
Pokefan Alert—augmented reality apps like Pokémon Go are rooted in the REAL WORLD (not a virtual one)—a real world with many very real dangers.
Pokémon Go players are walking into traffic, being lured into remote locations to be robbed, and last (but in no way least), they’re being duped into using counterfeit (tampered) Pokémon Go apps.
What’s the harm? The “Gucci” handbag I bought off the street doesn’t seem like a threat.
Given the central role of mobile devices in every aspect of our lives, counterfeit apps, like counterfeit medications or car parts, pose a significant threat to public and personal safety. A mobile app with malware can take over your phone, your credentials, and your identity (way more toxic than a handbag with a fake fashion logo)—and, when considering something as wildly popular as Pokémon Go, mobile apps are also at least as lucrative a target for cutthroat criminals.
This is not a hypothetical—researchers at Proofpoint have already found hacked versions of Pokémon Go on Android—and there’s no reason to believe that there’s not an all-out race within the criminal hacker community to exploit the tremendous popularity of this (and any other) wildly popular app.
It’s actually not too difficult to avoid counterfeits. Do not be tempted to side-load Pokémon Go directly from a download; do not be tempted to go to a secondary app marketplace (other than Google Play or the iStore)—even if you’re in a region where Pokémon Go hasn’t been officially released. It’s simply not worth it.
You cannot passively ignore the responsibility that comes with any success that may come your way – the more popular (or mission-critical from a business perspective) your work becomes, the more attractive your code becomes to attackers. If Willie Sutton were alive today, he wouldn’t rob banks; he’d be a hacker “because that’s where the money is.”
Application security and risk management (being a part of the “real world”) are not much different from any other flavor of security and risk management—to be effective, security controls need to be proportionate, layered, and consistently applied.
For consumer apps like Pokémon Go (and line-of-business apps, too), this means understanding how hackers attack and setting up material obstacles at every turn—impeding (if not deterring) exploits and (when attacks succeed, as they will from time to time) enhancing prosecution and punishment.
I have no personal knowledge of the precautions the authors of Pokémon Go have taken during their development process, but let’s hope they have implemented a layered approach designed to halt, delay, or at least discourage a would-be hacker at every step in their journey.
The following graphic outlines a typical Android hacker’s journey; the steps they will likely take on one side and the traps and controls that can trip them up on the other, such as Android obfuscation and anti-tamper technologies.

Whether for selfish reasons (you don’t want to be the guys whose app screwed everything up), ethical obligations (you know that you owe it to your user community), or legal risk (the courts are far from settling what kind of liability comes with deploying unsafe software ripe for exploitation), there can be no doubt: app owners must bake effective risk management and security controls (DevSecOps) into every facet of their application’s lifecycle, from design through deployment and deprecation.
For more information on managing application risk and securing intellectual property across mobile, on-premises, and cloud-based development investments, contact solutions@preemptive.com or visit DashO.