Pokémon GO gets full access to players’ Google account

Pokémon GO, the mobile augmented reality game that has become hugely popular in record time, brings with it a lot of unexpected dangers.

Its popularity has been exploited by malware peddlers and scammers, but the game’s creators (Niantic Labs) have also inadvertently put users’ security and privacy at risk by failing to limit the permissions the app receives when users sign into it with their Google account.

The problem was first spotted by Adam Reeve.

After downloading and running the game, he was asked to log in. As he couldn’t create a separate account for it at the time, the only other option was to log in with his Google account, so he did.

The app did not note which permissions it asks, but Reeve proceeded anyway. After he logged in, he went to check which permissions the app was granted, and was shocked to see that it received full access to his Google account.

This means that the app, and the company behind it could read his emails and send emails in his name, access his search history, all the documents in his Google drive, photos in Google Photos, etc.

“What’s more, given the use of email as an authentication mechanism (think ‘Forgot password’ links) they now have a pretty good chance of gaining access to your accounts on other sites too,” he noted.

He posited that this situation was the result of “epic carelessness,” and not an attempt by the company to actually access players’ Google accounts.

Niantic effectively confirmed his theory with a public statement, saying that the problem was only found in the iOS version of the game, but made sure to note that the game only accesses players’ Google user ID and e-mail address.

“Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google account information, in line with the data we actually access,” they explained. “Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.”

With that problem out of the way, users still might want to know what information the app collects about them.

If they went through the game’s Privacy Policy carefully, they might already known, but too few users actually do that.

BuzzFeed reporter Joseph Bernstein has helpfully read through it and summarized the information.

“According to the Pokémon Go privacy policy, Niantic may collect – among other things – your email address, IP address, the web page you were using before logging into Pokémon Go, your username, and your location,” he noted.

“It also may share this information with other parties, including the Pokémon Company that co-developed the game, ‘third-party service providers,’ and ‘third parties’ to conduct ‘research and analysis, demographic profiling, and other similar purposes.’ It also, per the policy, may share any information it collects with law enforcement in response to a legal claim, to protect its own interests, or stop ‘illegal, unethical, or legally actionable activity.'”

This should not come as a surprise, as most mobile/location apps collect similar info, and through the Privacy Policy legally regulate the sharing of this data with other parties and law enforcement.