The massively popular Pokémon Go game, released just a few days ago, obtains full access to a Google account when it’s chosen as an authentication option while setting up the app in iOS. Android is unaffected. While the iOS app also allows using a Pokémon Trainer Club account, the option to create a new club account is unavailable at this writing, apparently due to system overload.
Update: A Pokémon Go update is now available, which includes a fix for the Google account data access. After installing the update, the game will say that it has access to only your Google user ID and email address.
In a statement late Monday, the game’s developer, Niantic, said that it was an error to request that level of access, and the app only made use of a Google account’s name and associated email address. The firm is updating the app to reduce what permissions are requested, and said Google will automatically reduce its app permissions. Niantic’s complete statement appears at the end of the article.
Adam Reeve, a principal architect at analytics firm Red Owl, posted a warning on his personal blog on Friday about this Google account issue. Most apps request a minimum amount of account access (or “basic profile information,” as Google terms it) to provide a link, partly because of frequent blowback from users, pundits, and sometimes regulators when apps ask for too much.
Pokémon Go in iOS silently requests full access to a linked Google account.
Testing in iOS confirmed Reeve’s report: when the Google account option is selected, the app presents a standard Google in-app login, including requiring a second factor if that’s enabled. However, neither the app nor Google’s login process discloses that the app gains full access. Visiting a Google account’s Connected Apps & Sites page reveals the app’s access status. (In Android, authentication happens without granting that access, as confirmed in testing and by several Android users. Only local permissions for contacts, camera, and other features are granted, with a separate prompt for each.)
Revoking access doesn’t disable the app.
Access can be revoked without disabling the app, however. In the Connected Apps & Sites settings, click the Pokémon Go Release entry, click Remove, and then click OK. The game will continue to function, although it’s possible it may request authentication again at a later point.
Why this could be troubling
Full access allows an app or website to act effectively as if it were the account owner, including access to email, contacts, and Google Drive files. (A request to Google to clarify the extent of full access received no response.) Full access isn’t inherently a security flaw, but it does open Niantic’s users to risk should its systems be compromised either by an internal or external party. And it gives the company a rope by which it could hang itself, if it should choose to exercise this high level of access, such as sending Gmail on behalf of users.
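As an added example (not from the article, Niantic, or Google), here is a small Python check that compares the scopes a Google token actually carries, as reported in a tokeninfo-style response, against the minimal set an app claims to need; the sample response, the client id and the exact scope lists are constructed assumptions, not values captured from the game.

```python
"""Audit the scopes granted to an OAuth token against the minimal set an app
claims to need. Google's tokeninfo endpoint returns a JSON object whose "scope"
field is a space-separated list of granted scopes; the response below is
constructed for this example, not captured from the real app."""
import json

# Scopes the app says it needs: the account's email address and basic profile
# (name). Anything granted beyond this set is over-privileged.
NEEDED_SCOPES = {
    "openid",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

# Constructed tokeninfo-style response for an over-privileged grant.
SAMPLE_TOKENINFO = json.dumps({
    "aud": "example-client-id.apps.googleusercontent.com",  # placeholder
    "scope": " ".join([
        "openid",
        "https://www.googleapis.com/auth/userinfo.email",
        "https://www.googleapis.com/auth/userinfo.profile",
        "https://www.googleapis.com/auth/gmail.send",
        "https://www.googleapis.com/auth/drive",
    ]),
    "expires_in": "3599",
})


def granted_scopes(tokeninfo_json: str) -> set:
    """Parse a tokeninfo response and return the set of granted scopes."""
    info = json.loads(tokeninfo_json)
    return set(info.get("scope", "").split())


def excess_scopes(tokeninfo_json: str, needed: set = NEEDED_SCOPES) -> set:
    """Return scopes granted beyond what the app needs (an empty set is the goal)."""
    return granted_scopes(tokeninfo_json) - needed


def is_least_privilege(tokeninfo_json: str, needed: set = NEEDED_SCOPES) -> bool:
    """True only when every granted scope is in the needed set."""
    return not excess_scopes(tokeninfo_json, needed)


if __name__ == "__main__":
    # Flags gmail.send and drive: mail and file access the app never needed.
    for scope in sorted(excess_scopes(SAMPLE_TOKENINFO)):
        print("over-privileged scope:", scope)
```

The same comparison is what a user does by hand on the Connected Apps & Sites page; the excess set is what to revoke.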