If you didn’t think your company needed to put a BYOD policy in place, the popularity of Pokemon GO may change your mind. The app has been available for a week, and, at least for now, users are spending more time per day playing the game than they are using popular social media sites like Facebook and Twitter.
The app is also a security and privacy nightmare, and that, combined with the popularity, should have businesses concerned about how chasing Squirtle could put corporate information at risk.
First, there is the Android malware problem. Because the app was officially released in only a few countries, it is not surprising that unofficial mirror copies appeared, and with mirror copies there is always a greater risk that malware has been built into the app. That appears to be exactly what happened: attackers are opening a backdoor onto smartphones through these third-party download sites, as Fortune explained:
The exploit was discovered by the security firm Proofpoint. Proofpoint researchers found a version of the Pokémon GO program that included a remote access tool, or RAT, called Droidjack, which they say can give an attacker ‘full control over a victim’s phone.’
In an email statement, Tim Erlin, director of IT security and risk strategy for Tripwire, said that cybercriminals pursue any angle that helps them gain a foothold on your devices, which makes a popular app that is not available everywhere a near-perfect target for crafting and delivering malware. It is proof, yet again, that the bad guys will take advantage of any means possible to gather data, even if it means going through an innocent game.
Second, there is a flaw that means, when users sign in through their Google account, the app is granted access to everything in that Google account – email, documents, pictures, etc. – without ever asking the user for permission. As Javvad Malik, security evangelist at AlienVault, explained to me in an email comment:
Mobile apps are notorious for requesting excessive permissions – something that users should scrutinize whenever installing a new app. However, in this case, it appears as if it was a failing on behalf of Google in allowing an app to not only request admin privileges, but do so without displaying a prompt to users. It’s an issue that apparently Google is seeking to fix as soon as possible. However, it does beg the question whether or not other not-so-popular apps have been able to sneak under the radar in the past.
If you have more than one employee in your company, chances are someone is playing Pokemon GO on their personal smartphone, and that same phone is used for business data transactions. Malik made a good point. We know about the problems involving Pokemon GO, but what are the risks hiding in other apps? Are your BYOD policies able to meet these security challenges?
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba.