Pokémon Go has effectively taken over the world. Since its release on July 6th, the app has been downloaded an estimated 7.5 million times, generated a revenue of $14 million, and the average daily usage of the app has exceeded Snapchat, Tinder, Instagram, and Facebook. Even professional baseball stadiums are opening up their stadiums and granting people access to the field, just to catch all those Pokémon who have been teasing us while we watch the games. You can’t hide on the field forever, Pikachu!
I’ll admit it, the concept is brilliant. Niantic, the developers of the game, have essentially bridged two worlds together, using mobile devices’ location-based services and augmented reality technology to bring Pokémon’s to earth. In doing so, Niantic has inspired nostalgia among the Pokémon crowd, allowing millennials all over the world to relive their childhood memories in a fun, interactive, high-tech way.
But, it’s not all pretty.
Bring Your Own Device (BYOD)
BYOD policy allows employees the convenience of using personal devices for work and always having access to company email and data. However, if not managed properly, BYOD can pose great security concerns. IT departments must identify all applications employees are using to interact with corporate data to ensure that all data is protected. If an employee loses or has a device stolen, IT departments need remote wiping capabilities. The mixing of personal and business data can result in an employee unknowingly installing malware as a part of a personal installation. These are only a few of the threats of BYOD. Luckily, these threats are commonly known around the world, and IT departments have been fighting them for years.
Unfortunately, there’s a new security concern in town. Enter Pokémon Go.
How Pokémon Go Increases the Risks of BYOD
At this point, it’s safe to assume that a handful employees in your company are playing Pokémon Go. Did you see someone recently pacing outside with their eyes glued to their phone? They probably weren’t just nervous for a presentation they were about to give. Sorry to break it to you, but they were playing Pokemon Go. But, we’re not here to talk about how Pokemon Go can distract your employees – though it is a valid concern. Instead, let’s discuss the IT security concerns Pokémon Go poses to your company.
Fake App Downloads
To all the Android users out there, beware of fake versions of Pokémon Go. Over the past week, online stores have been selling tampered versions of the game. Once installed, the malware allows hackers to assume ultimate control over your device. From there, if your device is part of a corporate network, this infection could give hackers access to your company’s emails, applications, and data. These infections have only been found in third-party sites, so to ensure you and your company’s security, stick to the Google Play store.
As mentioned earlier, stolen devices are a big risk in BYOD. Earlier this week, there were multiple reports of robberies committed by clever teenagers who lured Pokémon Go players to a spot using a “lure module”. So, next time you’re on your way to capturing that Pokémon you’ve been searching for forever, remember to be aware of your surroundings…and maybe take a friend. A game may not be worth compromising your personal (and corporate) safety.
Access to Your Google Account
This is quite possibly the risk that’s gotten the most media attention. It was recently discovered that if users opted to sign in to Pokémon Go through their Google account, then the game’s developers would have access to your entire Google account. Adam Reeve, a player of the game, discovered this issue and immediately posted about it to the online community. Below is an except from his post. Luckily, Pokémon Go has publicly stated that they’re in the process of fixing the issue, but millions of downloads have already been made, so the data is out there.
I started the game, hit the Google button, and was redirected to log in. Normally you’d see a little message saying what data the app is going to be able to access – something like ‘This app will be able to view your email address and name’. For some reason that’s not shown in this case, but I went ahead and logged in anyway. Then on a whim I went to see which permissions it was granted. It said: ‘Pokémon Go has full access to your Google account.’ Let me be clear – Pokémon Go and Niantic can now:
- Read all your email
- Send email as you
- Access all your Google drive documents (including deleting them)
- Look at your search history and your Maps navigation history
- Access any private photos you may store in Google Photos
- And a whole lot more
The implications of this issue for IT security are dangerous, especially for the many businesses build on Google applications. In the hands of a not so nice third-party, could be company emails, files, and other types of data stored within employee Google accounts.
But It’s Still a Great Game
The goal of this post is not to discourage anyone from indulging in the wonders of Pokémon Go. It’s simply to raise awareness about various security risks the game may pose for your company. Our advice? Proceed with caution. But definitely proceed. Good luck catching!