Understand Permissions and Evaluate Risk Carefully
In the early days following the U.S. launch, a number of stories broke about an apparent privacy overreach within the iOS version of the Pokémon GO app, which asked for full access permission to the user’s Google account. According to Google Support, with this level of permission “the application can see and modify nearly all information in your Google Account (but it can’t change your password, delete your account, or pay with Google Wallet on your behalf).”
Developer Niantic quickly indicated that the permission level was configured in error and released an update that backed down the access requirements. They also issued a statement claiming that, despite the permission level that was initially granted to the app, “Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected.”
The storm of privacy concerns that erupted about this permission is one that, frankly, should extend much further than Pokémon GO, and it should be a lesson to mobile device users everywhere. Every app comes with a set of permissions and, in many cases, the permission levels that are requested are well outside of the scope of necessary with regard to app functionality. It’s critical that you review and consider the permissions you would grant to an application before you download it, particularly if you have private data (e.g., corporate email, calendars, and contacts) on your device.
Application permissions have been on our radar for a long time, and recent work by two of Wombat Security’s founders are designed to help users identify apps and settings that are outside of the scope of “normal” or that could impact personal and data privacy:
- Jason Hong and a team of researchers from Carnegie Mellon University launched PrivacyGrade in early 2015. This website helps users identify potentially risky Android apps. The apps are rated based on a proprietary privacy model that “measures the gap between people's expectations of an app's behavior and the app's actual behavior.” (Check out Jason’s blog post for more details.)
- A personalized privacy assistant is being developed by Norman Sadeh and researchers at Carnegie Mellon University. The assistant makes privacy setting recommendations that users can accept or reject. A recent field study showed that users approved almost 80 percent of the recommendations made by the privacy assistant and that the tool helped them feel more comfortable about their settings.
Make Physical Safety and Security a Priority
You might wonder how physical safety and mobile devices mix — though that’s less likely if you’ve heard some of the stories about Pokémon GO players crashing their skateboards and wandering into ditches. Mobile distractions — including texting while driving (and walking, for that matter) — are certainly nothing new, but augmented reality games like Pokémon GO are likely to take the idea of “smartphone injuries” to a new level. (I wonder if there’s an ICD-10 code for that?)
But beyond the caution to “be aware of your surroundings” (my dad would be so proud!), it’s important to recognize that mobile features and functionality on devices themselves could very much impact your personal safety. Case in point: several armed robberies were committed in Missouri when thieves used the PokeStops geolocation feature to identify an area that individuals were likely to visit, taking advantage of their distraction and relative isolation when they arrived.
This is just one more example of the dark side of technology. Social check-ins, GPS tagging, and similar convenience features also have hidden dangers. When you publicly telegraph your comings and goings to cybercriminals and other scammers, you open yourself to mobile security and physical security risks. With social apps and social sharing on the rise, it’s important to keep your personal safety in mind as your cyber persona navigates through the real world.
Subscribe to the Proofpoint Blog