When a new mobile app goes viral, you have a goldmine. Consider Pokemon Go. Nintendo more than doubled its stock price in a few weeks thanks to the popularity of the new game that superimposes Pokemon virtual reality on gamers’ reality. However, new apps such as Pokemon Go bring unanticipated security risks as well.
As with many popular applications, Pokemon Go offers different options to register to play. You can sign up directly or use your Google credentials. Here’s the snag. Adam Reeve of RedOwl discovered that if you use your Google credentials, you basically provide access to your Google account, including email, calendar, even Google Docs. Essentially, you are granting complete control over your Google assets.
According to Niantic, the software company that developed Pokemon Go, the Google security problem has been addressed, but this form of user authentication is commonly used. How often have you run into a new application or service and been asked to share your Google, Facebook, or LinkedIn credentials to set up an account? Normally, the objective is to let you share your activity on your social media channels and to promote whatever service you are subscribing to. However, you could be granting access to far more personal data than you bargained for.
New Security Woes for Organizations
Why do the security gaps in online games like Pokemon Go matter to corporate security? There are many reasons. One out of every four mobile apps contains at least one high-risk security flaw, and research shows that on average users install 37 apps on their devices other than those that are pre-installed. That means that, statistically, there are more than nine apps on each mobile device that could contain security weaknesses.
First, consider the proliferation of bring your own device (BYOD). How many of your mobile users are installing unmonitored games on dual-purpose mobile devices that they also use for work? Opening unauthorized applications and accounts on their mobile hardware could mean they are opening a door to enterprise resources. It’s important to understand the permissions you grant with any type of software. With new and “cool” applications such as Pokemon Go, the tendency is to click straight through the licensing and permissions prompts because people are eager to play. That single mistake could prove even more costly later.
Then there is the concern about counterfeit applications. Pokemon Go, for example, is available in fewer than 70 countries, and the popularity of the game is driving demand for counterfeits in other markets, including malicious versions. Proofpoint has discovered an unofficial version of Pokemon Go in the Android app store that includes the DroidJack remote access tool, which provides unlimited access to anything on your Android device. Users could easily download malicious software hidden in counterfeit apps that puts them, and their companies, at risk.
Even with these potential threats, there is no reason why new apps such as Pokemon Go should threaten your personal security, or your company’s network.
Mobile device management (MDM) software can give IT managers and CISOs control over company-owned mobile devices, allowing IT to dictate which applications are allowed and which ones are not. MDM isn’t a complete solution, however, since not all MDM platforms can detect malware. For added protection, combine MDM with additional security software on every mobile device that has access to the company network. That added layer should be able to inspect and quarantine suspicious apps in the cloud, before they can be downloaded.
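The two controls described above, an MDM allow-list of permitted apps and a check that catches repackaged counterfeits such as the DroidJack-laced build mentioned earlier, can be illustrated with a small inventory audit. The code below is an added example, not the article's or any MDM vendor's code. It assumes a device agent reports, for each installed app, the package name, the SHA-256 fingerprint of the APK signing certificate, and the installer that put it on the device; every package name, fingerprint and installer identifier used here is a constructed placeholder, not a real value.

```python
"""Added example (not from the original article): a minimal MDM-style
app-inventory audit that flags apps outside the allow-list, apps whose
signing certificate does not match the approved publisher (the usual
signature of a repackaged/counterfeit app), and apps installed from an
untrusted source. All identifiers below are constructed placeholders."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class InstalledApp:
    package: str          # Android package name as reported by the device agent
    version: str          # version string, kept for reporting only
    signer_sha256: str    # SHA-256 fingerprint of the APK signing certificate
    installer: str        # package that installed the app, or "sideload" (assumed agent convention)


def normalize_fingerprint(fp: str) -> str:
    """Fingerprints arrive in mixed case, with or without colon separators."""
    return fp.replace(":", "").strip().lower()


# Constructed allow-list: package -> (approved signer fingerprint, trusted installer sources).
# "com.store.official" stands in for the platform's first-party store client.
ALLOWED_APPS: dict[str, tuple[str, frozenset[str]]] = {
    "com.example.game": ("AA11BB22CC33", frozenset({"com.store.official"})),
    "com.example.mail": ("DD44EE55FF66", frozenset({"com.store.official", "com.corp.mdmagent"})),
}


def audit_inventory(apps: list[InstalledApp],
                    allow_list: dict[str, tuple[str, frozenset[str]]]) -> list[tuple[str, str]]:
    """Return (package, finding) pairs; an empty list means the device is compliant."""
    findings: list[tuple[str, str]] = []
    for app in apps:
        entry = allow_list.get(app.package)
        if entry is None:
            # Unknown package: not approved by IT, candidate for quarantine.
            findings.append((app.package, "NOT_ALLOWED"))
            continue
        expected_signer, trusted_sources = entry
        if normalize_fingerprint(app.signer_sha256) != normalize_fingerprint(expected_signer):
            # Same package name, different signer: a repackaged or counterfeit build.
            findings.append((app.package, "SIGNER_MISMATCH"))
        if app.installer not in trusted_sources:
            # Approved app, but it did not come through a trusted store or the MDM agent.
            findings.append((app.package, "UNTRUSTED_SOURCE"))
    return findings


def summarize(findings: list[tuple[str, str]]) -> dict[str, int]:
    """Count findings per category so a dashboard can prioritise follow-up."""
    counts: dict[str, int] = {}
    for _, finding in findings:
        counts[finding] = counts.get(finding, 0) + 1
    return counts


# Constructed sample inventory from one device.
SAMPLE_INVENTORY = [
    InstalledApp("com.example.game", "1.0.3", "aa:11:bb:22:cc:33", "com.store.official"),  # legitimate
    InstalledApp("com.example.game", "1.0.3", "99:88:77:66:55:44", "sideload"),            # repackaged copy
    InstalledApp("com.example.unknown", "0.1", "12:34:56:78:90:ab", "sideload"),           # not on the list
    InstalledApp("com.example.mail", "4.2", "DD44EE55FF66", "sideload"),                    # right app, wrong source
]

if __name__ == "__main__":
    for package, finding in audit_inventory(SAMPLE_INVENTORY, ALLOWED_APPS):
        print(f"{package}: {finding}")
    print(summarize(audit_inventory(SAMPLE_INVENTORY, ALLOWED_APPS)))
```

The signer check is what separates a counterfeit from the real thing: a repackaged app can reuse the official package name and version string, but it cannot be signed with the publisher's private key, so the certificate fingerprint is the field to pin. Whether a finding leads to a warning, a block, or a device quarantine is a policy decision for the MDM platform, not something this audit decides.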
Employee training and security policies and procedures also are essential. Employees need to be aware of the risks of downloading unauthorized apps to their handheld devices, and how to maintain the security of the network. Be sure they understand what to look for in counterfeit apps and unauthorized app stores.
Third-party security experts also can be invaluable. Work with a security consultant to establish policies and procedures and to set up malware filters and anti-virus systems. An independent expert can help you design a secure mobile data infrastructure, and even set up hosted platforms that serve as a buffer or safety zone between mobile users and the company network. Independent security consultants can also help design a more secure enterprise infrastructure and provide services such as remote network monitoring, analysis, and remediation.
You can’t stop employees from downloading the latest app or using their mobile hardware in ways you may have never considered. However, you can protect yourself from unwanted malware by setting up protocols and security filters between users’ mobile devices and your network. If you implement the right precautions now, you’ll be ready when the next big mobile app craze hits the market.