Pokemon Go players should be aware of security concerns, but don’t need to panic and ditch their phones just yet.
Pokemon Go is at the centre of a bit of an Internet furore today, after concerns were raised about its app permissions on iOS.
The drama hinges on the fact that some, but not all, iOS Pokemon Go players have had to grant the app “full account access” to their Google identities in order to play. That seems an excessive permission for an AR game, and people started to get very worried after Adam Reeve, an employee of information security firm RedOwl, wrote a blog post suggesting the app was able to read your email, send email as you, access and delete your Google Drive documents, look at your search and Maps history, and access all your Google Photos files.
Clearly, Pokemon Go developer Niantic would have no justification for opening such an enormous security and privacy hole for a location-based game like Pokemon Go; even if you trust the developer not to look at or use your data, that kind of access would be a huge liability should Niantic itself be breached. The thing is: it looks like it hasn’t done so.
Speaking to Gizmodo, Reeve said he was not 100% sure about the claims he’d made and has never built an app requiring Google permissions; he inferred those capabilities from Google’s description of “full account access”, which makes no mention of any such activities.
The site then contacted Trail of Bits CEO and cybersecurity expert Dan Guido, who said that a lot of what Reeve had claimed might be wrong. He passed on a statement from Google explaining what “full account access” means, which confirms it does not grant the permissions described above.
“Specific actions such as sending emails, modifying folders, etc, require explicit permissions to that service (the permission will say ‘Has access to Gmail’),” Google said.
The full report is really worth a read if you’re worried about app security and Pokemon Go. I’d also suggest taking a look at what apps you’ve already granted similar access to; many apps and games have hefty permissions requirements, and full account access is not that uncommon. Google lists everything with access to your account, and lets you revoke it, on the permissions page of your account settings (myaccount.google.com/permissions). Many of us just click through the consent screen without reading it at all, which is bad practice.
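The mechanism behind Google’s explanation is that a client decides how much access to ask for through the `scope` parameter of its OAuth authorization request, and a token only ever carries the scopes it was granted. The short script below, which is an added example and not code from Niantic, Google or the original article, shows the two sides of that: building a sign-in request that asks only for a user ID and email address (the `openid` and `email` scopes), and auditing a token’s granted scopes for anything beyond that. The client ID, redirect URI and tokeninfo JSON are constructed placeholders; the scope strings and endpoint URLs are Google’s real ones.

```python
"""Minimal Google OAuth scope request, plus an audit of granted scopes.

Added example. Client IDs, redirect URIs and the sample tokeninfo payload
are constructed; no real account or token is involved.
"""
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Google's OAuth 2.0 authorization endpoint, and the two OpenID Connect
# scopes that yield only a stable user ID ("openid" -> the `sub` claim)
# and the account's email address ("email").
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
BASIC_PROFILE_SCOPES = ("openid", "email")

# Per-service scopes that a sign-in-only app has no reason to request.
# Used below purely as examples of over-privilege.
GMAIL_SEND_SCOPE = "https://www.googleapis.com/auth/gmail.send"
DRIVE_SCOPE = "https://www.googleapis.com/auth/drive"


def build_auth_url(client_id: str, redirect_uri: str, scopes, state: str) -> str:
    """Build the authorization URL the client sends the user to.

    `scope` is the only place the client decides how much access it asks
    for; the other parameters are standard authorization-code flow plumbing.
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,  # CSRF token bound to the user's session
    }
    return f"{GOOGLE_AUTH_ENDPOINT}?{urlencode(params)}"


def requested_scopes(auth_url: str) -> set:
    """Extract the space-separated scope list from an authorization URL."""
    query = parse_qs(urlparse(auth_url).query)
    return set(query.get("scope", [""])[0].split())


def excess_scopes(held, needed) -> list:
    """Return the scopes in `held` that go beyond `needed`, sorted."""
    return sorted(set(held) - set(needed))


def excess_from_tokeninfo(tokeninfo_json: str, needed) -> list:
    """Audit a tokeninfo response for scopes the app should not hold.

    Google's tokeninfo endpoint (https://oauth2.googleapis.com/tokeninfo)
    reports a token's granted scopes as a space-separated `scope` field.
    """
    info = json.loads(tokeninfo_json)
    return excess_scopes(info.get("scope", "").split(), needed)


# Constructed sample of a tokeninfo response for a token granted far more
# than sign-in needs. Every value here is made up.
SAMPLE_TOKENINFO = json.dumps({
    "azp": "example-client-id.apps.googleusercontent.com",
    "aud": "example-client-id.apps.googleusercontent.com",
    "sub": "110169484474386276334",
    "scope": f"openid email {GMAIL_SEND_SCOPE} {DRIVE_SCOPE}",
    "expires_in": "3599",
    "email": "trainer@example.com",
    "email_verified": "true",
})


if __name__ == "__main__":
    # The corrected request: only the scopes sign-in actually needs.
    url = build_auth_url("example-client-id", "https://example.test/callback",
                         BASIC_PROFILE_SCOPES, "random-state-value")
    print("requested:", sorted(requested_scopes(url)))

    # An over-broad request is caught before it is ever shown to a user.
    too_broad = build_auth_url("example-client-id", "https://example.test/callback",
                               BASIC_PROFILE_SCOPES + (GMAIL_SEND_SCOPE,), "s")
    print("excess in request:", excess_scopes(requested_scopes(too_broad), BASIC_PROFILE_SCOPES))

    # Auditing a token that has already been issued.
    print("excess on token:", excess_from_tokeninfo(SAMPLE_TOKENINFO, BASIC_PROFILE_SCOPES))
```

The audit is deliberately an allow-list: anything not in `needed` is flagged, so a newly added per-service scope shows up without the check having to know about it in advance. This is the same shape as the client-side fix Niantic describes, narrowing the request to basic profile data, except applied as a check rather than trusting the request string by eye.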
Pokemon Go has also raised concerns about location tracking data – every time you use the app, you’re adding to Niantic’s history of your movements. That’s also true of most location-based apps, of course, and of pretty much everything you do on the Internet; unless you’re unusually careful with your privacy and security settings, Google or Apple or both probably know more about you than you do. Isn’t this fun?
Update: Niantic has issued a statement on the matter saying the request for full account access is an error and will be fixed. Per Kotaku:
We recently discovered that the Pokemon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokemon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokemon GO’s permission to only the basic profile data that Pokemon GO needs, and users do not need to take any actions themselves.
Update 2: The Google permissions update has been applied for iOS users, as promised by Niantic. Update 1.0.1 also fixes an issue where trainers needed to enter their username and password repeatedly after a forced log-out. The Pokemon Trainer Club account log-in process has also been stabilized.
A crash issue has also been solved, but the main takeaway is that the team “fixed the Google account scope.” The update doesn’t seem to be live on Google Play just yet as far as we can tell, but it is noted on the App Store. Thanks, Engadget.