Unless you live under a rock, you’ve likely heard of Pokémon Go, the augmented reality video game currently taking the world by storm. According to a recent Forbes article, the game is close to having more daily active users than Twitter.
Massive productivity losses aside, the game has the potential to do some serious damage. And I’m not talking about your coworker walking off a bridge because they can’t look up from the game for three seconds, although there’s no shortage of that going on, either.
So, what am I talking about? I’m talking about the excessive set of permissions requested by the game when enabled via Google OAuth – which is currently the only means of registering for the game.
When users enable the application, they endow the app with a range of privileges. In fact, the app appears to request “full account access.” This phenomenon is not uncommon in the world of OAuth-enabled applications.
For instance, consider a calendar-enhancing application that skims your email for signs of a potential appointment and automatically creates an event. It would need your permission to read your email and create calendar events. Pretty straightforward.
The problem, however, is that Pokémon Go may request a horrifyingly extensive set of permissions: not only access to geolocation data and the camera, but more alarming permissions such as access to email content. In essence, Pokémon Go will know the name of your third-grade teacher and what you were doing at 2:46 p.m. yesterday.
If this illustration is an exaggeration, it is only a mild one. Let’s hope they’re keeping this data safe and away from the prying eyes of cybercriminals and governments. At least in the iOS version of the app, I do not even have the opportunity to review the access scope of the app as I can with other apps.
Note: While it appears the app requests full account access, the app – despite the UI – actually requests less than full account access, which will be corrected in future versions. Some of the permissions the app is requesting, however, may still be considered excessive.
The Corporate Cybersecurity Angle
While the potential of an app having excessive access is terrifying for individuals, the story is that much more horrifying when you consider the possibility of individuals signing up using corporate credentials for a non-work-related application, which happens (way) more than you might think.
In fact, CloudLock has already identified 8,000 users that have enabled Pokémon Go across 260 organizations. Which brings me to my next point.
How CloudLock Helps
With CloudLock Apps Firewall, security teams can identify all instances of corporate credential use in third-party cloud app enablement and then exercise control over the apps, including revoking the apps if they seem excessively risky and/or provide minimal business value.
CloudLock simplifies this process through the Community Trust Rating – our crowdsourced, peer-driven assessment of application risk – and our rule-based, policy-driven app control.
The Explosion of Apps
New Shadow IT risk vectors are coming into play in the form of connected third-party apps. In our most recent Cybersecurity Report, we dive into the nature of user-enabled cloud apps and their security implications.