Stop playing Pokemon GO now and fix this privacy hole [UPDATE]

Chris Burns - Jul 11, 2016, 2:44 pm CDT

Signing in to Pokemon GO with a Google account is not safe – not at the moment, anyway. Security researchers have discovered this morning that the app seeks (and is granted) an unusual amount of access to players’ Google accounts when they first sign up and in to the game. This access is unprecedented outside of Google’s own apps – there’s no good reason for Niantic to need this much access to your account. None we’ve heard yet, anyway.

Of note: we’ve sent a request for clarification to Niantic and are waiting to hear back. Stay tuned. Also of note: it does not seem to matter whether you’ve signed up for this app with Android or iOS at this point – this has to do with Niantic’s digital handshake with Google at login.

UPDATE: Niantic got back to us with this response and good news.

What happens when a player signs up for Pokemon GO with a Google account is odd. It’s not immediately apparent what you’ve done – and most players will likely go their entire life of playing this game without noticing what’s happened.

But the potential for mayhem is large.

Google’s account security settings are, thankfully, as open as they need to be to detect this sort of app permissions fiasco. Have a peek at the Google Security Settings page while logged in to your account and you’ll find a list of “Apps connected to your account.”

Find Pokemon GO on this list and click it or tap it.

You’ll find that this app has “Full account access” – it most certainly should not have this level of access.

[Image: Google’s description of Full Access]

Unless you’ve got some awfully odd apps on your list besides Pokemon GO, you might only have one or two that have Full Account Access, one of which will probably be Google Chrome.

The good thing is that you can remove Pokemon GO from the list (via the REMOVE button), and doing so seems to have no negative repercussions on gameplay. It’s likely Niantic uses this access to gather information on users and better understand its userbase, as is outlined in its Privacy Policy.

[Image: A segment of Niantic’s Privacy Policy for Pokemon GO]

Of note – the Pokemon GO app does not ask for full permission to your phone’s hardware. If you open your iPhone’s settings, for example, to find what the app has access to, you’ll find the following.

[Image: Pokemon GO permissions in iPhone settings]

Not a lot.

Location (while using the app), Motion and Fitness, and your camera. No big deal. It’s the Google business we’re worried about.

