Pokemon GO: Security Nightmare for BYOD

Sue Marquette Poremba

If you didn’t think your company needed to put a BYOD policy in place, the popularity of Pokemon GO may change your mind. The app has been available for a week, and, at least for now, users are spending more time per day playing the game than they are using popular social media sites like Facebook and Twitter.

The app is also a security and privacy nightmare, and that, combined with the popularity, should have businesses concerned about how chasing Squirtle could put corporate information at risk.

First, there is the Android malware problem. Because the app was officially released in only a few countries, unofficial mirror copies predictably appeared, and with mirror apps there is always a greater risk that malware has been built into the package. That appears to be exactly what happened: attackers are opening a backdoor into smartphones through these third-party sites, as Fortune explained:

The exploit was discovered by the security firm Proofpoint. Proofpoint researchers found a version of the Pokémon GO program that included a remote access tool, or RAT, called Droidjack, which they say can give an attacker ‘full control over a victim’s phone.’

In an email statement, Tim Erlin, director of IT security and risk strategy for Tripwire, said that cybercriminals look for any angle that helps them gain a foothold on your devices, which makes a popular app that is not available everywhere a near-perfect vehicle for crafting and delivering malware. It is proof, yet again, that the bad guys will take advantage of any means possible to gather data, even if it means going through an innocent game.

Second, there is a flaw in the sign-in process: when users sign in through their Google account, the app is granted access to everything in that Google account – email, documents, pictures, etc. – without asking permission. As Javvad Malik, security evangelist at AlienVault, explained to me in an email comment:

Mobile apps are notorious for requesting excessive permissions – something that users should scrutinize whenever installing a new app. However, in this case, it appears as if it was a failing on behalf of Google in allowing an app to not only request admin privileges, but do so without displaying a prompt to users. It’s an issue that apparently Google is seeking to fix as soon as possible. However, it does beg the question whether or not other not-so-popular apps have been able to sneak under the radar in the past.

If you have more than one employee in your company, chances are someone is playing Pokemon GO on their personal smartphone, and that same phone is used for business data transactions. Malik made a good point. We know about the problems involving Pokemon GO, but what are the risks hiding in other apps? Are your BYOD policies able to meet these security challenges?

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba.




Jul 14, 2016 6:27 AM Lori Lori says:
The Android issue is legit, but requires the user to do some pretty "out there" stuff already, security-wise. If you've got people doing that, Pokemon Go is not your biggest problem. As for the Google sign-in "all permissions" thing, they already publicly said that was unintentional, and have pushed an update out to remove that. Since apps like Google Chrome require and actually use the very same permission, again, Pokemon Go isn't actually your problem here. Companies should definitely be mindful of BYOD policies, but Pokemon Go isn't a "security nightmare". In fact, it's doing more for your employees' wellness than any gym reimbursement plan you might have in place. Be a progressive workplace and take advantage of that.
