Pokemon Go at Work: Is It Putting You and Your Company's IT Security At Risk?

Harold Aguirre
by Harold Aguirre 27 Jul, 2016

:: By Harold Aguirre ::


Gotta Catch Em All! 


That's the slogan for Pokemon Go; now the biggest mobile game in U.S. history. Whether it's a fad or here to stay, Pokemon has the entire world GO-ing absolutely crazy. 


If you grew up in the 90's or 2000's you probably heard of Pokemon well before the app was launched. Even if you had no prior knowledge of it's existence, by now you've probably crossed paths with someone playing the game or seen a post pop up on one of your social media feeds. 


As the slogan says, the aim of the augmented reality game is to capture the Pokemon on your mobile device. Just how many exactly? All of them - if you can.  



It's all about how much time and money players have to spend catching them. Unfortunately, the game has already claimed countless addicts who just can't get enough. People are walking around playing on their mobile devices from school, church, malls, parks and even from work. Anywhere they can capture, train or battle their Pokemon. 


Pokemon Go At Work

Naturally, if this game is all about spending time to capture the Pokemon, then there should be some concern with employees playing the game while at work. How exactly are they using their time at work? Being productive and completing work-related tasks or catching fictional virtual characters?  


The use of paid work hours isn't the only concern with employees using the app at work. There could actually be a considerable IT security risk associated with playing the popular game while at work. 


When Pokemon Hunters use iOS devices to download the app, they are given the option to either sign in from the Pokemon Trainer Club or conveniently sign in using their Google account. This generally intended to speed up the registration and sign-in process for app user. However, by doing so with Pokemon Go, they give the game's developer Niantic Labs access to all of their account information. Very few users actually read the security permissions, and if they do, the only way to restrict access to their information is to deny access entirely. 


The main concern and the initial cause of a wave of panic from IT security professionals is that with 'full access', Niantic could send and receive emails, access calendars, delete files from Google Drive, and perform a host of other actions using the user's account. 


If your employees are using iOS/Apple devices and your company uses Gmail as its business email platform or for any other collaboration projects, they could be leaving your company's doors open to cyberthreats. 


To take things a step further, even if Niantic Labs doesn't use the information, there is always the possibility of their system being hacked, giving attackers full access to users' sensitive information. Now this is assuming that gamers are playing the game using their own personal Google accounts. Imagine if they were to use their corporate email addresses to sign into the game. That would give the game developer and would-be hackers full access to business emails, files, maps, calendars, passwords and more. 


How did this happen? And who's to blame? 

Normally, apps only require basic information like name, age, location and gender to complete sign the sign-up process.


According to Niantic, they 'unintentionally' used an outdated, unsupported version of Google's shared sign-in functionality when they created the app. 


They claim that Google's 'full access' message is very misleading since in reality, they only have access to basic user information. To add, they say that they have never collected more than the ID and email address information of any user. The good news is that Google and independent security researchers have corroborated both of these claims.  


Who's to blame? Google or Niantic? 

Niantic quickly issued a public statement recognizing their error and assured everyone that they are working with Google to quickly fix the problem. Some say that it is Niantic's negligence in using an outdated version of the functionality, while others say that Google, the bigger more security-focused company should not have allowed the developer to use the old version. 


Regardless of who is to blame, some are skeptical since although Niantic was spun out of Google about a year ago, it is still a relatively unknown company with little history. 


Sideloading the App

Just when everyone thought there was no need to panic, security firm ProofPoint pointed out that there are other ways that cybercriminals could hack into and take control of users' mobile phones. 


The first official releases of the Pokemon App were in New Zealand and Australia on July 4, 2016, with a subsequent release in the U.S. on July 6. As word of the game's release quickly spread like wildfire throughout the stratosphere, people began looking for backdoor/illegitimate ways of sideloading the app onto their Android devices. Since the game was not released at the same time around the world, hackers saw the opportunity to release a malware-imbeded version of the app that if installed, gives them complete access over the victim's mobile device. 


Although ProofPoint didn't provide an exact number of devices that they think are are infected by the fake Pokemon app, they do recommend anyone who downloaded their app from a third-party provider to take steps to check if their device is infected. 


What does all of this imply for you and your business's IT security? 

It will be difficult for any company to fully protect their IT systems from cyber threats, but where the Pokemon Go App is concerned, they should attempt to regulate employees' usage on any devices that could potentially link back to the company's systems. This doesn't only go for Pokemon, but any non-work related app that involves the use company devices. 


Additionally, they should try to completely restrict employees from using company emails to access the app.  


As fun and viral as the Pokemon Go App may be, there still needs to be a certain level of attention paid to securing sensitive personal and company information. One that note, now go out and Catch Em All, just not at work nor using an illegitimate copy of the app.


Harold Aguirre is a self-acclaimed techie who has been working in the e-learning development industry for more than five years. As a freelance writer, he focuses on how modern education and training are being revolutionized by technology. His aim is to help educators and trainers to create more engaging and enriching learning experiences. More of his work can be seen on this eLearning company blog.