The popular Pokémon Go game raised major red flags for privacy and security advocates Monday, as security researcher Adam Reeve revealed Pokémon weren’t the only things captured by the app. For some users and their data, the app itself had gained some pretty epic Google account permissions — without their knowledge or consent.
According to Reeve, iOS users who signed up to play Pokémon Go with their Google Accounts unwittingly gave the app “full access” permission for the account. For most apps, Pokémon Go included, this level of access is unnecessary and poses a threat to both the users’ privacy and security.
Google's support pages describe full access as a powerful permission that allows the application to “see and modify nearly all information in your Google Account.”
Slack security engineer Ari Rubinstein dug into the issue further to discover just what “full access” means. According to Rubinstein, full access gives the Pokémon Go game a special token that on its own isn’t a problem – it’s what Pokémon Go uses to authenticate players’ usernames for logins. This token, however, can be exchanged with Google for an even fancier token called uberauth. With uberauth, the app gains the ability to open any of your Google properties (Gmail, Calendar, Google Docs, etc.) and do things like create or edit documents or read and send emails.
In a statement on the Pokémon Go support page, Niantic fully acknowledged the mistake, assuring users it is working with Google on a fix:
“We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.”
Users who still feel uneasy about Pokémon Go having full access to their accounts, however, do have options. By visiting the Google account security page and scrolling down to connected apps and sites, you can see which apps have full access to your Google Account. If Pokémon Go is one of them, simply click the Manage Apps button, click on Pokémon Go and press the “Remove” button. This will remove all permissions for your Google account.
You won’t be able to access your progress on your old account if you do this, but you can wait until Google updates the privacy settings and return to the game once you’re comfortable. In the meantime you can create a new account through Pokémon Trainer Club or a dummy Gmail address, but the progress won’t sync up if you return to your original login.
If you are an iOS Pokémon Go player and used your Google account to sign up for the game, this news is likely disconcerting. However, according to Security Mouse Lab founder and researcher Don Bailey, users can rest in relative ease.
“Google has and continues to verify that Niantic has not abused its access to Google user’s accounts,” Bailey told Newsweek. “Google isn’t a stupid company. They have exceptional security engineers and have set up a strict permissions model and system for monitoring application abuses. If Google is backing Niantic’s claim that no abuses have occurred, I believe them.”
Originally published as "Here's what Pokémon Go players should know about Google permissions" on www.newsweek.com, July 12, 2016.