The sign-in flow of Pokémon Go exposed users to serious iOS and Android security risks, as a look at the app's permissions showed.
Research by Adam Reeve, a Principal Architect at RedOwl, showed that Pokémon Go had complete access to his Google account, with some differences between iOS and Android.
The problem comes from signing in with a Google account (the Pokémon.com website had to stop new sign-ups over the weekend). The authentication flow skips the usual permissions (consent) screen and goes straight from the Google login screen back into the app, so users never see what they are granting.
This gave Pokémon Go full access to your Google account, which Reeve spelled out as: “Read all your email; Send email as you; Access all your Google drive documents (including deleting them); Look at your search history and your Maps navigation history; Access any private photos you may store in Google Photos.” Reeve described this as due to “epic carelessness”.
On iOS the app gained total control over the Google account. The Android security issues raised were somewhat different: the permissions requested covered taking pictures and videos, reading and using accounts on the device, reading and modifying the SD card, using Google Play’s billing features and tracking location.
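The two findings above, an over-broad Google OAuth grant and a long Android permission list, are both things a tester can check mechanically. The following is an added example (not code from the original article or from Niantic): it classifies the scopes in a Google tokeninfo response against what plain sign-in needs, and lists the permissions an Android manifest declares, flagging the sensitive ones. The token-info JSON and the manifest are constructed for this example; the scope and permission names are real Google and Android identifiers, and the client id is a placeholder.

```python
"""Least-privilege audit of what a mobile app was actually granted.

Added example, not code from the original article or from Niantic.
  1. audit_google_scopes: inspect the scopes on the Google OAuth token,
  2. audit_android_permissions: inspect <uses-permission> in the manifest.
The sample token-info JSON and manifest are constructed for this example.
"""
import json
import xml.etree.ElementTree as ET

# Scopes a plain "Sign in with Google" needs. Anything outside this set
# means the app can do more than identify the user.
SIGN_IN_SCOPES = {
    "openid",
    "email",
    "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

# Broad scopes that hand over mail, Drive or photos outright.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/photoslibrary",
}

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Android permissions worth a second look in a game: account, contact,
# SMS, storage, location and camera access.
ANDROID_SENSITIVE = {
    "android.permission.GET_ACCOUNTS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA",
}


def audit_google_scopes(tokeninfo_json: str) -> dict:
    """Classify the scopes in a Google tokeninfo response.

    Google's tokeninfo endpoint reports granted scopes as one
    space-separated string under the "scope" key.
    """
    info = json.loads(tokeninfo_json)
    granted = set(info.get("scope", "").split())
    return {
        "sign_in": sorted(granted & SIGN_IN_SCOPES),
        "high_risk": sorted(granted & HIGH_RISK_SCOPES),
        "unexpected": sorted(granted - SIGN_IN_SCOPES - HIGH_RISK_SCOPES),
        "least_privilege": granted <= SIGN_IN_SCOPES,
    }


def audit_android_permissions(manifest_xml: str) -> dict:
    """Return declared <uses-permission> names, flagging sensitive ones."""
    root = ET.fromstring(manifest_xml)
    declared = {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }
    return {
        "declared": sorted(declared),
        "sensitive": sorted(declared & ANDROID_SENSITIVE),
    }


# Constructed sample: a token carrying far more than sign-in needs.
SAMPLE_TOKENINFO = json.dumps({
    "azp": "example-client-id.apps.googleusercontent.com",  # placeholder
    "scope": "openid email https://mail.google.com/ "
             "https://www.googleapis.com/auth/drive",
    "expires_in": "3599",
})

# Constructed sample manifest with the permission classes the article names.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="com.android.vending.BILLING"/>
</manifest>"""

if __name__ == "__main__":
    print(json.dumps(audit_google_scopes(SAMPLE_TOKENINFO), indent=2))
    print(json.dumps(audit_android_permissions(SAMPLE_MANIFEST), indent=2))
```

In practice the token-info JSON comes from calling Google's tokeninfo endpoint with the access token captured from the app (for example through an intercepting proxy), and the manifest from the decoded APK; a sign-in token that fails the `least_privilege` check is exactly the condition Reeve found.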
The panic over the iOS and Android security issues subsided after a statement from Niantic explaining that the over-broad permission was a mistake and that a client-side fix was being produced. Users who had already signed in could still check, and revoke, the grant from the connected-apps permissions page of their Google account.
It’s fascinating to see so many people download and use an app without checking the permissions. This is almost a worst-case scenario; however, Niantic and Nintendo hope to make money from the app through legal means, as opposed to digital identity theft.
Pokémon Go has also spawned a lot of malware copies aimed at users outside the countries where it had its initial release, creating further iOS and Android security risks for users.
There are, in addition, physical risks, with criminals using the game to draw players to remote locations and rob them.
Codified Security is here to help make your mobile app secure, whether that means iOS or Android app security testing, or making sure you’re clearing the OWASP Mobile Top 10. For mobile app security testing, try out Codified Security.