PSA: Pokemon Go Has Full Access To Your Google Account Data (techcrunch.com)
An anonymous reader writes: If you're an iPhone user and have installed Pokemon GO, you may have noticed that the app grants itself full access to your Google account. It can read your email, location history, documents and pretty much everything else associated with your Google account. (You can check to see for yourself here.) Given the nature of the game, it's understandable for it to request a lot of permissions, as it needs your precise location, ability to access the camera and motion sensors, read and write the SD card, and charge you money when you run out of Pokeballs or eggs. But full access to your Google account is pushing it, even if Niantic or Nintendo has no malicious intentions. If you're concerned about these permissions, you can always sign up using a Pokemon Trainer account, assuming the servers are permitting. Google describes full account access as such: "When you grant full account access, the application can see and modify nearly all information in your Google Account (but it can't change your password, delete your account, or pay with Google Wallet on your behalf). This 'Full account access' privilege should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet."
It's getting into iOS as well, not just Android
http://arstechnica.com/gaming/2016/07/pokemon-go-on-ios-gets-full-access-to-your-google-account/
Like I would trust a Google account with any personal information anyway...
Niantic has had Ingress out for years - are the permissions for it the same on that device? Not an apple user and haven't noticed anything odd with permissions on Android, plus posting as Anon because I CBA to create an account at the moment.
nttp
People simply don't care. In all honesty, most people's lives aren't interesting or important enough to be worth anything to anybody, anyway. Harvest their data, try to sell them (more) crap they don't need, and that's about it.
I don't respond to AC's.
Pokemon is not part of the US Government spy coalition funded by US tax payer dollars.
My vote is for Pokemon.
I personally checked mine, and other sources are also reporting, the Android version does not do this. It seems to be specific to the iOS version so it's probably a bug.
"If you're an iPhone user and have installed Pokemon GO, you may have noticed that the app grants itself full access to your Google account. It can read your email, location history, documents and pretty much everything else associated with your Google account."
Oh, I'm sure that Google would never do anything bad while they're pawing through all your shit in an attempt to monetize everything you do.
I mean, so they have your email, phone calls, location history, documents, camera, pictures, videos, contact list, etc etc, but c'mon- it's Google, and Google has never done anything shady, amirite?
Oh, and how does an app grant itself all of these permissions? Aren't we supposed to have to do that? What's the point of having "permissions" if an app can just assign them to itself at will?
Just cruising through this digital world at 33 1/3 rpm...
On iOS, you at least have granular permission control over an app's access to the things under iOS's jurisdiction, such as network, location, contacts, and whatnot. But the Google bits seem to be all or nothing, unfortunately.
It seems to be a bit weird, since Niantic is supposedly not part of the Google-verse anymore. But old habits die hard, I guess... or else they're still doing favors for their former overlords. Stockholm Syndrome, maybe?
#DeleteChrome
Just looked at Pokemon Go on the App Store; I see it offers in-app purchases from $0.99 to $99.99.
When I first heard about it I just assumed it was $25 or something and you just had the app to play with, considering it's Nintendo and that's how console games usually work.
Is it like the other micropayment games where it is technically possible to win without paying but would take several years because of the way the game is weighted?
Minimum threshold fixed. Thanks!
If you're putting shit out there for Google then it's already compromised... iOS or not.
Google is not trustworthy. Any rational person already knows this.
one does not have a Google account? Does it sign you up for one or does it go apoplectic when it can't find your information?
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
So what you are saying is that it is nothing more than a device to gain access to your private data at google. And because all of that data is now records owned by a third party, they are free to legally sell it to the government.
So does my Chromecast app...
Do you use your Gmail address with any services other than Slashdot? At a minimum, just having your /. account tied to your Gmail account means that they could reset your /. password and take over your account. If you have any other third-party accounts tied to that Gmail address, they can be compromised too.
In the modern world, there are few things that need to be more tightly protected than your email account (which is sad, considering the pathetic state of email security). It's the key to getting into far too many other things.
Additionally, something like this could be used to spam all your contacts with messages (possibly containing malware, or at least malicious links) that appear to come from you. I figure it's been long enough since ILOVEYOU for people to have forgotten some of the more salient lessons there; I'm seeing an uptick in advertisements for scam sites being spread that way on social media.
There's no place I could be, since I've found Serenity...
We suspect that a pokémon is about to access your account. Please change your password and ready your poké balls as soon as possible.
Yodlee.com wanted user name and password of all your financial and bank accounts.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Niantic's first game, Ingress, is quite similar. Run around in the real world, GPS on, game constantly updating Google/Niantic's servers about where you are. Niantic is a Google enterprise, btw., and here's the kicker: once you're hooked on the game and you are about to level up to level 3 (maybe 15 hours of playing or so), you are required to "verify" your account to be able to continue playing, by giving Google your phone number to get a "confirmation SMS", effectively linking your real person to all past and future movement data of where you have been, at what times, during what days. How's that for creepy and treacherous? If this isn't the equivalent of having a GPS tracker on your person, I don't know what is. Boycott that shit. Surely Pokemon Go is the exact same stuff? Just one step further, with your phone letting "them" see what you see, in addition to engaging a shitload of more people to keep track on.
