How many of your employees or contractors installed the popular Pokémon GO app on their dual-use mobile device over the past week? The game seems like harmless fun, but there are Pokémon GO security risks. As of July 8, at least five percent of Android devices in the U.S. had downloaded the app according to web and app analytics company SimilarWeb. The company also reports that Pokémon GO downloads have exceeded downloads of the Tinder app and may soon collect more daily active users than Twitter.

But why should CISOs and security professionals care whether employees spend their spare time hunting Pokémon? Because every app an employee installs on a mobile device that they also use to connect to the corporate network and handle sensitive data can put an enterprise at risk. CISOs and data security professionals all over the world wrestle with the challenge of gaining visibility into the devices that connect to their corporate network, the apps installed on those devices, and vulnerabilities in or permissions granted to those apps.

At first, Pokémon GO appeared to be a highly visible example of an app’s overzealous requests for permissions. Even if claims of what the app could access or what functions it could perform as a result were exaggerated, I’m glad it received attention. It helps increase general awareness of the potential risks of over-permissioned apps. The security community jumped at the chance to get to the bottom of the issue, and Niantic Labs, developer of Pokémon GO, admitted the mistake and said they will rectify the situation. That sounds, to me, like a win. But here’s what I hope CISOs, security professionals, and developers will take away from this case:
- The apps installed on employees’ mobile devices may include vulnerabilities you’re not aware of and ask for permissions they don’t need that grant them access to corporate data stored and transmitted by dual-use devices.
- If you develop apps, you need visibility into every nook and cranny of every app: you need to validate what permissions your apps request and determine whether your apps contain vulnerabilities that might put your users at risk.
Update – July 13, 2016
On July 12, Niantic Labs pushed an update to the Pokémon GO app in the Apple App Store. That update, version 1.0.1, “fixed Google account scope.” Upon re-installing the app, I was prompted to give Pokémon GO access allowing it to know who I am on Google and view my e-mail address. I then confirmed what access Pokémon GO had to my Google account at https://security.google.com/settings/security/permissions, which was basic account information instead of the full account access it had on Monday.
How many permissions are too many?
Last week, Systems Architect Adam Reeve reported that Pokémon GO was granted full access to his Google account without explicitly asking for permission. Reeve said, “And they have no need to do this – when a developer sets up the ‘Sign in with Google’ functionality they specify what level of access they want – best practices (and simple logic) dictate you ask for the minimum you actually need, which is usually just simple contact information.” Google itself explains full account access as “the application can see and modify nearly all information in your Google Account (but it can’t change your password, delete your account, or pay with Google Wallet on your behalf).” I understand why this fact concerned Reeve.
Information security vendor Trail of Bits set out to separate fact from fiction in a blog post by identifying the actual permissions requested by the app and what those permissions actually do. CEO Dan Guido wrote that the app using the OAuthLogin scope caught his attention but that some of the permissions requested by Pokémon GO can’t actually be provided to the app:
It’s not possible to use this OAuth scope from Google’s own OAuth Playground. It only gives various “not authorized” error messages. This means that the OAuth Playground, Google’s own service for testing access to their APIs, is unable to exactly replicate the permissions requested by Pokémon Go.
Now how or why this occurred isn’t yet exactly clear, but in a statement to Gizmodo, Niantic Labs did say it was an error and that they’d be taking action:
We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.
Ari Rubinstein, senior product security engineer at Slack, also analyzed the app, the OAuth token provided to the app, and what services the app has access to as a result. In his conclusion, Rubinstein states the following:
It appears that using this token in the way that was initially suggested would still be difficult with this grant as the type of use for it is not programmatic (unless there is another hidden api somewhere to grant api tokens). Omitting this scope seemed to make the auth known as “Basic user information” instead of “Full account access”, and is likely what Niantic will do to update the client.
Counterfeit, malicious versions of Pokémon GO
Another security concern brought to the surface by Pokémon GO is counterfeit versions of the app in markets where the app is not yet available (outside the U.S., Australia, and New Zealand). Attackers take advantage of people’s anticipation in those markets by continually publishing new, malicious versions of the app. Data security company Proofpoint has found a fraudulent version of Pokémon GO on an unofficial Android app store that also contains the DroidJack remote access tool (RAT). Users in countries where Pokémon GO hasn’t yet officially launched may “sideload” the app from unofficial sources and put themselves at risk.
The popularity of Pokémon GO led to increased scrutiny of the app. What concerns me even more, though, are less popular apps that don’t receive the same attention (whether from the organization developing it or from CISOs trying to manage mobile risk at their organization). After all, we find that one in four mobile apps contains at least one high-risk security flaw. Mary Meeker stated in her Internet Trends 2016 presentation that on average in the U.S., users install 37 apps on their device (not including pre-installed apps). That means it’s possible that each mobile device in the U.S. has at least nine apps installed on it that include high-risk security flaws or issues that expose corporate data or information that can be used for illicit purposes such as social engineering attacks.

CISOs and data security professionals need to establish processes and technology that give them visibility into the devices that connect to the corporate network, the apps installed on those devices, and the vulnerabilities and other risks associated with those apps. Even seemingly harmless apps might go over the line in requesting permissions and could potentially put an enterprise at risk.

Development organizations and product management teams concerned about quality need to make sure the apps they develop undergo thorough security testing throughout the development process and prior to deployment. It seems Niantic Labs was not aware of the app requesting more permissions than necessary. Developers should also focus on using and requesting only the minimum privileges needed for their app to function – and be as explicit as possible in informing users about what permissions they seek.

Users must not let their desire to use an app supersede their better judgement. Don’t blindly install apps from unofficial app stores, and don’t blindly accept the permissions requested by an app.
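Reeve’s point about asking for the minimum scope, and the advice above to developers, can be made concrete. The following is an added example (not code from Niantic, Google, or this post): it builds a least-privilege “Sign in with Google” authorization request using only the `openid`, `email` and `profile` scopes, and a small audit function that parses any authorization URL and reports scopes outside that allowlist, which a team could run in CI against its own sign-in code. The client ID and redirect URI are placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Google's OAuth 2.0 authorization endpoint.
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# The only scopes a plain "Sign in with Google" flow needs: an ID token, the
# user's e-mail address and basic profile. Anything beyond this allowlist is
# reported as over-privileged by audit_scopes().
MINIMAL_SIGNIN_SCOPES = frozenset({"openid", "email", "profile"})


def pkce_pair() -> tuple:
    """Return (code_verifier, code_challenge) for PKCE with the S256 method."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_signin_url(client_id: str, redirect_uri: str,
                     scopes=MINIMAL_SIGNIN_SCOPES) -> tuple:
    """Build an authorization request URL. Returns (url, state, code_verifier).

    The caller stores state and code_verifier in the session and checks them
    when the callback arrives (state binds the callback to this request).
    """
    state = secrets.token_urlsafe(32)
    verifier, challenge = pkce_pair()
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(sorted(scopes)),  # OAuth 2.0 scopes are space-separated
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{GOOGLE_AUTH_ENDPOINT}?{urlencode(params)}", state, verifier


def audit_scopes(auth_url: str, allowed=MINIMAL_SIGNIN_SCOPES) -> dict:
    """Parse an authorization URL and report every scope outside the allowlist."""
    query = parse_qs(urlparse(auth_url).query)
    requested = set(" ".join(query.get("scope", [])).split())
    excess = sorted(requested - allowed)
    return {"requested": sorted(requested), "excess": excess,
            "least_privilege": not excess}
```

Pointing `audit_scopes` at the URL your sign-in code actually emits (rather than at the scopes you believe it requests) is what catches the kind of mismatch Niantic described between intended and requested access.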
Users should double check what apps have access to their Google and other accounts to make sure they’re comfortable with the permissions granted, and revoke that access if they’re not. Users can review what apps have what access to their Google account at https://security.google.com/settings/security/permissions.