ANALYSIS: Pokemon Go presents security, privacy and productivity challenges for IT departments
In between the latest acts of the political turmoil that has engulfed the UK since the EU referendum, you may have heard about a little app called Pokémon Go.
In what is a watershed moment for augmented reality (AR), the Niantic Labs-developed application is now the number one grossing app in the US, Australia and New Zealand – the only countries it has been released in so far – and is on course to generate $1 billion a year according to App Annie.
It has been the subject of numerous headlines – not least when one player found a dead body in a river in Wyoming – but its popularity is already causing headaches for IT departments, even though a UK release is not expected for a couple of days.
Physical and cyber security
Because Pokémon Go isn’t officially available in the UK, the only way to play the game is to side load it onto an Android device. This involves installing an APK, an Android Installer File, manually rather than going through Google Play – a method advertised by numerous websites.
Even though Google Play isn’t as heavily curated as Apple’s App Store, bypassing the marketplace entirely poses security threats. The game’s popularity has naturally attracted the attention of cybercriminals, and a security firm has already found malicious APKs that attempt to install malware on victims’ devices.
“Even though this APK has not been observed in the wild, it represents an important proof of concept: namely, that cybercriminals can take advantage of the popularity of applications like Pokémon GO to trick users into installing malware,” said researchers. “Just because you can get the latest software on your device does not mean that you should.”
Having policies in place to prevent side loading is essential.
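One way an IT department can enforce such a policy on managed Android devices is to check where each installed package came from. The following Python is an added example (not from the article, Niantic, or Google): it parses the output of `adb shell pm list packages -i`, which reports each package's installer, and of `adb shell pm list packages -s`, which lists preloaded system packages, and flags anything that is neither a system app nor installed by Google Play (installer package `com.android.vending`). The two sample outputs embedded below are constructed for the demonstration, not captured from a real device, and the package names in them are placeholders.

```python
"""Flag sideloaded packages on a managed Android device.

Added example. Assumes the device is reachable over adb and that Google Play
(com.android.vending) is the only installer trusted by policy. The sample
outputs below are constructed; a real check would feed in the output of
`adb shell pm list packages -i` and `adb shell pm list packages -s`.
"""
import re
from typing import Dict, List, Optional, Set

# Installer package names trusted by policy on managed devices.
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play Store

# Constructed sample of `pm list packages -i` output (package -> installer).
SAMPLE_INSTALLERS = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.pokemongo  installer=null
package:com.google.android.gms  installer=null
package:com.example.sideloaded  installer=com.android.packageinstaller
"""

# Constructed sample of `pm list packages -s` output (system packages only).
SAMPLE_SYSTEM = """\
package:com.google.android.gms
package:com.android.chrome
"""

INSTALLER_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")
PACKAGE_RE = re.compile(r"^package:(?P<pkg>\S+)\s*$")


def parse_installers(text: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package (None where pm prints 'null')."""
    result: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = INSTALLER_RE.match(line.strip())
        if not m:
            continue  # skip blank lines or lines in an unexpected format
        inst = m.group("inst")
        result[m.group("pkg")] = None if inst == "null" else inst
    return result


def parse_package_list(text: str) -> Set[str]:
    """Parse a plain `pm list packages` listing into a set of package names."""
    pkgs: Set[str] = set()
    for line in text.splitlines():
        m = PACKAGE_RE.match(line.strip())
        if m:
            pkgs.add(m.group("pkg"))
    return pkgs


def find_sideloaded(installers_out: str, system_out: str,
                    trusted: Set[str] = TRUSTED_INSTALLERS) -> List[str]:
    """Return user-installed packages whose installer is not trusted.

    Preloaded system apps legitimately report installer=null, so they are
    excluded first; otherwise every system app would be a false positive.
    """
    installers = parse_installers(installers_out)
    system_pkgs = parse_package_list(system_out)
    flagged = [
        pkg for pkg, inst in installers.items()
        if pkg not in system_pkgs and inst not in trusted
    ]
    return sorted(flagged)


if __name__ == "__main__":
    for pkg in find_sideloaded(SAMPLE_INSTALLERS, SAMPLE_SYSTEM):
        print(f"sideloaded (not from Google Play): {pkg}")
```

Run against the constructed samples, the check flags `com.example.pokemongo` (no installer, not a system app) and `com.example.sideloaded` (installed through the manual package installer) while leaving Chrome and Google Play services alone. On a real fleet the same logic would run from the MDM agent or a scripted `adb` sweep.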
And it’s not just cybersecurity that’s a problem – physical security is too. Armed robbers in the US reportedly placed items in certain locations to lure players into a trap before mugging them. Ignoring the possible physical and psychological effects, the cost of losing a device and the data contained, unless it is encrypted and backed up, could be significant.
Then there’s the issue of privacy. Pokémon Go requires users to sign in with a Pokemon.com account or a Google account. This isn’t unusual, but when a Google account was used to log in, the application did not show users the permissions it was requesting and was instead granted full access to the account.
This meant the app would be able to send and receive emails, access files and possibly even gain access to other accounts via ‘forgot password’ links.
“Normally you’d see a little message saying what data the app is going to be able to access – something like ‘This app will be able to view your email address and name’,” said Adam Reeve who discovered the issue. “For some reason that’s not shown in this case, but I went ahead and logged in anyway. Then on a whim I went to see which permissions it was granted (you can see for your own account right here). To say I was a little stunned is putting it lightly.”
The issue appeared only to affect the iOS version of the game rather than Android, but Niantic has since fixed the problem and claimed it only ever logged user IDs and email addresses.
“Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access,” it told the BBC.
“Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go’s permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves.”
But the issue highlights concerns about the amount of data applications are able to access and how privacy must be protected.
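The fix Niantic describes, requesting only basic profile information, is the least-privilege version of the sign-in. The Python below is an added illustration (not the article's, Niantic's, or Google's code) of both halves of that: building an authorisation request that asks for nothing beyond the OpenID Connect sign-in scopes, and auditing what a token was actually granted so that an over-broad grant is caught. The token-info responses are constructed samples in the shape of Google's tokeninfo endpoint (a space-separated `scope` field); the client ID and redirect URI are placeholders.

```python
"""Least-privilege OAuth scopes: request the minimum, audit the grant.

Added example. The tokeninfo samples are constructed (same shape as
https://oauth2.googleapis.com/tokeninfo, whose `scope` field is a
space-separated list); the client ID and redirect URI are placeholders.
"""
import json
from typing import Set
from urllib.parse import urlencode

# OpenID Connect sign-in scopes: enough to identify the user, nothing more.
BASIC_PROFILE_SCOPES: Set[str] = {"openid", "email", "profile"}

GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# Constructed sample: a token that was granted far more than sign-in needs.
OVERPRIVILEGED_TOKENINFO = json.dumps({
    "aud": "placeholder-client-id.apps.googleusercontent.com",
    "scope": "openid email profile https://mail.google.com/ "
             "https://www.googleapis.com/auth/drive",
    "expires_in": "3599",
})

# Constructed sample: a token limited to basic profile information.
MINIMAL_TOKENINFO = json.dumps({
    "aud": "placeholder-client-id.apps.googleusercontent.com",
    "scope": "openid email profile",
    "expires_in": "3599",
})


def build_auth_url(client_id: str, redirect_uri: str,
                   scopes: Set[str] = BASIC_PROFILE_SCOPES,
                   state: str = "constructed-state") -> str:
    """Build an OAuth 2.0 authorization-code request asking only for `scopes`.

    `state` is the anti-CSRF value the client must later compare on the
    redirect; a real client generates it randomly per request.
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(sorted(scopes)),
        "state": state,
    }
    return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params)


def granted_scopes(tokeninfo_json: str) -> Set[str]:
    """Extract the set of scopes a token-info response says were granted."""
    data = json.loads(tokeninfo_json)
    return set(data.get("scope", "").split())


def excess_scopes(tokeninfo_json: str,
                  allowed: Set[str] = BASIC_PROFILE_SCOPES) -> Set[str]:
    """Return scopes granted beyond the allowed set (empty means least privilege)."""
    return granted_scopes(tokeninfo_json) - set(allowed)


if __name__ == "__main__":
    print(build_auth_url("placeholder-client-id.apps.googleusercontent.com",
                         "https://app.example/oauth/callback"))
    for label, info in (("over-privileged", OVERPRIVILEGED_TOKENINFO),
                        ("minimal", MINIMAL_TOKENINFO)):
        extra = excess_scopes(info)
        print(f"{label}: {'OK' if not extra else 'excess scopes ' + str(sorted(extra))}")
```

The audit side is the check an IT department can apply to any app that signs in with corporate Google accounts: whatever the consent screen did or did not show, the token-info response records what was actually granted, and anything outside the basic profile set is a finding.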
Given the excitement Pokémon Go has caused in the TechWeekEurope towers and on social media, an app that requires users to spend so much time and effort capturing Pokémon in certain areas of a real-life map is likely to have a negative impact on productivity.
Use of the camera and location services will drain the battery, and downloading and using the app could impact office networks.
As with Euro 2016 live streaming, preventing employees from doing something will have a negative effect on morale, but the consumerisation of IT and the freedom employees are afforded in a Bring Your Own Device (BYOD) world means Pokémon Go isn’t something IT departments can ignore.
After all, if BBC Radio 4’s Today programme features it, it must be big.