In June, we unveiled our Q2 Cloud Cybersecurity Report, “The Explosion of Apps,” which highlighted the exponential growth and security risks of third-party apps connecting to corporate networks. Just a few weeks later, a new app was launched and is seemingly unstoppable: Pokémon Go. In less than a month, an estimated 26 million users have installed the app in the US, with more than 75 million installs across Apple and Google platforms globally, breaking all mobile gaming records. This phenomenon has sent users out of their homes and offices to participate in the game, where they are spending more time than they do browsing Facebook, Snapchat, Twitter or Instagram (Source: SensorTower).
While the security vulnerabilities associated with the game have been widely publicized—the U.S. government was concerned enough about the national security threat posed by the game to issue guidelines on playing it to military and intelligence personnel—CloudLock went one step further to identify the implications for corporate networks. What we found was that employees are granting access to corporate environments despite these warnings, opening backdoors to their organization’s most sensitive databases via the app—access that can easily be exploited by cybercriminals.
Why is Pokémon Go a bad idea?
Pokémon Go is authorized to act on behalf of the user through an OAuth connection. When the app launched, this OAuth connection allowed the app, and by extension the vendor, Nintendo, to:
- View, edit, collect or delete anything related to the user’s Google account: documents, photos, emails, search history, location, contacts, and calendar.
- Send emails, analyze navigation history, and exfiltrate and externalize the user’s data through programmatic API access.
- Collect personal data alongside geotagging functionality and camera access.
It is also reported that several knockoff apps mimic the original but leak even more data.
To understand the impact of Pokémon Go on corporate SaaS platforms, we analyzed more than 900 corporate environments. Surprisingly, the major security issues that made mainstream headlines did not deter employees from handing over their corporate credentials to Nintendo, exposing all of their corporate data and busting open gateways into corporate environments for cybercrime.
Here’s what we found.
- 44% of all organizations have employees who granted access to Pokémon Go using their corporate credentials
- On average, 5.8% of an organization’s employees have installed Pokémon Go
- Only 12% of affected institutions have banned the app
- Education, media and technology industries are seeing the greatest impact
Two key stats bear emphasizing: 1 in 2 organizations have a Pokémon Go gateway into the corporate network, and a huge number of employees are opening these gateways, unwittingly exposing corporate data and systems to potential data theft and malware. When we looked at how far the game had spread within individual organizations, we found a K-12 institution, a university and a retailer with 4,468; 2,238 and 2,011 Pokémon Go users, respectively.
Pokémon Go Is Not an Outlier
It is the norm. In our Q2 Cloud Cybersecurity Report, CloudLock CyberLab focused on the accelerating growth of connected third-party cloud apps, surfacing one of the riskiest cloud attack vectors. We identified 150,000+ unique apps connecting to corporate cloud environments, a number that has increased 30x in the last two years alone. We also found that 27% of connected third-party apps are high or very high risk and need immediate attention from corporate security teams.
What does this mean for security teams?
Because the app is so popular and still gaining momentum, organizations should act immediately. It is critical to implement a high-level strategy as well as a specific Application Use Policy that outlines how applications will be whitelisted or banned. As the pace of disruption has increased exponentially, apps reach deep into corporate environments and spread more quickly than ever, so automating workflows (identifying, whitelisting, banning, and revoking apps) and taking action in real time has become essential. A super admin account should never be used to grant access to a third-party app, because such a grant can have enterprise-wide implications.
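As an added illustration of the OAuth permission problem described earlier and of the identify / whitelist / ban / revoke workflow above, the following Python script is not CloudLock’s code or tooling. It audits an export of third-party OAuth grants: each grant is classified by the data-access scopes it carries, an allow list and a ban list are applied, the rule that a super admin account must never hold a data-access grant is enforced, and every grant is reported as revoke, review or allow. The grant records, client ids and user accounts are constructed placeholders; the scope URIs are real Google OAuth scopes, and the first two sample grants mirror the full-account access the post describes. Carrying out the revocation itself is left to the admin console or API of the SaaS platform in use.

```python
"""Audit third-party OAuth grants and decide allow / review / revoke per grant."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Real Google OAuth scope URIs, grouped by how much account data they expose.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full Gmail read, send and delete",
    "https://www.googleapis.com/auth/drive": "full Drive read, write and delete",
    "https://www.googleapis.com/auth/contacts": "read and write contacts",
    "https://www.googleapis.com/auth/calendar": "read and write calendar",
}
MEDIUM_RISK_SCOPES = {
    "https://www.googleapis.com/auth/drive.readonly": "read every Drive file",
    "https://www.googleapis.com/auth/gmail.readonly": "read every email",
}
# Sign-in-only scopes: they identify the user but grant no data access.
LOW_RISK_SCOPES = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

@dataclass(frozen=True)
class Grant:
    app: str
    client_id: str            # OAuth client id the token was issued to
    user: str                 # account that approved the consent screen
    user_is_admin: bool       # True if that account holds super-admin rights
    scopes: Tuple[str, ...]

def classify_risk(scopes) -> Tuple[str, List[str]]:
    """Return (risk level, reasons). Unknown scopes count as medium so they
    land in the review queue instead of being silently allowed."""
    level, reasons = "low", []
    for s in scopes:
        if s in HIGH_RISK_SCOPES:
            level = "high"
            reasons.append(f"{s}: {HIGH_RISK_SCOPES[s]}")
        elif s in MEDIUM_RISK_SCOPES or s not in LOW_RISK_SCOPES:
            level = "medium" if level != "high" else level
            reasons.append(f"{s}: {MEDIUM_RISK_SCOPES.get(s, 'unrecognised scope, needs review')}")
    return level, reasons

def decide(grant, allowlist, banlist) -> Tuple[str, str]:
    """Apply the Application Use Policy to one grant: (action, reason)."""
    if grant.client_id in banlist:
        return "revoke", "app is on the ban list"
    if grant.client_id in allowlist:
        return "allow", "app is on the allow list"
    risk, reasons = classify_risk(grant.scopes)
    if grant.user_is_admin and risk != "low":
        # A super-admin's token can reach data tenant-wide; never leave it standing.
        return "revoke", "data-access scope approved by a super-admin account"
    if risk == "high":
        return "revoke", "; ".join(reasons)
    if risk == "medium":
        return "review", "; ".join(reasons)
    return "allow", "sign-in-only scopes"

def audit(grants, allowlist, banlist) -> Dict[str, List[Tuple[Grant, str]]]:
    """Group every grant under the action the policy assigns it."""
    result = {"allow": [], "review": [], "revoke": []}
    for g in grants:
        action, reason = decide(g, allowlist, banlist)
        result[action].append((g, reason))
    return result

def exposure_rate(grants, client_id) -> float:
    """Percentage of distinct users in the export who granted the given app."""
    users = {g.user for g in grants}
    exposed = {g.user for g in grants if g.client_id == client_id}
    return 100.0 * len(exposed) / len(users) if users else 0.0

# Constructed sample export; client ids and accounts are placeholders.
FULL_ACCESS = ("https://www.googleapis.com/auth/drive", "https://mail.google.com/", "email")
SAMPLE_GRANTS = [
    Grant("Mobile game", "game-client.example", "alice@corp.example", False, FULL_ACCESS),
    Grant("Mobile game", "game-client.example", "bob@corp.example", False, FULL_ACCESS),
    Grant("Approved CRM", "crm-client.example", "carol@corp.example", False,
          ("https://www.googleapis.com/auth/contacts",)),
    Grant("Note taker", "notes-client.example", "dave@corp.example", False,
          ("https://www.googleapis.com/auth/drive.readonly", "openid")),
    Grant("Chat tool", "chat-client.example", "admin@corp.example", True,
          ("https://www.googleapis.com/auth/calendar",)),
    Grant("SSO login", "login-client.example", "erin@corp.example", False,
          ("openid", "email", "profile")),
]
ALLOWLIST = {"crm-client.example"}   # apps vetted by the security team
BANLIST = {"game-client.example"}    # apps the policy bans outright

if __name__ == "__main__":
    report = audit(SAMPLE_GRANTS, ALLOWLIST, BANLIST)
    for action in ("revoke", "review", "allow"):
        for g, why in report[action]:
            print(f"{action:6} {g.app:12} {g.user:18} {why}")
    print(f"{exposure_rate(SAMPLE_GRANTS, 'game-client.example'):.1f}% of users granted the game")
```

Two design points are worth noting. Unknown scopes fall into the review queue rather than being allowed, so a newly introduced scope cannot slip through the policy unnoticed, and the super-admin rule is checked before the scope-based rules so that an admin-granted token is revoked even when the app would otherwise only merit review. The exposure rate mirrors the per-organization percentages reported above and gives a security team a quick measure of how far a single app has spread.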
Download our full report to learn more about the implications of Pokémon Go in corporate environments.