Corporate professionals have called on organisations to ban the installation of Pokémon Go on both corporate-owned, business-only (COBO) devices and "bring your own device" (BYOD) devices that have direct access to sensitive corporate information and accounts.
The professionals, who work in Information Technology Asset Management (ITAM), which is designed to keep phones, tablets, and other devices secure in the workplace, warn that the game could lead to data breaches and encourage bad behaviour.
Dr. Barbara Rembiesa said: "Frankly, the truth is that Pokémon Go is a nightmare for companies that want to keep their email and cloud-based information secure. Even with the enormous popularity of this gaming app, there are just too many questions and too many risks involved for responsible corporations to allow the game to be used on corporate-owned or BYOD devices.
"We already have real security concerns and expect them to become much more severe in the coming weeks. The only safe course of action here is to bar Pokémon Go from corporate-owned phones and tablets, as well as employee-owned devices that are used to connect to sensitive corporate information."
Dr. Rembiesa highlighted data breaches as a possible concern. When the game was released, a user discovered that Pokémon Go allowed Niantic Labs, the game's creators, to access their entire Google profile, including their history, past searches and anything else associated with their Google Login ID.
This has since been corrected, but for COBO devices the result was, by definition, a data breach, said Dr. Rembiesa. It is unclear how extensive the data breaches were before the changes, what happened to the information accessed, and how that information was stored and/or destroyed. Further, there is nothing that would prohibit Niantic Labs from once again seeking access to all or some of this information.
Furthermore, there are now reports that some versions of the Pokémon Go app available from non-official app stores may include software enabling cyber crooks to remotely control the user's phone or tablet. The online security firm Proofpoint has already detected knockoff Android copies of Pokémon Go in the wild containing a remote access tool (RAT) dubbed DroidJack.
Dr. Rembiesa stated that Pokémon Go must be considered a "rogue download," which is any software program downloaded onto a device that circumvents the typical purchasing and installation channels of the organisation.
Rather than simply banning Pokémon Go, corporations should use this as a learning opportunity to help employees understand the rationale against rogue downloads, particularly the security risks they represent.