The wildly popular app Pokemon Go is great fun and games for consumers, but not so much for businesses, partners say, expressing concerns over third-party application security as the app blurs the lines between consumer and enterprise technologies.
Over the weekend, the game, which allows players around the world to use virtual reality on their mobile phones to collect and battle Pokemon, experienced a server outage that one group alleges was due to a distributed denial of service attack. PoodleCorp has claimed responsibility for the attack, but its involvement has not been confirmed.
Last week, concerns about the app's access to a user's Google Account emerged, prompted by a blog post by RedOwl Analytics Principal Architect Adam Reeve, who called it a "huge security risk." Original reports said the app gave full access to a user's Google Account, including the ability to send and read emails, but later clarification found that the company was only able to access profile information.
Allen Falcon, CEO at Westborough, Mass.-based Cumulus Global, said multiple clients have already asked him about the app and its security implications, particularly around access to Google data. Cumulus Global is a reseller of both Google Apps and Microsoft Office 365.
While the security concerns weren't as significant as originally thought, Falcon said Cumulus Global is still recommending that clients with regulatory compliance standards not allow employees to access the app, as access to email contacts could violate those conditions.
"Any organization that has regulated data that needs to be kept secure, an employee logging in with Pokemon Go would be violating that organization's compliance standards," Falcon said. "Our recommendation is always to monitor and manage third-party access to company data…and that you have policies in place that employees understand that they should not grant access to third-party apps."
Falcon said he hasn't heard as much concern from clients about the potential DDoS attack over the weekend.
While he hasn't been involved in any particular client conversation around the Pokemon Go app, Steve Perkins, chief marketing officer at Denver-based Optiv Security, said the trend of potential app access to corporate data speaks to a growing concern around corporate data privacy and protection from third-party applications.
"We just breached a whole new type of technology model that blurs into consumerism. I don’t think we've begun to understand the security threats and implications," Perkins said.
For a partner, there's a role not only in protecting clients whose employees use third-party applications, but also in third-party risk development, Perkins said. Partners like Optiv can help developers make sure their applications meet certain standards for data privacy and protection, to avoid concerns like this altogether in the future, he said.
"We're going to be more focused on understanding the implications and consequences of businesses that serve out and support that type of technology so when they go and build something like that, they will consult security companies to think through data privacy and protection and general privacy issues," Perkins said.