What’s the risk?Pokémon Go requests Full Access to your Google account, which includes everything from access to your emails (read, write, send and delete) to your Google Wallet. While Nintendo has issued a statement saying that they are not harvesting this information, and will change the permissions to the application soon, the simple fact is that the application has unrestricted access to everything in your Google account. And I mean everything! Now, if you use your Google account for business, and decided to play the game with the same Google account, you have potentially exposed everything in your business to Nintendo. While the risk is realistically low that something will happen, the unintentional consequences of unknowingly allowing a third party potential access to your business is quite high. Think of it this way. If you have a brick and mortar business, would you leave the backdoor of the building unlocked and let someone know it was unlocked? Of course not. Well, Pokémon Go does exactly that for cybersecurity. It leverages social media login capabilities of Google+ to create an account and exposes everything in Google+ to them. You have effectively given permissions to a third party for everything you store in Google – from your calendar to text messages.
How to reduce the risk of allowing a third-party to access your account?Unfortunately, you are now aware of the risk and must remove Pokémon Go privileges from Google Security until this can be properly fixed. Until Nintendo patches the application’s permissions, you best bet is to:
- Remove Full Access and avoid playing the game. Simply click on Pokémon Go and Remove access. See below for a screenshot on how to disable this.
- Create a secondary Google account with minimal information in order to play the game.
- If you have an MDM deployment, prohibit employees from loading the game.
- Do not use the “Lore” feature in the game. This has been associated with physical robbery crimes and exposes the user’s information to other Pokémon Go players.
Morey J. Haber, Chief Technology Officer and Chief Information Security Officer at BeyondTrust
Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.