.
6) Click on “Remove Access.”
Once complete, you can log back into the application and it will request access to basic profile information only, as it should have in the first place. We noted that this behavior only exists in the iOS app, not the Android app. Also, based on our testing, we did not see the app doing anything nefarious with Google data, but we appreciate that Niantic has updated the application to better meet security best practices.
Relax, your data is safe. Now go find some Pokémon.
P.S. Sadly, we have no advice for what to do about server crashes, but we feel your pain.