Updated: Playing Pokémon Go Comes With a Big Security Risk
Update 2 (July 12): A new update to Pokémon Go has arrived on the App Store. Version 1.0.1 fixes the access issue and offers other small fixes.
Update: In a statement to Ars Technica, Niantic says that no other data besides basic account information has been accessed and that a future update will completely fix the issue:
“We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon Go only accesses basic Google profile information (specifically, your user ID and e-mail address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google account information, in line with the data we actually access. Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go’s permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves.”
Original Story:
In just a few days, Pokémon Go has apparently become bigger than anything – including porn – on the Internet. But there seems to be a significant security risk for anyone playing with their Google credentials.
Full access
First discovered by Adam Reeve of security firm RedOwl: anyone who signs in to the game with a Google account grants Niantic and the game itself full access to that account, not just the basic profile details a login needs.
Here’s more from Reeve’s blog post:
Let me be clear – Pokemon Go and Niantic can now:
Read all your email
Send email as you
Access all your Google drive documents (including deleting them)
Look at your search history and your Maps navigation history
Access any private photos you may store in Google Photos
And a whole lot more
What’s more, given the use of email as an authentication mechanism (think “Forgot password” links) they now have a pretty good chance of gaining access to your accounts on other sites too.
And they have no need to do this – when a developer sets up the “Sign in with Google” functionality they specify what level of access they want – best practices (and simple logic) dictate you ask for the minimum you actually need, which is usually just simple contact information.
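The minimum-access request Reeve describes, as an added example that is not from the article, from Reeve’s post, or from Niantic’s client: a “Sign in with Google” authorization URL that asks only for the OpenID Connect login scopes, and a scope audit that flags anything beyond them. The Google authorization endpoint and the scope URIs are real; the client ID, redirect URI, state value and the sample tokeninfo response are constructed for illustration, and nothing here reproduces how the game’s own client made its request.

```python
"""Added example, not code from the article, Reeve's post or Niantic:
request only the scopes a login needs, and audit what was granted."""
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Real Google OAuth 2.0 authorization endpoint.
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# Everything a "sign in" flow needs: an ID token plus e-mail and basic
# profile. None of these read mail, Drive, Photos or history.
MINIMAL_SCOPES = ("openid", "email", "profile")

# Scope families that let an app act on the account itself (read or send
# mail, touch Drive or Photos). A login flow should never request these.
HIGH_RISK_SCOPE_PREFIXES = (
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/photoslibrary",
)


def build_auth_url(client_id, redirect_uri, state, scopes=MINIMAL_SCOPES):
    """Authorization URL requesting exactly `scopes`. `state` must be an
    unguessable per-session value that the callback checks (CSRF defence).
    client_id / redirect_uri are whatever you registered with Google."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,
    }
    return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params)


def requested_scopes(auth_url):
    """Pull the scope list back out of an authorization URL, e.g. one
    captured from a client you did not write."""
    query = parse_qs(urlparse(auth_url).query)
    return tuple(query.get("scope", [""])[0].split())


def granted_scopes_from_tokeninfo(body):
    """Google's tokeninfo endpoint reports granted scopes as a single
    space-separated "scope" string; return them as a tuple."""
    return tuple(json.loads(body).get("scope", "").split())


def audit_scopes(granted, needed=MINIMAL_SCOPES):
    """Return (excessive, high_risk): every granted scope beyond `needed`,
    and the subset of those that reach mail, Drive or Photos."""
    excessive = [s for s in granted if s not in needed]
    high_risk = [s for s in excessive if s.startswith(HIGH_RISK_SCOPE_PREFIXES)]
    return excessive, high_risk


# Constructed sample (not a real response): what tokeninfo would show for
# a client that was granted far more than a login needs.
SAMPLE_TOKENINFO = json.dumps({
    "aud": "example-client-id.apps.googleusercontent.com",
    "scope": "openid email profile https://mail.google.com/ "
             "https://www.googleapis.com/auth/drive",
    "expires_in": 3599,
})


if __name__ == "__main__":
    url = build_auth_url("example-client-id.apps.googleusercontent.com",
                         "https://example.com/oauth/callback",
                         "random-per-session-state")
    print("Requesting:", requested_scopes(url))
    excessive, high_risk = audit_scopes(
        granted_scopes_from_tokeninfo(SAMPLE_TOKENINFO))
    print("Excessive scopes:", excessive)
    print("High-risk scopes:", high_risk)
```

The audit side is the check a reviewer would run against a third-party client: capture the authorization request it sends (or inspect the token it receives) and compare the scope list against what the app can justify. A login that comes back with mail or Drive scopes is over-privileged regardless of what the developer intended.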
That’s definitely a big cause for concern. For comparison, Niantic’s first game, Ingress, only requests basic Google account access.
Currently, signing in with a Google account is the only working way to play the game. The game does offer a sign-in with a Pokémon Trainer Club account, but anyone who tries to use it is given an error message.
If you're concerned
Unfortunately, there’s not much you can do if you want to start playing the game or continue catching Pokémon.
If you want to revoke the game’s access to your Google account, open your Google Account settings (myaccount.google.com), then select “Connected apps & sites” under the “Sign-in & security” section and remove Pokémon Go from the list. Bear in mind that the game will ask for the same access again the next time you sign in with Google.
I agree with Reeve that the security issue is probably more due to carelessness than actual bad intent by Niantic. But hopefully the company will address the issue soon, especially with it becoming so popular.