The Pokemon Go phenomenon is real. Players of the mobile device augmented reality “scavenger hunt” app are out on the streets in droves hunting down Pikachu, Psyduck, Bulbasaur, Charmander and other elusive Nintendo-based cartoon characters. Chances are you or someone you know is playing the game…don’t lie, you’re playing it, aren’t you? The mobile game, developed by Nintendo partner Niantic, has caused Nintendo’s stock to jump 36%, adding $7 billion to its market cap.
This week, news broke that the app may actually contain a gaping hole in its security settings that allows the developer (Niantic Labs) to read and send Google emails; view, edit and delete docs in Google Drive; and see Google browser history details. Apparently, Niantic used an outdated version of Google’s shared sign-on service during the development of the app in order to make account creation more convenient for players. Niantic bypassed the step that allows users to customize the permissions in the app and simply warned players that the app had “full access” to their accounts.
Don’t rush to delete the app. Your Pokemon hunting days are not yet over. Niantic has confirmed that the wording “full access” is misleading and that only basic data such as user ID and email are being collected, and that Google will soon change the app so it notes that it is only collecting “basic” Google profile information.
Last week I published the blog “Is your Mobile Device Putting Your Company at Risk?” noting that this very scenario could lead to a major cyber breach. Many mobile applications will contain security vulnerabilities or exploitable holes in their development, allowing hackers a way into your network or access to your or your clients’ confidential data.
As I also mentioned in that prior blog, mobile security practices must be included in your cyber risk mitigation strategies.
Click here if you’d like help with structuring your Cyber Risk program or to request more information about The ALS Group.