You’re probably already watching your IT staff like a hawk to make sure they’re not stalking Pokémon on your dime. But should you also worry that their slacking is also a security risk?
If your Pokémon hunters—er, employees—are using iOS devices and your organization uses Gmail as a business email platform, the answer is…well, maybe.
It all came to light late last week, shortly after the release of the now phenomenally popular Pokémon GO mobile game. Adam Reeve, a Tumblr blogger who works for a security analytics firm, raised a red flag to users when he posted that players using iOS devices who sign in through their Google accounts grant game developer Niantic Labs access into all of their account data. For iOS users, there’s no option to edit these permissions—the only option is to revoke access entirely.
That’s a big problem, particularly if you rely on Gmail as your business email platform. Google’s Gmail is a popular business email system due to its many features, portability and—ironically, in this case—security capabilities. Should Niantic Labs get hacked, your data could be vulnerable. The result of Pokémon GO players granting Niantic Labs access to their Google accounts is that someone at the game developer potentially could read all email, send email as the user, access all Google Drive documents, access search history and Google Maps history, access and reset passwords, access all photos, and do various other nefarious things.
Is your security-minded brain reeling yet? It should be. But there’s hope yet: Niantic Labs has flagged the problem as a mistake and is taking steps to fix it. Here’s some of the company’s statement to the media on the issue:
We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.
Can you trust Niantic Labs’ statement, and its security policies? There’s no indication that Niantic Labs is actually planning to do anything with the data, or that it actually accesses user data at all, especially if the access to Google accounts indeed was erroneous. But although the company itself was spun out of Google last year, it’s a relative unknown, so it’s difficult to know if its security practices are sound. And if you’re concerned about privacy and IT security, as most smart people are, the whole scenario is downright scary.
The best bet for IT administrators is to carefully regulate usage of the Pokémon GO game by employees on any devices that link back to company IT assets, and completely restrict any employee from using a business-related email account to access the game. You don’t need employees trying to catch Pokémon while they’re on the clock anyway—and as cool as augmented reality may be, it sure isn’t worth the risk of opening up your IT world to hackers.