‘Pokemon No’—Mobile apps put personal information at risk
Apps that access users’ data leave some more worried than others, survey finds
By Roger Yu, ThirdCertainty
“Pokemon Go” lets you catch ’em all. But it demands as much.
The massively popular game app, created by Niantic Inc., has come under fire for its stringent terms of service. It considers users’ personal information it collects “to be a business asset” that can be transferred to a third party.
Beyond location information, it also wants access to your Google Play billing account, have the ability to delete the content of USB storage, and generally have full network access. You also are required to go through arbitration in a legal dispute unless you submit an opt-out request via snail mail.
But a majority of users may not care, according to a new IDT911 survey. (Full disclosure: IDT911 sponsors ThirdCertainty.)
Some risk accepted
A large swath of the mobile population is now accustomed to the price you pay—privacy and personal information—for the convenience and fun of smartphones. Consumers’ heightened knowledge and growing comfort with the ins-and-outs of smartphone settings also may be driving users to lower their guard about apps’ encroachment.
According to IDT911’s survey, 56.4 percent of U.S. mobile users say their attitudes about mobile data access will not be affected by the “Pokemon Go” phenomenon. That includes 40 percent who said they already are cautious about allowing access to data via mobile apps, and another 16 percent who are not worried about allowing access.
The survey asked a simple question: “ ‘Pokemon Go’ exposed users to privacy risks due to how much data the app accessed on phones. How do you feel about mobile apps that access data/other apps?”
The question was posed to 3,037 adults and generated 2,014 responses, a 66.3 percent response rate. The survey was weighted against the U.S. Census Bureau Current Population Survey for age, gender and region of the U.S. to be representative of the population.
Danger? What danger?
A majority of the survey’s respondents seemed nonplussed by mobile security challenges, but many may not be fully aware of new layers of scams emerging to exploit the app’s surge. The fact that the app is available only in the United States, New Zealand and Australia also has opened a door to scammers looking to exploit the demands of Pokemon fans in other countries.
“Imagine for a moment how much more secure our identities could be if we dedicated the same amount of time and effort to mitigating privacy risks as we do searching for a rare Pokemon,” says Adam Levin, chairman and founder of IDT911, and author of Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves.
Eager Pokemon fans who are willing to look beyond authorized sources can stumble upon clone apps—including some that are infected. An altered and infected “Pokemon Go” app, with a remote access tool called “DroidJack,” has been found in online storage services, though it’s not in the Google Play store. Once downloaded, the malware enables scammers to access users’ personal information.
The internet also is rife with tutorial software and other “helpful” applications for “Pokemon Go” fans, which also can be sources of malware. Such tutorials typically are APK files, which are apps in the format used for the Android operating system. In trying to sideload APK files, users would have to modify their phone’s security settings, thus making them more vulnerable to malicious codes.
“ ‘Pokemon Go,’ albeit a massive success and the current ‘it’ game, is just the newest flavor of the month in the continually evolving sweet shop we call app stores,” Levin said. “From clone apps that infect devices with malware to third party-enabled keyboards like Bitmoji that have the power to record user keystrokes, consumers are enthusiastically permitting unfettered access to their highly sensitive data in exchange for reaching the next level, uncovering the newest clue, or obtaining an additional power supply for their favorite virtual character.”
Caution comes with age
The survey also found that users’ wariness about mobile security heightens with age. More than a third (34.4 percent) of millennials, or 18- to 24-year-olds, said they were not worried about allowing mobile app data access. Only 7 percent of the 55- 64-year-olds said the same.
More than 65 percent of millennials said they either already are cautious about mobile app data access or are not worried about allowing access. The percentage drops to 59.7 percent for the 25- to 34-year-old set, and about 55 percent for the 55- to 64-year-olds.
Men were less concerned than women. Nearly 19 percent of men said they’re not worried about allowing access versus 13.9 percent for women.
Still, there’s evidence to show that consumers are aware of the price they pay for smartphone usage. More than a third (39 percent) say they will be more cautious when it comes to allowing apps to access their data. One in five (22 percent) say they are much less likely to give apps permission due to privacy risks.
“Every time a data-seeking app goes into craze phase, and invariably privacy and security issues bubble to the surface, it provides us with a critical opportunity to educate mobile users on how to best protect themselves and avoid being the ones caught,” Levin said.
Read more stories about apps and mobile security:
Threat of ransomware growing for mobile phones
As mobile banking explodes, financial institutions beef up app security
Emerging exposure: Rising use of cloud apps creates data leakage pathways