Even if you have been living on Mars this past month, you have probably heard of Pokemon Go, the new augmented reality game that has swept the globe. It’s the most successful game in US mobile history and is likely to be around for a long time.
Although the Pokemon TV show, card game, multitude of video games and enormous array of toys and merchandise have been around for about 20 years or so, this new app has captivated users and revolutionized the genre of augmented reality games. A quick trip to the local store will probably mean you have walked past several people who are hopelessly glued to their mobile device or tablet, paying scant attention to the world surrounding their screens, hooked on catching Pokemon. There have been plenty of news stories about the dangers of Pokemon, as people have caused car accidents and inflicted physical damage on themselves walking down a street and not paying attention to the real world around them. However, there are further risks that Pokemon Go has inadvertently created, especially in the workplace.
Playing Pokemon Go at Work
Obviously your boss might be concerned about your falling productivity at work if you are spending half your time catching Pokemon in the office. But this is only part of the problem, as fears are growing about the IT security risk that Pokemon carries.
There are two ways for Pokemon players to log into the game using iOS devices: they can sign in from the app directly, or they can go via their Google accounts. The latter option is generally viewed as the more straightforward way to log in, but it is this option that presents a potential security threat. Logging in via Google opens the door for the game’s developer, Niantic Labs, to access all of the information associated with that account. Of course, in the office, Google accounts are often linked to all of the company’s information too. It is possible for the user to deny access to the developer, but only a tiny percentage of users actually review the security permissions in place.
The most pressing worry for IT security experts is that full access rights to Google accounts could mean that Niantic Labs have complete permission to perform any number of functions within their users’ accounts, from accessing calendars to deleting files. It isn’t necessarily Niantic themselves who pose a threat to your company’s data, but any number of hackers and cyber terrorists. And it isn’t just your own personal account that is being put at risk, but potentially an entire company’s. If a user is using a corporate Google account to log in to Pokemon, then it is like leaving a key in the door of your office overnight and inviting thieves to come in and steal everything.
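One way an administrator could check for this exposure, as an added example that is not part of the original article: the script below goes through an export of third-party app grants and flags corporate accounts that have given an app more than sign-in data. The export format, its field names, the `example.com` domain, the app names and the policy lists are all assumptions made for the illustration.

```python
import json

# Assumed policy list: real Google OAuth scopes that go far beyond sign-in.
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/calendar",
}
# Scopes that only identify the user (name, email address).
BASIC_SCOPES = {"openid", "email", "profile"}

# Constructed sample export; field names and values are assumptions.
SAMPLE_GRANTS = json.loads("""
[
 {"user": "alice@example.com", "app": "Mobile Game (constructed)",
  "scopes": ["openid", "email", "https://www.googleapis.com/auth/drive",
             "https://www.googleapis.com/auth/calendar"]},
 {"user": "bob@example.com", "app": "Notes App (constructed)",
  "scopes": ["openid", "email", "profile"]},
 {"user": "carol@personal.example", "app": "Mobile Game (constructed)",
  "scopes": ["https://mail.google.com/"]},
 {"user": "Dave@Example.com", "app": "Unknown Tool (constructed)",
  "scopes": ["email", "https://scopes.example/unlisted"]}
]
""")


def audit_grants(grants, corporate_domain="example.com"):
    """Return findings for corporate accounts whose grants exceed sign-in data."""
    findings = []
    for grant in grants:
        user = grant["user"].strip().lower()
        # Only corporate identities are in scope for this audit.
        if user.rsplit("@", 1)[-1] != corporate_domain:
            continue
        scopes = set(grant["scopes"])
        broad = sorted(scopes & BROAD_SCOPES)
        unknown = sorted(scopes - BROAD_SCOPES - BASIC_SCOPES)
        if broad:
            verdict = "revoke"   # can read or change mail, files or calendars
        elif unknown:
            verdict = "review"   # not on either list: a human must decide
        else:
            continue             # identity-only grant, nothing to report
        findings.append({"user": user, "app": grant["app"],
                         "verdict": verdict, "scopes": broad + unknown})
    return findings


if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_GRANTS):
        print(finding)
```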
Who Is at Fault?
Often it is only standard data that is required to log in to an application, such as name, date of birth, and sex. Niantic admitted that when they synced their login process with Google, they used an older, less protected version of Google’s sign-in platform. Niantic believe that Google’s ‘full access’ doesn’t mean that in reality, as it is only name and basic information that is ever provided. Moreover, they claim that user IDs and email addresses are the only information they have ever gathered from users. Fortunately, both Google and independent third parties have backed up these claims.
Niantic quickly admitted their error and have stated they are taking steps to rectify the problem alongside Google. Some critics have pointed the finger squarely at Niantic, saying they should have used a more rigorous version of the log-in functionality, while others feel that the responsibility lies with Google themselves, the much bigger and more prestigious partner, who should never have allowed the outdated version to be used in the first place.
The Dangers of Sideloading
After the initial fears that the game was vulnerable to cyber criminals seemed to have died down, a second threat emerged that could also jeopardize IT security and allow hackers access to both individual and corporate information.
When the game was officially released in Australasia in July 2016 and swiftly became a global phenomenon, many users from countries where the game had not yet been released tried to find illegal ways of sideloading the app onto their devices. Cyber criminals saw the opportunity to create a virus-riddled version of the app which would grant complete access to the mobile phone where the illegal version had been sideloaded.
Security experts Proofpoint, who first sounded the alarm, advise anyone who downloaded the app via these means to take steps to ensure their device hasn’t been infected in some way.
What Are the Consequences?
The dangers of cyberterrorism are never going to completely go away, and it would be impossible for any company to completely eliminate the risks they pose. What they should do, however, is boost business network security and attempt to regulate employee activity on corporate devices that could potentially cause problems for the business at large. This is especially relevant when employees are using corporate accounts to access apps that may leave commercial data vulnerable to hostile external sources.