Pratima H
CA, USA: Meteoric – the word - finally gets the right place to describe something really befitting. It’s no news how Pokemon Go has risen from just another game to a phenomenon. So much so that for millions of people who do not happen to be in the countries where it has been officially rolled out, there are already avenues to download it; even if it means tampering with app-permissions, fiddling with jail-break tricks and putting one’s smartphone (and oneself) in a vulnerable alley.
Now that’s an individual decision, risk and prerogative. But what if this individual walks in and out of a corporate castle and is hardly bothered about the moats of security that keep its IT sentinels occupied?
When millions of people are downloading apps it can seem innocuous at the surface, because hey, they are just having some fun grabbing monsters on the go. Yet, these monsters can turn into formidable Piranhas – not just because they are small but because this 'being small' makes them scarier than many huge, visible dragons.
They can swim in unnoticed and nibble quietly at things that matter. They can cause more harm than ever imagined for the sheer reason that they come in, yes, hordes.
Labelling apps and games as horror subjects is tempting. After all, there is enough screech and background music to paint them so. Copies of the game outside legitimate channels; side-loading-tutorials for the application on Android; grey-market versions available as APK files on some websites; countries like Iran banning the app; Google removing an emerging ilk of sneaky apps (like Pokémon Go Ultimate or Guide & Cheats for Pokémon Go from Play) etc are just signs that the game-fever is already confronting its flip side. We have not yet mentioned how the game-makers can potentially use all the GPS data and other information (someone warned about some new users having to allow Google account access to download the game) that is close-knitted with using the game.
There are even security researchers, like the ones from Proofpoint who have mentioned worrisome and malicious accessories like remote access tools (DroidJack) capable of usurping control over a victim’s phone. Such infected Android versions are indicative of what may follow soon.
Speculations also exist on whether the app entails a remote access tool that would allow so much control to attackers over a phone that the server may pick up connections from infected devices and follow them with commands
What makes these small creatures all the more creepy is the rising number of counterfeit apps in third-party app stores which once downloaded cannot just install spyware and spam on the given phone but also rake in precious data.
People can lose their discretion when they want to try out what the big deal is all about and an official version is still on its way – they may even jailbreak a phone or bite the bait of bootleg apps that many developers are baking fast or hurriedly (and recklessly) swipe past important steps like app-permissions.
If that’s not enough there are many hack guides, tutorials and tips that are piggybacking the craze to get past the otherwise huge-stone walls.
Industry players cite how Hacks by groups like OurMine have proven Pokemon Go to be more than just a cute time-waster. With BYOD and corporate-owned devices used to play, the app could provide cyber criminals and entry point to both business and personal files.
What happens to officially vetted and corporate-nod-done apps here that the proper regimen of enterprise app stores and IT procedures encourage? Should IT be already paranoid about a scenario where, thanks to an illicit download or malware, a compromised device after entering a corporate network, puts the entire castle at risk?
Are hot games really the evil creatures they are being painted as? What’s the real background sound that IT should tune into?
Mike Cobb, DriveSavers' Director of Engineering demystifies the ghostly air a bit and explains how game downloads from third-party sources are often to blame, but that doesn't mean that both users and IT departments can't take measures to prevent these types of security risks.
Here’s why IT should be spooked about Pokemon Go already or not?
Is the threat posed by Pokemon craze new/one of its kind? What is distinct about it this time when we think of BYO Apps culture? Any precedents that one can relate to?
No, this is not a new threat other than the immediate and widespread adoption of this Pokemon application. The more downloaded an app is, the bigger it is for being a target. I think that the best distinction is that it became so downloaded so fast. It might be a record, but I don’t know that.
Any specifics as to what makes this threat serious, infectious, and difficult to rein in? How much of this can be attributed to indiscreet downloads?
I don’t think I can answer this with anything of that due to the sheer magnitude of the number of users. Even if you tell everyone to delete the infected app due to not downloading from a reputable source, there will be a certain percent that won’t do that. Also, even if they have an infected app that can be fixed with an update to the OS on the phone, there will be another percent of people that won’t do that, making it so hard to rectify the problem with everyone.
The indiscreet downloads would be near 100 per cent of the problems, other than zero-day threats that may not have been discovered yet.
Why would the usual control, security and compartmentalisation policies on BYOD not work in this case?
Policies will be broken with either something that a user deems necessary for work or for games. Unless there is 100 per cent control of the device from IT, there will be a risk due to employees.
Does the threat landscape differ for native apps, hybrid apps, gaming apps, P2P, UberforX model of apps?
All of the threats will be similar and those threats depend on the access that is given to the apps from the developer and the user. Then it’s the popularity of the app for it to become a good vessel to possibly gain access to customer data.
What precautions and post-damage measures can you suggest for both corporates and individuals?
When it comes to precautions, it’s important for companies to not only create good procedures and policies for all of their devices, but to have constant training for their workers and then follow-up to be sure that they are backed up and secure.
What's your reckoning of the big picture of security, especially with rise of zero-day vulnerabilities, high-profile hacks and cases like Apple's recent patch?
With more and more devices connecting with others and with those devices holding more important intellectual and personal data, we are seeing a massive effort to create safer products with more updates to combat the found vulnerabilities. With that said, there are going to be many, many people that won’t be able to keep their devices safe without help from IT enforcing constant changes to their computing world. Many people around the world are going to be in for a bumpy ride with their data and their identity until these problems get figured out.