
MacRumors

macrumors bot
Original poster
Apr 12, 2001



Pokémon Go is experiencing a momentous launch week, with an estimated 7.5 million downloads and nearly as many daily active Android users as Twitter in the United States. The rollout has not been entirely smooth, however, as the game has indirectly been at the center of crimes, robberies, and even car accidents.

Pokémon Go has full access to your Google account (Image: Ars Technica)

Now, an even bigger potential concern has arisen, as systems architect Adam Reeve has discovered that Pokémon Go grants full access to a user's Google account linked during the iOS sign-up process. Players can alternatively link a Pokemon.com account, but the website is currently experiencing issues for many users.


When granted full account access, Pokémon Go developer Niantic is theoretically capable of viewing and modifying nearly all information stored in your Google account, including your Gmail messages, Google Drive documents, Google Maps navigation history, search history, and personal photos stored on Google Photos.
"Now, I obviously don't think Niantic are planning some global personal information heist. This is probably just the result of epic carelessness. But I don't know anything about Niantic's security policies. I don't know how well they will guard this awesome new power they've granted themselves, and frankly I don't trust them at all. I've revoked their access to my account, and deleted the app. I really wish I could play, it looks like great fun, but there's no way it's worth the risk."
It remains unclear what information, if any, Niantic is actually collecting from users, but the permissions are concerning given the company's history.

Niantic was formed by Keyhole founder John Hanke in 2010 as an internal startup at Google, until it was spun out as an independent entity in October 2015. Google then partnered with The Pokémon Company and Nintendo to invest up to $30 million in Niantic, so it has a remaining interest in the company.

Google is known to collect and track data from its users, fueling the privacy and security concerns. Niantic told Ars Technica that it has "no comment to share at the moment" about the issue, prompting some players to uninstall the game until the potential privacy implications are addressed.


Pokémon Go is available as a free download on the App Store [Direct Link] in the United States, Australia, and New Zealand, but anyone can install the app now with a U.S. iTunes account. The game is expected to expand to the U.K. and additional countries in the near future. Read more about Pokémon Go here.

Update: Niantic tells The Verge that the company did not intend to request full Google account access and will issue a client-side fix to reduce the number of permissions.
"We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user's Google account. However, Pokémon Go only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go's permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves."

Article Link: Concerns Arise Over Pokémon Go Granting Full Access to Players' Google Accounts [Update: Fix Incoming]
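
The gap described above, between what a sign-in flow requests and the basic profile data the app actually uses, can be caught before release by auditing the request itself. The following is an added example, not code from the article, Niantic or Google. It assumes a standard OAuth 2.0 authorization request with a `scope` parameter (the page does not say how the app's request was built); the allowlist, client ID and redirect URI are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed allowlist: scopes covering basic profile data (user ID and email).
BASIC_SCOPES = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

# Two well-known broad Google scopes, mapped to the data they expose.
BROAD_SCOPES = {
    "https://mail.google.com/": "Gmail messages",
    "https://www.googleapis.com/auth/drive": "Google Drive documents",
}


def requested_scopes(auth_url):
    """Return the set of scopes in an OAuth 2.0 authorization request URL."""
    query = parse_qs(urlsplit(auth_url).query)
    # scope is one space-delimited string (RFC 6749, section 3.3).
    return set(" ".join(query.get("scope", [])).split())


def audit(auth_url, allowed=BASIC_SCOPES):
    """Return (ok, findings); every scope outside the allowlist is a finding."""
    excess = sorted(requested_scopes(auth_url) - set(allowed))
    findings = [f"{s}: {BROAD_SCOPES.get(s, 'not in allowlist')}" for s in excess]
    return (not excess, findings)


# Constructed sample requests (hypothetical client_id and redirect_uri).
BASE = ("https://accounts.google.com/o/oauth2/v2/auth?response_type=code"
        "&client_id=EXAMPLE_CLIENT_ID&redirect_uri=https%3A%2F%2Fapp.example%2Fcb")
OVERBROAD = BASE + "&scope=openid%20email%20https%3A%2F%2Fmail.google.com%2F"
MINIMAL = BASE + "&scope=openid+email"

if __name__ == "__main__":
    for name, url in (("overbroad", OVERBROAD), ("minimal", MINIMAL)):
        ok, findings = audit(url)
        print(name, "PASS" if ok else "FAIL", findings)
```

Run as a build or review gate, a check like this fails the sign-in configuration whenever a scope beyond the allowlist appears in the request.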
 
This is poor development. I know that deciding which permissions they'll need would take some time, but the amount of data that they now have access to is beyond ridiculous; there are really no excuses in my opinion, as there's no valid reason for their access to Gmail, Photos and Drive, even if it's just potential access.
 
I figured that most people have more than one google account. One for "real life" and others for stuff like this.

I really think you're overestimating the general public. Pretty much everyone I know would just accept the conditions without reading them, and I don't know anyone with multiple accounts. If the developer had malicious intent, they'd have a lot of power right now.
 
The real risk is in giving so much personal information to a company in the first place, whether it's Google, FB or even Apple.

Search, messages, photos, my exact whereabouts 24/7/365, contacts, calendar... anyone who fully trusts Google with all of that personal data is playing with fire. Even if Google has good intentions, there are plenty of people/groups that don't.

And anyone who says they have nothing to hide hasn't seen their own data.
 
People realized that yesterday, and most don't care.
Mine shows the usual restricted access.

Comments on the Ars Technica article seem to indicate it might be a bug - inheriting permissions if you have other Niantic games installed (as I do - Ingress). http://arstechnica.com/gaming/2016/...ull-access-to-your-google-account/?comments=1 Interesting.

You're correct by saying that most people don't / won't care.

Edit: Deleting Ingress in my Google Account permissions and signing back into the app - it's set to Basic now.

I deleted Pokemon Go - readded and it, without asking, gave Pokemon Go full account access.
 
Guess what, boys and girls. Google and Niantic don't give a @#$! about you as an individual. Niantic might find out that Home Depot sends you a lot of spam, but that's pretty much it. None of us are big enough fish to matter to Niantic as people.
 
This. People should be doing this. Use fake info too.

While a good practice, the problem is that Google can ID you if you log in from the same IP you access your general Google account from, linking your 'alias' with your primary Google account. Other methods of tracking you include HTTP referrer, cookies... even your browser's unique 'fingerprint.'
 
I figured that most people have more than one google account. One for "real life" and others for stuff like this.
Yes, I'm sure many of the savvy tech forum browsers (including myself) are knowledgeable enough to know to set up multiple throwaway accounts; however, I reckon the vast majority of Gmail users use one account for all purposes.

Edit: Further to this - Yesterday, Nintendo's shares sky-rocketed by 25% due to the success of Pokemon Go. It will be very interesting to see what happens once this story breaks in mainstream media...
 
I care less about my Google accounts; they're all junk anyway, mostly for when I'm forced to sign up with email. What else can you hide anyway? Once you start using the internet, social media and forums, there's nothing to hide.
 
While a good practice, the problem is that Google can ID you if you log in from the same IP you access your general Google account from, linking your 'alias' with your primary Google account. Other methods of tracking you include HTTP referrer, cookies... even your browser's unique 'fingerprint.'
It is not Google you would be hiding from. It is all the companies that want access to your google data for no good reason.
 