Pokemon Go is taking over the world. It is an “augmented reality” platform where you hunt Pokemon characters using your phone and GPS coordinates. Many have voiced concern over privacy and safety.
I recently talked about those concerns on Channel 4 News:
The attention focused on security and privacy distracts from three other areas worthy of discussion. In some cases, the solutions might be more challenging and less obvious. That’s precisely why we can use the Pokemon Go craze to advance the dialogue in our organizations. Here are some of the areas to tackle:
Fake Applications
Due to the overwhelming success of the app so far, a large number of fake or malicious applications have been released. These applications are billed as the real Pokemon Go application, but are actually malware used to gain access to the user’s device. These fake apps are found on third-party sites, not typically in the official app stores.
My questions to the organizations out there:
- Have you thought about how these rogue applications could be created in response to your applications?
- What effect does that have on your organization and your users?
- Are there any controls you can implement that would help stop that type of behavior?
I’m fascinated with exploring if/how this could be stopped. I am not sure there is a way for an organization to completely block fake apps disguised as their own. It may be possible to issue takedown orders, but that could get out of hand pretty quickly. It also requires you to track all of these apps as they pop up. Maybe the best we can do is reinforce with our users where to get the official application and that they should not download it from third-party sites.
One of the factors that made fake apps so popular with Pokemon Go is that the app was not released to everyone at the same time. This led users to look for a way to get access before it was available to them.
Scams
Popularity brings scams. Whether it is phishing, vishing, smishing or any other type of scam, we may want to start thinking about the possibilities before the release. While we cannot stop scammers from taking advantage of our popularity, there may be some ways to reduce some of the risk.
Take this example from Pokemon Go. Not long after the release, there were reports of phishing emails going around indicating that, due to the popularity of the game, it would no longer be free. The user’s account would be locked if they didn’t go to a website and start paying $12.99/mo for access. This could lead to the theft of credit card information or user credentials.
Three questions to guide the conversation:
- How do you communicate to your customers/users?
- How does your business model affect the types of scams available?
- How do customers contact the organization for concerns, and are you ready for it?
This isn’t a new technique. Rumors of Facebook moving to a pay service have spread for a long time. None have been true from what I can tell. However, this gives us an example of the types of scams that may be used. It allows us to consider how we would handle this type of communication if it were to happen. I wonder how the communication would happen if an app did decide to switch to a monthly service. Would the notice come from within the application? Would the company release information on its official site? How would the users know?
Legal
Inevitably, organizations that provide products and services are under heavy legal scrutiny. Of course there are the obvious issues that come up all the time. With Pokemon Go, we are going to see some interesting cases attempting to make the game and its creators liable for a myriad of incidents. We have already seen in the news incidents where players were caught trespassing in a zoo, were shot at in their car, and were even involved in automobile accidents.
Three questions to consider:
- How involved is the legal group during the creation of an application?
- What do your terms of service cover regarding liability concerns?
- Is your legal group ready to respond to raised concerns?
While none of these events have brought legal suit against the game or its creators, these are things that should be considered with such an interactive offering. Reducing liability through terms of service may be the first step, but it may not be a complete solution. I am no lawyer, but I do believe that this is another area that should be fully understood when analyzing the risk of an application. What are you doing to be prepared if legal action is taken?
Next Steps
There are a lot of things to consider when we create new applications and services. Some of these can be solved, while others cannot. It is impossible to think of all the different things that could go wrong. However, if we look at the things that happen to other applications, we can find new ways to view our own applications and procedures. Maybe no changes will be made, but at least we will have considered some of these topics rather than being blind to them.
Jardine Software helps companies get more value from their application security programs. Let’s talk about how we can help you.
James Jardine is the CEO and Principal Consultant at Jardine Software Inc. He has over 15 years of combined development and security experience. If you are interested in learning more about Jardine Software, you can reach him at james@jardinesoftware.com or @jardinesoftware on Twitter.