Originally published by App Developer Magazine.
By Mike Cobb, Director of Engineering at DriveSavers
Pokémon Go, the smartphone game that became an overnight worldwide sensation, may be more than the latest technology must-have. The cute augmented reality app could actually provide cybercriminals an entry point to your business and personal files.
Company security directors were already wringing their hands over employees who mix their work and private information on the same phone. Now, with the Pokémon Go phenomenon, comes another threat—malware added to the treasure hunt game’s software may give hackers remote control access to everything onboard. On August 4, the BBC reported that Iran had become the first country to ban the game, citing unspecified “security” risks.
However, Pokémon Go isn’t the first mobile application to provide hackers an entry point to access files. Developers are asking for far greater power over a user’s device than in the past and many programs have the right permissions to access all sorts of info. Hackers can use that to their advantage. Even common programs like free flashlight apps have been known to hide malware that detects when a banking app snaps a picture of a check, then sends that check image someplace the user did not intend it to go.
Earlier this year, a security firm found that between 75 and 80 percent of the top free apps on Android or iPhones were breached. This number increases to 97 percent among the top paid apps. Almost any type of malware can be disguised as an add-on to Pokémon Go and installed, or even as Pokémon Go itself, and it’s likely the game’s popularity that made it a target for cybercriminals.
In today’s “there’s an app for that” culture, what can be done to prevent wrongdoers from using popular mobile programs, like Pokémon Go, to access business and personal files? There’s a role that consumers, app developers and IT departments can each play.
IT Managers: Outline Device Policies
The level of restrictions that need to be put on apps should be clearly outlined in a company’s BYOD or company device policy. Also include preferred browsers, app stores and security tools.
In addition, IT managers can prevent cybercriminals from using gaming and other apps to access files on BYOD or company-owned devices by blocking unverified servers. This may prevent the download of any apps that are not specifically allowed by IT.
Developers: Only Sell in Trusted Stores
App developers can help make sure that consumers are downloading the correct program by also taking advantage of Google Play and the AppStore. Developers should only use trusted stores to sell their products and users should only load software from trusted stores.
Developers can find ways to make it harder for hackers to make use of their software, but most things can be “spoofed.” Google, Android, Apple and all the legitimate developers will continue to help each other try and stay ahead of malware so they can have the best and most trusted platforms and applications. It’s a continuing process and taking advantage of trusted app stores is one small piece.
IT Managers: Make Sure Users are Downloading the Correct App
With Pokémon Go, many problems were traced to game downloads from third-party sources, where mal-intentioned software writers have posted tainted code posing as authentic gameware. These copycat apps and add-ons have similar names, but no direct connection to the game and may lead users to an entirely different and unsafe location. The Wall Street Journal reported that suspect software has been removed from the Google online marketplace, but more such apps are being developed and sold even through trusted marketplaces every day. Any download from anywhere needs to be effectively vetted before installation.
For users looking to add new apps and avoid malware, the best place to start is by only downloading programs from Google Play (on an Android) or the AppStore (on an iPhone). Both of these stores review apps before making them available for purchase and have been successful at weeding out most (but not quite all) malware. Advise company users not to download apps from any third-party stores.
Educate company users on the value of knowing the maker of an app before downloading anything. For example, Pokémon Go is made by Niantic Inc., so any downloads of Pokémon Go or related add-ons should be made by Niantic Inc. If someone finds an app on Google Play or the AppStore that appears to be correct, but the maker doesn’t match what they’ve read or heard about, we recommend not downloading it.
Consumers: Pay Attention to Your Permissions
Some download requests want blanket access to everything on a user’s system. Users should always review what information the app really needs before downloading anything from any source. Be extremely wary of requests for personal information, like an email account or access to contacts.
In the case of Pokémon Go, the app uses your camera and location to play the game. However, if the app were to ask for something that doesn’t make sense or something the user isn’t comfortable allowing, we recommend saying “no” and deleting the app.
Trouble? Power Down.
An important note for IT departments to share with people at their companies: If an app causes trouble, remove the phone’s battery to stop it from functioning. If the affected phone is an iPhone with a battery that cannot be removed, hold down the Home and Power buttons at the same time until the device turns off.
After powering the phone on again, immediately delete the troublesome app. Often, these malware apps do not show an icon on the home screen, so it may need to be found in settings and deleted from that location.
If the harmful app cannot be deleted, a factory reset may be necessary. Hopefully, the phone will have been backed up prior to the reset. IT should regularly advise backup strategies for important data in case of malware, damage to a device or other data loss situations.
About the author: MIKE COBB, DrivesSavers
Mike Cobb has a B.S. degree in Computer Science from the University of California, Riverside. Since joining DriveSavers in 1994, Mike has worked on all aspects of engineering as well as heading the Customer Service Department for several years. Prior to joining DriveSavers, Mike gained invaluable experience creating mirroring and compression products while working at Golden Triangle Software in the early1990’s.