This is a special guest post from Nick DeLena, Senior Manager of IT Audit & Security at OCD Tech, a Division of O’Connor & Drew, P.C., one of the most well-respected regional accounting, tax and business/IT consulting firms in New England.
If you’ve been to the Common recently you might have thought you were on set at an episode of The Walking Dead. Hundreds of people, ambling around with their arms outstretched, seemingly possessed. They’re not zombies, they’re playing Pokémon Go! Few mobile apps have gone viral as quickly as this game. Niantic, Inc., the developer, has pulled off an ingenious feat that blends augmented reality (overlaying virtual elements on the real world), physical activity, and a form of captive marketing in which business owners can pay to turn their stores into “PokéStops” to attract highly distracted customers.
Unfortunately, there have been some missteps along the way. The first version of Pokémon Go requested full access to your Google account when you signed in with it, which granted the developers free rein over your Gmail, photos, calendar, Google Maps location history, and every other Google product you might use. Google’s own guidance is that the “full account access” privilege “should only be granted to applications you fully trust.” The developers offered a mea culpa once the news broke and promised that a fix would follow. Anyone who granted that permission can revoke it themselves from the connected apps and permissions page of their Google account; it is worth checking that page periodically regardless of this one game.
Even if we assume it was a genuine mistake, we should take it as a teachable moment. Smartphones have become an integral part of our lives. We use our phones to conduct banking, keep in touch with loved ones, and stay on top of work, among many other activities. Because of this, smartphones have become a target for attackers. By some estimates, 1 in every 5 smartphones has some form of malware installed.

Android devices have long been the favorite target of malware authors. Because of the fragmentation of the Android platform, with each manufacturer, such as Samsung, Motorola, HTC, and others, free to create its own variations, it is very difficult for Google to get Android users onto the latest version of the software, which is where the security patches ship. The most Google can do is release the latest software to its partners and wait for them to test it and push it to their customers. What’s worse, Motorola recently announced that it won’t commit to making monthly security patches available for its customers’ phones. In a statement, the company said “because of the amount of testing and approvals that are necessary to deploy them, it’s difficult to do this on a monthly basis.” If I owned a Motorola phone, it would have just gone in the trash. These problems aren’t limited to Android either. Windows Phone has long been vulnerable (but statistically irrelevant), and this past year has seen malware with names like XcodeGhost and AceDeceiver released for Apple’s iOS platform.
Where does this leave us? Vulnerable. We have to pay attention to what we’re installing and to the permissions each app asks for. We have to buy phones from manufacturers that commit to delivering security updates promptly. And from an enterprise perspective, we need to ensure mobile security is part of our risk assessment process.
Let’s focus on mobile security so the phrase “Catch ‘em all!” continues to refer to Pokémon, not malware.