
Pokémon GO Exposes Risks of Bring-Your-Own-Device (BYOD) Policies

There’s no denying it: Pokémon GO is a phenomenon.

The smartphone game, in which players use their mobile device camera and GPS to capture, battle, and train virtual creatures, was released in the United States on July 6th.  In a month, it has shot to the top of the App Store charts to become the biggest mobile game in U.S. history.  Within just days of its release, Pokémon GO already had surpassed app giants like Twitter and Tinder in number of downloads and active users, with more than 25 million users playing each day.

But with its popularity, Pokémon GO has raised potential data security concerns.  In particular, the app poses issues for businesses with bring-your-own-device (BYOD) policies, in which employees use their own computers, smartphones, or other devices for work purposes.

BYOD is quickly becoming the norm in the workplace.  Current estimates indicate that more than half of employers have adopted a BYOD policy, with numbers increasing steadily each year.  Employees see BYOD as an effective tool for improving productivity—yet employers consistently rank security risks as the top concern in determining whether to adopt a BYOD policy.

Pokémon mania likely won’t alleviate those security concerns.  Of course, some apps installed on a personal device used for work pose a potential risk.  But there has been much attention paid to the issues with Pokémon GO due to its meteoric popularity and the fact that the app requires smartphone access (including the camera and location data) to enable gameplay.

In the few weeks since its release, several data security problems with Pokémon GO have been reported.  First, users noticed a flaw that allowed the app full permission to a user’s Google account when the user was signed in with a Google login ID, giving the app full access to the user’s entire Google profile, including emails and search history.  The game’s developer, Niantic, Inc., reports that it has now corrected this error, and it is not yet clear whether any unauthorized data was accessed through the loophole.  But this security flaw raises the specter of a data breach risk and underscores the dangers inherent in nascent apps.

Additionally, perhaps unsurprisingly given its popularity, there have been malware issues associated with imitation Pokémon GO.  Since the game is only currently available in the United States and a few other countries, developers have churned out several knock-off apps.  Some of these copycats have been reported to contain dangerous malware that could allow hackers to access users’ personal correspondence and other information or remotely gain full control of the victim’s phone.

Businesses should be watching the Pokémon GO phenomenon closely.  With the continued ascendance of BYOD plans, Pokémon GO won’t be the last time that an app craze creates anxiety for businesses and IT personnel.