WASHINGTON—There already are signs at the National Holocaust Museum and at Arlington National Cemetery asking visitors not to play the Pokémon Go mobile augmented reality game while they are there.
There are reports that some of our nation’s lawmakers were seen playing Pokémon Go on the floor of the U.S. House of Representatives. There have been several armed robberies here of Pokémon Go players by criminals who used the game’s features to attract users, who were relieved of their smartphones and other valuables.
But the Pokémon Go phenomenon is not specific to Washington. It has become an international craze to the point that it’s now the lead story on some television network news programs. To some extent, the game, which has been available for only a week, seems fairly harmless and even seems to have some benefits—it’s getting people outside to walk around in search of Pokémon characters.
But for your company, Pokémon Go has a more sinister side. The game has huge potential as a cyber-security risk, malware vector, safety hazard, on-the-job time-waster for your employees and a waste of your company’s computing resources. Worse, the game may become a gateway into your company’s data stores and it can introduce malware that spreads within your network.
According to Chester Wisniewski, senior security advisor at Sophos, Pokémon Go brings threats from two different areas to people who play the game. If those people are your employees, they can bring those threats into your company. One of the most insidious is the fact that a spinoff of Google’s parent company Alphabet is the force behind the game and is handling the location and points-of-interest data for the game.
Niantic Labs uses Pokémon Go to gather information about its users so they can play the game successfully, but the company also has the ability to use that information for other purposes. “It’s an app that’s designed to track you,” Wisniewski pointed out. “Alphabet knows where you’re at,” he said.
Problems at Niantic Labs have added to the security issues with Pokémon Go. Wisniewski said that because of the company’s scalability problems, millions of users are forced to download the app from third-party Websites, where some of the software contains malware along with the game.
One version of the malware, called DroidJack, is able to gain access to anything on your Android phone, including all of your email, your contacts and your text messages. In addition, this malware can access your keystrokes, on-board microphone and camera.
Pokémon Go Brings Physical, Data Security Threats to Your Company
So far this malware doesn’t affect versions of Pokémon Go for iOS devices and it doesn’t affect versions from the Google Play store, but because the app is only available in five countries, users elsewhere have to go to third-party sites. However, even users in places where the official download of Pokémon Go is available apparently are downloading it from third-party sites, either because their Android devices don’t work with the Play store or because of performance issues.
Either way, the malware is a significant problem, especially for employees who keep critical or proprietary information on their phones where Pokémon Go or the malware can find it. But that’s not the only threat to the enterprise.
John Reed, senior executive director for Robert Half Technology, warns that games such as Pokémon Go can hurt productivity if employers aren’t careful about their use. “Any productivity loss would be on a case-by-case basis—sometimes mobile games can create a false sense of urgency for users, but employees can find a balance between their responsibilities and entertainment,” Reed said. He noted that allowing the use of games such as this during downtime, such as lunchtime and breaks, can actually encourage creativity.
But then there’s the other side of security, which is keeping people out of places where the public isn’t allowed to wander. The New York Times has reported an influx of people in its building in search of game characters. Several federal buildings in Washington have reported visitors entering because of the game, rather than because they were on government business.
The problem with a game that’s exploded in popularity in the way Pokémon Go has is that people and companies not involved with the game don’t know what to expect. In addition to the privacy concerns, the potential for malware and the problem of physical intrusions, people are simply showing up out of nowhere and then leaving in response to the game.
One action companies can take, Wisniewski said, is to set policies for what apps can be run on mobile devices that also contain company data. He suggests making it a requirement that only apps obtained from the app stores of the phone company can be used. Neither Apple’s App Store nor the Google Play store allows malware-infested apps, and while there have been occasional problems, it’s still a safer way to get apps than finding them in the wild.
And while you’re setting mobile app policies, it’s also probably important to require security software for mobile devices as a way to reduce the likelihood of malware infections that can threaten your network’s integrity.