Pokémon Go sideloading could be ticking time bomb
July 21, 2016
Don Duncan, NuData sales engineer
The introduction of the popular Pokémon Go mobile app has had many unintended consequences in the world of security this month. This is a hugely popular app that crosses multiple demographics and geographies, with everyone from curious kids to nostalgic adults installing it. It is this popularity that makes it such a tempting target and could make it a great vehicle for hackers aiming to harvest data once sideloaded, compromised versions are in use. It’s this precise scenario that has many security experts worried. Unlike the OPM breach, where data was harvested from a central location, this data could come directly from the user.
Application stores typically perform security reviews of all apps. Due to high demand from users, this Pokémon Company app is being deployed at a staggered pace across the globe. As an example, Japan’s release was postponed today because of the server capacity anticipated to meet the demand being driven by the partnership tie-ins with McDonald’s 3,000 restaurants. Canada only gained access to it in the past week.
Its very popularity makes it inevitable that many users will bypass application stores and install the Pokémon Go app themselves from less reputable sites, without knowing how trustworthy their copy of the application is. There are already reports of suspect Pokémon Go APKs (the package file format used for installing Android mobile apps and middleware), including a recently discovered backdoored (sideloaded) version on Android carrying DroidJack that requests additional application permissions. This is concerning because many users typically do not question the rights these mobile applications ask for when they install them. And they definitely should, especially when downloading from sites not associated with a reputable application store.
These sideloaded versions with additional permissions can provide access to your SMS messages, contacts, and much of the personal or networked information on your phone. The potential is practically a ‘green field’ for data harvesting. It should be noted that, although no Pokémon Go exploit has yet been linked to such an attack, it can, and likely will, become a means for future ATO (account takeover) attacks once the harvested data is processed.
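As an added example (not from the original post or NuData), here is a defender-side check for the permission creep described above: it diffs the permissions a sideloaded APK declares against those of the store copy, as listed by `aapt dump permissions`, and flags additions that reach SMS, contacts or the microphone. The package name, both permission lists and the high-risk set are constructed placeholders, not those of Pokémon Go or any real APK; the only assumption about tooling is the `uses-permission:` line format that aapt prints.

```python
import re

# Constructed sample in the shape printed by `aapt dump permissions <apk>` for
# a game obtained from an official application store. The package name and the
# permission lists are placeholders, not those of any real app.
STORE_DUMP = """\
package: com.example.catchgame
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.CAMERA'
"""

# Constructed sample for a repackaged copy of the same game from a third-party site.
SIDELOADED_DUMP = """\
package: com.example.catchgame
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
"""

# Permissions that hand an app the personal data the post worries about
# (messages, contacts, microphone, call records, device identity). Chosen for
# this example; tune the set to your own policy.
HIGH_RISK = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_PHONE_STATE",
}

# Matches both `uses-permission: name='X'` (newer aapt) and `uses-permission: X` (older aapt).
PERM_RE = re.compile(r"^uses-permission:\s*(?:name=')?([A-Za-z0-9_.]+)'?")
PKG_RE = re.compile(r"^package:\s*([A-Za-z0-9_.]+)")


def parse_dump(dump: str):
    """Return (package_name, set_of_permissions) parsed from aapt-style dump text."""
    package = None
    perms = set()
    for line in dump.splitlines():
        line = line.strip()
        m = PKG_RE.match(line)
        if m:
            package = m.group(1)
            continue
        m = PERM_RE.match(line)
        if m:
            perms.add(m.group(1))
    return package, perms


def compare_permissions(store_dump: str, candidate_dump: str) -> dict:
    """Diff a candidate APK's declared permissions against the store copy's."""
    store_pkg, store_perms = parse_dump(store_dump)
    cand_pkg, cand_perms = parse_dump(candidate_dump)
    added = cand_perms - store_perms
    return {
        "package_match": store_pkg == cand_pkg,
        "added": added,
        "removed": store_perms - cand_perms,
        "high_risk_added": added & HIGH_RISK,
    }


def verdict(result: dict) -> str:
    """Collapse the diff into a one-word verdict a triage script can act on."""
    if not result["package_match"]:
        return "REPACKAGED"  # different package id: not the same app at all
    if result["high_risk_added"]:
        return "SUSPICIOUS"  # new permissions that reach personal data
    if result["added"]:
        return "REVIEW"  # extra permissions, but none in the high-risk set
    return "MATCH"


if __name__ == "__main__":
    res = compare_permissions(STORE_DUMP, SIDELOADED_DUMP)
    print("verdict:", verdict(res))
    for perm in sorted(res["added"]):
        print(f"  +{perm} ({'HIGH RISK' if perm in HIGH_RISK else 'extra'})")
```

The manifest diff catches the crude case the post describes, an extra READ_SMS or READ_CONTACTS bolted onto a repackaged game. It says nothing about code that abuses permissions the genuine app already holds, so in practice pair it with a signer check (for example `apksigner verify --print-certs`): a repackaged APK cannot carry the original developer's signing certificate.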
In a world where sites, web or mobile, rely on the standard user ID/password combination to unlock an account, this type of harvesting has profound implications. Where these devices are used not only for personal but also for business purposes, it adds the kind of risk to the network that IT security professionals lose sleep over.
However, the good news is that account credentials simply don’t have to matter in a world where access can be denied even to someone holding the right keys, including stolen ones. Passive behavioral biometric analysis cuts the legs out from under hackers who invest so much time in getting credentials, because it uses the whole range of online behavior as the key, not just a single-point username/password or geolocation.
Bad guys can’t replicate a genuine user’s behavior and will be flagged as suspicious: denied! Behavioral biometrics (BB) use our own natural, intricate, and multifaceted online interactions, which can work in our favor to prove who we are without divulging any personal data. Our accounts can be locked down, and even if the bad guys do get our personal data, it’s worthless to them.