As millions of people rush to join the Pokémon Go augmented reality game, questions are being raised over how secure the app is, given the amount of sensitive personal information it collects.
Microsoft programme manager and engineer Dennis Delimarsky noted that it is possible for attackers to directly connect to Pokémon Go application programming interfaces on shared networks such as public Wi-Fi.
An attacker in a so-called Man In The Middle position on such networks could observe, capture and modify the data Pokémon Go sends and receives, lure players to wrong locations and otherwise abuse the game.
This is because Pokémon Go doesn't use certificate pinning, a security feature that prevents impersonation of Niantic's servers, for the game's HTTPS traffic to and from those servers.
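To show what the missing pinning check looks like on the client side, here is an added example (not Niantic's code or the game's actual implementation) that pins the server's public key hash in a Go TLS client and rejects a certificate carrying a different key; the certificates are constructed self-signed test certificates generated in the block.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"math/big"
)

// spkiPin: base64 SHA-256 of the SubjectPublicKeyInfo, the value an app embeds.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyPin builds a tls.Config.VerifyPeerCertificate callback: after the normal CA
// chain check it also rejects any leaf key outside the pin set, whoever signed it.
func verifyPin(pins map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		leaf, err := x509.ParseCertificate(rawCerts[0]) // crypto/tls passes the leaf first
		if err == nil && !pins[spkiPin(leaf)] {
			err = fmt.Errorf("pin mismatch: server key is not the expected one")
		}
		return err
	}
}

// selfSigned builds a constructed test certificate with a fresh Ed25519 key.
func selfSigned() *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// Demo pins the genuine server key, then checks a forged certificate with a different key.
func Demo() (genuineAccepted, forgedRejected bool) {
	genuine, forged := selfSigned(), selfSigned()
	cfg := &tls.Config{VerifyPeerCertificate: verifyPin(map[string]bool{spkiPin(genuine): true})}
	genuineAccepted = cfg.VerifyPeerCertificate([][]byte{genuine.Raw}, nil) == nil
	forgedRejected = cfg.VerifyPeerCertificate([][]byte{forged.Raw}, nil) != nil
	return
}

func main() { fmt.Println(Demo()) }
```

Without the callback, a client trusts any certificate chaining to a CA in its store, which is exactly the gap an interception proxy on a shared network relies on.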
Attackers could potentially gain access to a large amount of sensitive personal information via Pokémon Go.
When it comes to vacuuming up players' personal data, Niantic has adopted a "catch 'em all" approach. Tests by New Zealand Herald staffers show that the game demands full access to players' Google accounts on Apple iPhones.
Google says full access means applications can see and modify nearly all the information in user accounts.
This excludes changing the password for the account or deleting it, but allows read and write access to email, Google Drive online storage and other services.
The anonymous infosec tweeter behind the @SwiftOnSecurity account noted on Twitter that Pokémon Go bypasses Google's confirmation screen that is meant to be displayed after users log in.
In doing so, Pokémon Go hides that it asks players to grant full access to all parts of their Google accounts. Skipping Google's warning screen should not be possible for any app, SwiftOnSecurity noted.
Long-standing United States IT commentator Robert Scoble expressed concern about the game posing a severe privacy risk, as it "tracks our children".
The Herald has contacted Niantic for comment on the security and privacy concerns.