Unless you've been living under a rock, you've probably heard something about the latest mobile gaming phenomenon, Pokemon Go.
Pokemon Go is an augmented reality game where players wander the streets in real life looking for little monsters to appear on their smart phone screens.
I've been following the stats on the meteoric growth for the past few days, but it wasn't until last night that I caught on to just how big of a deal this craze has become. I was walking down the street and saw ~50 people walking aimlessly while staring at their phones. I glanced over a few shoulders and yes, they were all playing Pokemon.
So I decided to have a go myself to see what all the fuss was about. I signed up for the app and the first thing I noticed was that the only option for sign up was using a Google account. I proceeded to do so, but was also curious about the level of permission that the app requests. As it turns out, it requests Full Access to your Google account. This means that as soon as you connect to Pokemon Go, they can access/read/write/send all of your emails, photos, calendar, contacts and files.
Why is this a concern?
The big issues here are:
- The game is growing so fast that in its first week it has grown bigger than Tinder and it's on track for more daily users than Twitter.
- You can only sign in with Google
What this means is that you have massive adoption for an app - not just at tech early adopter level - and it's highly likely that many people will sign in with their Google Apps for Work account.
If you're a Google Apps administrator this is your worst nightmare. You now have an untrusted app with full access to files, email, contacts, etc. inside your organization.
How do I detect if anyone has installed it?
As a Google Apps administrator you can monitor Third Party apps that have been granted access to your Google account.
It's slightly tedious, but to do this you go to your Google Apps Admin console and select "Users". Then select one of your users, click the menu section for "Security" and look for the "Authorized access" section.
If the user has authorized Pokemon Go you will see it in this list.
At this point, if you are seeing Pokemon Go I would recommend clicking the "Revoke" link. This will remove access immediately and cut off any access that the Pokemon servers have to your data.
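The per-user check above, scripted as an added example (not from the original post and not ThisData's code): it takes each user's third-party grants in the shape the Admin SDK Directory API returns from `tokens.list` and reports which users authorized an app whose name contains a search term. The sample data, client IDs and scope placeholder are constructed, and fetching the lists from the live API is left out so the block runs offline.

```python
from collections import defaultdict

# Constructed sample: per-user token lists shaped like the "items" array of an
# Admin SDK Directory API tokens.list response. All values are made up.
SAMPLE_TOKENS = {
    "alice@example.com": [
        {"clientId": "1111.apps.example", "displayText": "Pokemon Go",
         "scopes": ["https://example.invalid/placeholder-full-access"]},
        {"clientId": "2222.apps.example", "displayText": "Calendar Sync",
         "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    ],
    "bob@example.com": [
        {"clientId": "1111.apps.example", "displayText": "POKEMON GO",
         "scopes": ["https://example.invalid/placeholder-full-access"]},
    ],
    "carol@example.com": None,   # user with no grants: "items" is absent
    "dave@example.com": [{"clientId": "3333.apps.example"}],  # no display name
}


def app_inventory(tokens_by_user):
    """Group grants by client ID: which users authorized each app, with what scopes."""
    apps = defaultdict(lambda: {"name": "", "scopes": set(), "users": set()})
    for user, tokens in tokens_by_user.items():
        for tok in tokens or []:
            app = apps[tok["clientId"]]
            app["name"] = app["name"] or tok.get("displayText", "")
            app["scopes"].update(tok.get("scopes", []))
            app["users"].add(user)
    return dict(apps)


def grants_matching(tokens_by_user, needle):
    """Return sorted (user, clientId) pairs whose app name contains `needle`."""
    needle = needle.casefold()
    hits = []
    for client_id, app in app_inventory(tokens_by_user).items():
        if needle in app["name"].casefold():
            hits.extend((user, client_id) for user in app["users"])
    return sorted(hits)


if __name__ == "__main__":
    for user, client_id in grants_matching(SAMPLE_TOKENS, "pokemon"):
        # Each pair is one revocation: tokens.delete(userKey=user, clientId=client_id)
        print(f"revoke {client_id} for {user}")
```

Grouping by client ID rather than by display name keeps every grant of one app together even when the name is shown differently for different users.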
Is there a faster way?
So that process was a little tedious, but can you imagine doing it for every user in your account? Oh, and you should probably do it every day for the next few weeks as the growth of this app doesn't appear to be slowing down.
This is where Google Apps & Google Drive monitoring platforms like ThisData really start to shine. If you sign up for a ThisData account we will scan your Google Apps for Work account and extract all of the users and all of the Third Party (aka ShadowIT) apps that have been granted access.
You will be able to simply search for 'Pokemon' in the Apps tab and see exactly which of your users have allowed this app.
Once again, if Pokemon Go is showing up in your ThisData account I would recommend that you shut down access immediately. However, this time around it's one click, one kill. Simply click the "Revoke Access for Everyone" button.
I can't tell you why Google has not enabled a feature like this; it saves an immense amount of time and provides significant security value.
If you want to scan your Google Apps for the evil Pokemon you can try ThisData for Free by signing up here.