Does Pokémon Go Open Corporate Security Holes?
by FEI Daily Staff

Employees chasing virtual monsters may be opening real-world security holes in corporate networks.

The widespread popularity of the augmented reality app Pokémon Go has turned the app into a cultural phenomenon, but security researchers say the use of corporate email accounts or devices by players may create security challenges for organizations.

According to cloud platform provider CloudLock, the first release of the Pokémon Go app, which launched in the United States in early July, requested full access to users’ Google accounts (which were used to register player accounts) through an OAuth connection. This permission, which most users granted without reading the registration screen or considering the potential security implications, allowed the app to access all of the information synced to a user’s account, including contacts, calendar entries and files stored on the device.

While there is no evidence Google user accounts were breached, and the requested permissions were reduced in a subsequent update, current versions of the game continue to collect users’ location and personal account data.

Potentially more concerning, according to CloudLock, is the fact that a number of employees use their corporate log-in credentials to access their game accounts. CloudLock examined 900 corporate cloud environments and found the following potential vulnerabilities:

  • Of the 900 organizations examined, 44 percent had employees who granted access to Pokémon Go using corporate credentials.
  • On average, about 5.8 percent of an organization’s employees had Pokémon Go installed on devices accessing cloud environments.
  • If a user’s device is hacked, the use of corporate credentials may expose the organization’s network and data to unauthorized access and exploitation.

In addition, companies with global operations need to be aware that in nations where the game has not been released, a number of counterfeit versions of Pokémon Go have been uploaded to unofficial app stores. At least one of these counterfeit apps has been found to contain a remote access tool designed to harvest data from a compromised handset.

To help mitigate the risk associated with mobile apps, organizations need to think about the types of apps they allow to access their networks, and to monitor networks and cloud environments for unexpected activity that may indicate unauthorized access.
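The monitoring the article recommends starts with inventorying which third-party apps have been granted OAuth access by corporate identities and what scopes they hold. The script below is an added example, not code from the article or from CloudLock: it audits a constructed list of OAuth grant records, flags apps that are not on an approved list yet were authorized with a corporate account, flags grants whose scopes go beyond plain sign-in (the "full account access" pattern described above), and reports the share of the organization's users affected, much like the 5.8 percent figure quoted. The Google scope URIs listed are real, but which scopes count as "broad", the corporate domain, the approved-app list and the app name "Monster Catcher" are all assumptions made for this example.

```python
"""Audit third-party OAuth grants for broad scopes and corporate identities.

Added example; grant records, domains and policy lists below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Scopes that expose mail, files, contacts or calendar data. The URIs are real
# Google scopes; treating exactly this set as "broad" is an assumption.
BROAD_SCOPES = {
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/calendar",
    "https://mail.google.com/",
}
# Scopes an app needs merely to let a user sign in.
LOGIN_SCOPES = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}
CORPORATE_DOMAINS = {"example.com"}        # assumption: the organization's domains
APPROVED_APPS = {"Corporate SSO Portal"}   # assumption: vetted app allowlist


@dataclass(frozen=True)
class Grant:
    user: str          # account that authorized the app
    app: str           # display name of the third-party app
    scopes: frozenset  # OAuth scopes the app was granted


def is_corporate(user):
    """True if the granting account belongs to one of the corporate domains."""
    return user.rsplit("@", 1)[-1].lower() in CORPORATE_DOMAINS


def classify(grant):
    """Return the list of findings for one grant (empty when nothing to flag)."""
    findings = []
    broad = grant.scopes & BROAD_SCOPES
    beyond_login = grant.scopes - LOGIN_SCOPES
    if is_corporate(grant.user) and grant.app not in APPROVED_APPS:
        findings.append("unapproved app authorized with a corporate identity")
    if broad:
        findings.append("broad scopes: " + ", ".join(sorted(broad)))
    elif beyond_login:
        findings.append("scopes beyond sign-in: " + ", ".join(sorted(beyond_login)))
    return findings


def audit(grants, org_user_count):
    """Group findings by app and measure how many corporate users are exposed.

    Returns {app: {"corporate_users": n, "share": n / org_user_count,
                   "findings": sorted distinct findings}} for flagged apps only.
    """
    per_app = defaultdict(lambda: {"users": set(), "findings": set()})
    for grant in grants:
        findings = classify(grant)
        if not findings:
            continue
        entry = per_app[grant.app]
        entry["findings"].update(findings)
        if is_corporate(grant.user):
            entry["users"].add(grant.user)
    report = {}
    for app, entry in per_app.items():
        n = len(entry["users"])
        report[app] = {
            "corporate_users": n,
            "share": round(n / org_user_count, 3) if org_user_count else 0.0,
            "findings": sorted(entry["findings"]),
        }
    return report


# Constructed sample: one game app with mixed grants, one approved internal app.
SAMPLE_GRANTS = [
    Grant("alice@example.com", "Monster Catcher", frozenset({
        "openid", "email",
        "https://www.googleapis.com/auth/drive",
        "https://www.googleapis.com/auth/contacts"})),
    Grant("bob@example.com", "Monster Catcher", frozenset({"openid", "email"})),
    Grant("carol@personalmail.test", "Monster Catcher", frozenset({
        "openid", "email", "https://www.googleapis.com/auth/calendar"})),
    Grant("dave@example.com", "Corporate SSO Portal",
          frozenset({"openid", "email", "profile"})),
]

if __name__ == "__main__":
    for app, result in audit(SAMPLE_GRANTS, org_user_count=50).items():
        print(f"{app}: {result['corporate_users']} corporate users "
              f"({result['share']:.1%} of organization)")
        for finding in result["findings"]:
            print("  -", finding)
```

In a real deployment the grant records would come from the identity provider's token or app-authorization report rather than a hard-coded list; the classification logic stays the same, and the "share" figure gives a per-app exposure metric comparable to the one CloudLock reported.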