Pokemon Go - cybersecurity threat?

- Dave Nelson, CISSP, is president and CEO at Integrity.

It seems harmless, right? Just a way to burn off a little steam. Simply download this little app and go capture some Pokemon. Whew…don’t you feel better now? Great, glad to hear it. By the way, all of your company’s servers have just been compromised and your email system was hacked.

Yes, it is just that simple. Mobile apps are a real threat to the information security of every organization. According to Verizon’s 2016 Data Breach Investigations Report, data breaches from mobile devices such as smartphones were not a significant threat last year. However, there are known exploit packs available, and as smartphones increasingly take on daily computing functions, it is only a matter of time until a major data breach occurs due to a smartphone hack.

There are three areas of concern when using mobile apps. First is the proliferation of fake apps. Because apps are often restricted by device type, operating system version, country of origin, etc., there are many fake apps in the app stores. These applications are often filled with malware and malicious tools. Users who are not paying attention or have problems downloading the original app can end up welcoming this malware into their mobile phone.

A second problem is how users authenticate to the application. When the app allows users to sign in with their Apple ID, Google ID or Microsoft ID, the permissions requested for those logins require close inspection. For instance, when released, the Pokemon Go app allowed users to log in using their Google ID. The app requested far more permissions than needed, which gave the creators of Pokemon Go full access to your Google Mail, Drive, Calendar, Docs and other site features. Wow…talk about an invasion of privacy and a huge security breach. If your company uses Google products for any of its confidential data, you effectively gave the folks at Pokemon Go full access to your confidential information.
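One way an administrator could review these grants, shown as an added example that is not part of the original article: the script compares the scopes each app was granted against the handful needed for sign-in and flags any that reach Mail, Drive, Calendar or Docs. The record layout (`user`, `app`, `scopes`) and the sample grants are assumptions constructed for illustration.

```python
# Scopes that only identify the user (enough for "Sign in with Google").
SIGN_IN_SCOPES = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}
# Google scopes covering the services named in the article.
SENSITIVE_SCOPES = {
    "https://mail.google.com/": "Mail",
    "https://www.googleapis.com/auth/drive": "Drive",
    "https://www.googleapis.com/auth/calendar": "Calendar",
    "https://www.googleapis.com/auth/documents": "Docs",
}

def audit_grant(grant):
    """Return (severity, reasons) for one app's granted scopes."""
    scopes = {s.strip() for s in grant.get("scopes", []) if s.strip()}
    extra = scopes - SIGN_IN_SCOPES
    hits = sorted(SENSITIVE_SCOPES[s] for s in extra if s in SENSITIVE_SCOPES)
    if hits:
        return "high", ["data access: " + ", ".join(hits)]
    if extra:
        return "review", ["beyond sign-in: " + ", ".join(sorted(extra))]
    if not scopes:
        return "review", ["no scopes recorded; grant cannot be assessed"]
    return "ok", []

def audit(grants):
    """Map 'user / app' to its finding, skipping sign-in-only grants."""
    findings = {}
    for g in grants:
        severity, reasons = audit_grant(g)
        if severity != "ok":
            findings[f"{g['user']} / {g['app']}"] = (severity, reasons)
    return findings

# Constructed sample data, not output from a real tenant.
SAMPLE_GRANTS = [
    {"user": "alice@example.com", "app": "Game A", "scopes": ["openid", "email"]},
    {"user": "bob@example.com", "app": "Game B",
     "scopes": ["openid", "https://mail.google.com/",
                "https://www.googleapis.com/auth/drive"]},
    {"user": "carol@example.com", "app": "Notes",
     "scopes": ["profile", "https://www.googleapis.com/auth/contacts.readonly"]},
    {"user": "dave@example.com", "app": "Unknown", "scopes": []},
]

if __name__ == "__main__":
    for who, (sev, why) in audit(SAMPLE_GRANTS).items():
        print(f"[{sev}] {who}: {'; '.join(why)}")
```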

The last concern I want to cover is the permission level of the mobile app itself. Does it have the ability to access protected storage? Can it access stored credentials on the device? Can it record keystrokes, voice commands, search strings, etc.? Any of these could send confidential data back to an application developer and give them full access, not just to the device itself, but potentially to your internal network or the virtual private network (VPN) used for remote access. Whoops again…

As you can see, there are real dangers from mobile apps. To date, there have not been many reports of data breaches from this threat angle; however, it’s simply a matter of time. Organizations need to remain vigilant in restricting access for Bring Your Own Device (BYOD) programs and implementing strong controls for mobile devices such as smartphones and tablets. Don’t let the Pokemon capture you or your company.

Email: dave.nelson@integritysrc.com

Twitter: @integritySRC | @integrityCEO

Website: https://integritysrc.com

This site is intended for informational and conversational purposes, not to provide specific legal, investment, or tax advice.  Articles and opinions posted here are those of the author(s). Links to and from other sites are for informational purposes and are not an endorsement by this site’s sponsor.