There has been substantial fanfare about Pokemon Go’s privacy settings and how that relates to personal information shared by the Pokemon Go apps. To help clear the air, the ReCon team decided to investigate. For context, ReCon is a system that inspects network traffic to identify personal information leaked by mobile apps (to sign up, click here). Our team installed the Pokemon Go app on our devices and interacted with the app, including moving about and collecting Pokemon (we swear it was just for research!).
What we found was what we would generally refer to as “run of the mill” tracking, most of which is necessary for the app to function. We saw no evidence of GMail e-mails being stolen, at least not directly from the device (though of course we cannot see what is accessed by Pokemon Go servers). We also found that the app sends data to different third parties on different platforms. This is not uncommon, and we expect that the third party providers are being used in large part to deal with the explosive growth of the user population and lack of resources to support them using Niantic servers. (By the way, Niantic is a company that was spun off from Google.)
Below are the details of personal information sent over the network, and the sites that received them. All traffic was sent via encrypted connections, and we identified the traffic contents using mitmproxy on a special ReCon instance used only for testing. For each line below, we specify the personal information on the left of the “>” and the destination site on the right. This is only an initial analysis---we found several messages exchanged in a custom format we have yet to decode, and we only interacted with the apps for a few minutes. We will update this page as we learn more.
Last updated July 14, 2016.
Unique Identifier > appload.ingest.crittercism.com
Unique Identifier > single.upsight-api.com
Unique Identifier > stats.unity3d.com
Unique Identifier > batch.upsight-api.com
Nickname, Unique Identifier > api.crittercism.com
Email, Unique Identifier > android.clients.google.com
Nickname > pgorelease.nianticlabs.com
*Note that we did not detect location information, though it was probably sent via connections that we could not decrypt.
Unique Identifier > batch.upsight-api.com
Unique Identifier > single.upsight-api.com
Unique Identifier > bootstrap.upsight-api.com
First name, Password, Email, Gender, Last name > accounts.google.com (This is during account creation)
Nickname > pgorelease.nianticlabs.com
Nickname, Email > api.crittercism.com
Location > api-glb-ash.smoot.apple.com
Username, Password > sso.pokemon.com
Date of Birth > club.pokemon.com