Pokémon Go on iOS packs possible privacy problems, fix coming soon

By Scorpus
Jul 11, 2016
  1. Pokémon Go users on iOS have noticed a potentially devastating privacy issue when logging into the app using your Google Account. In what developer Niantic describes as an "error", the app gives itself full access to your Google Account when logging in, without informing you or asking for your permission.

    Typically, when apps use Google to sign in, they ask for just a small subset of permissions. An email app, for example, might ask to access contacts and send emails as this would be necessary for the app to work as advertised. There is rarely a need for an app to have full account access, which is what Pokémon Go gives itself on sign in.

    Full account access means that, theoretically, Pokémon Go could access your private photos, delete documents from Google Drive, access your search history, modify your account information, send emails and more. There are some things it can't do – like change your password, delete your account, or use Google Wallet – but this doesn't stop 'full access' being a dangerous permission to give an app.

    Developer Niantic released a statement moments ago that clarified what Google information Pokémon Go actually accesses. The company states that a "client-side fix" is in the works, although there's no word on when the update will be released. Niantic's full statement is below.

    We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.

    However, if you are worried about this privacy issue before the update is released, you can revoke Pokémon Go's account access from this page, and create a Pokémon Trainer Club account to use the app instead (although the site is under heavy load).

    Android users don't have to worry: Pokémon Go does have the ability to log in via a Google account, but it doesn't give itself full account access on the platform.

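The scope check described in the story, as an added example that is not code from Niantic, Google or the original post: it audits the scopes a sign-in client puts in an OAuth 2.0 authorization URL against a basic-profile allowlist, the kind of check that can run before a release ships. It assumes the client sends a standard authorization request with a `scope` parameter; the helper names, the placeholder client ID and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: the app needs only the user's ID and email address, as in
# Niantic's statement. These are Google's basic sign-in scopes.
BASIC_PROFILE_SCOPES = frozenset({
    "openid",
    "email",
    "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
})


def requested_scopes(auth_url):
    """Return the set of scopes named in an OAuth 2.0 authorization URL."""
    query = parse_qs(urlsplit(auth_url).query, keep_blank_values=True)
    scopes = set()
    # parse_qs decodes %20 and '+' to spaces; scope is a space-delimited list.
    for value in query.get("scope", []):
        scopes.update(value.split())
    return scopes


def audit_auth_request(auth_url, allowed=BASIC_PROFILE_SCOPES):
    """Compare requested scopes with the allowlist (hypothetical helper).

    Returns (ok, excess). A request with no scope at all is reported as not
    ok: the authorization server then applies a default or rejects the
    request (RFC 6749, section 3.3), so the client no longer states its need.
    """
    scopes = requested_scopes(auth_url)
    excess = sorted(scopes - allowed)
    return (bool(scopes) and not excess, excess)


# Constructed sample requests; the client_id is a placeholder.
BASE = ("https://accounts.google.com/o/oauth2/v2/auth"
        "?response_type=code&client_id=EXAMPLE_CLIENT_ID")
MINIMAL = BASE + "&scope=openid%20email"
BROAD = (BASE + "&scope=openid+email+https%3A%2F%2Fmail.google.com%2F"
         "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive")
NO_SCOPE = BASE

if __name__ == "__main__":
    for name, url in [("minimal", MINIMAL), ("broad", BROAD), ("none", NO_SCOPE)]:
        ok, excess = audit_auth_request(url)
        print(f"{name}: {'OK' if ok else 'REVIEW'} {excess}")
```
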

  2. psycros TS Evangelist Posts: 1,794   +1,201

    The big question that jumps to mind first is who's really to blame: Google or Apple. I strongly suspect it's both. Apple has no real incentive to protect Google's interests, even when it means leaving users of both companies' products exposed to unnecessary risk. We *know* how Google feels about your privacy - they'll do anything to get at your most sensitive info and sell it to anyone and everyone. The next questions that need to be asked are: "Did the Pokemon app really only collect email and username, and was there any kind of data-sharing deal between Niantic and Google?" As I alluded, Apple isn't blameless here. An app gained full access to the biggest collection of user accounts on Earth and there were apparently NO safeguards. Apple can't leave this unaddressed. Could an app have requested the same level of access to your iTunes account as well and gotten it?

  3. Kibaruk TechSpot Paladin Posts: 3,259   +878

    If it asks the user for FULL permission... why is it to blame a company when the user gives FULL permission?