There are two sets of permissions at play here.
The first set relates to the app's access to your phone's hardware: GPS location, camera, photos. Being an augmented reality program, GPS location is an obvious need - it needs to know where you are to be able to let you play the game. (Whether that information is used in other ways... suffice to say that if you're that paranoid, don't play the game.) The camera is also reasonably obvious (throwing pokeballs at Pokemon overlaid on the real world kinda requires access to the camera.) Photos: if you want to take a photo of a Pokemon as you're trying to catch it, where else are they going to be stored?
So those are reasonable, or at least explainable, and they're asked for as the app needs them - if you don't use a particular feature (at least on iOS), it won't ask for the permissions required for it.
The second set of permissions relates to the app's access to your Google account - the one you use to login to the game. That's where the issue lies: the app asks for full access to your Google account when you sign up, and by giving Google your account name and password, you're granting that access. Nowhere does it make it clear that this is the access the app asks for. That's the issue here - the permissions that the app wants for access to your Google account are too broad, and there is no clear explanation as to why it wants those permissions. Sure, there's a privacy policy. How many people actually read those things, let alone understand them in depth?
It's probably just lazy programming on somebody's part. But frankly, for something that's discretionary in nature, I'm not really willing to cut them that level of slack.
It's no big thing really. Just make up a burner account for spam like this, and make all payments with prepaid cards.
“He’s not deformed, he’s just drunk!”
Having not really been aware of this new game, I was observing and feeling a bit strange about what seemed to be a larger amount of cell phone users in parks, riding bikes, driving cars.
Good Times.
So what happens if they reset my Slashdot password? The people working there will sit around posting as me?
Since when have iPhones got SD cards? Do you think maybe the writer has noticed the extravagant permissions on Android and assumes that they're the same on iPhone?
So you've been giving your life's data to Google for convenience but somehow you feel cheated that someone else wants access too. Is Google special? Yes! Should you trust them? No! Is there a price to be paid for convenience? Yes!
Seriously why should anyone care about this?
I say all apps should have access to Gmail accounts, it would be more democratic than just the mighty Google hoarding all your personal data...
Google are pretty hypocritical to talk about software being able to read a person's email....
What's your backing for that assertion?
I ask this because I notice you've cited nothing backing up your claim, and it's quite a claim. And because people on /. make comparably grand assertions of people not caring about the Snowden revelations despite evidence to the contrary, and it's a good idea to back up one's statements from something substantial.
Glenn Greenwald, Edward Snowden, and Noam Chomsky addressed this at a recent talk on privacy and spent some time debunking the notion that the public doesn't care about privacy or that Snowden's revelations weren't a big deal.
The host says around 32m44s that after Snowden's revelations were published by international news "Pew Internet Life Research shows that people were modifying their behavior -- they were self-censoring, they were curtailing their own speech.". Around 38m the host questions the point directly asking "Do people in general care?" to which we get variations on the theme of "Yes" ranging from Snowden's point that whether people care "isn't really that material even if it is the case [because] rights don't exist for the majority; rights exist to protect the minority against the majority.". He then explains that he thinks increasingly people do care because they only recently learned of the threat to their privacy and then he explains that threat in plain language.
Greenwald, by this time in the discussion, had already debunked the notion that people who say they have no secrets and therefore don't care: He offered them his email address and told them to send him the credentials of every personal (as opposed to work) account they have including the sensitive ones (I interpreted this to mean an account on, say, a cheat-on-one's-spouse site). To date, he said, nobody's taken him up on his offer. Here he points out that contrary to the naysayers who dismissed the Snowden revelations as a flash-in-the-pan that would go away in a few days, these documents have been headline stories "not just in the United States but in dozens of countries in multiple continents around the world precisely because people were so angry and offended at the intrusion into their privacy including people who might have said in the past 'I don't really care'." (43m43s). He cites a "massive increase in the number of people around the world who are now using encryption to protect the privacy of their communications, to the number of people who put pressure on the US Government in both parties to enact legislation limiting these programs [the NSA spying programs] but maybe the best evidence of all of how much people care about privacy is the behavioral change in Silicon Valley companies. The biggest ones -- Yahoo, Facebook, Apple, and Google, and Microsoft -- when I first read the archive that Ed gave me, one of the things that struck me the most is what full-scale collaborators these companies were in the surveillance state that the NSA had created. They were not only complying [and a Snowden leaked document from the NSA showing "Dates When PRISM Collection Began For Each Provider"] [...] to the extent the law required but even went beyond that." including building backdoors into their non-free, user-subjugating, proprietary software. 
Greenwald concludes, "And the reason they were such full-scale collaborators is because nobody knew they were doing it completely in the dark, nobody knew they were doing it, and there was no cost." (45m18s). Once this became known these companies changed their behavior due to fear of being seen as the collaborators they have been for so long. They know the pressures of their customer base and that they are seen standing up to the FBI, being "seen as aides and abettors of ISIS", etc. People won't use these companies' products and services if they know their privacy won't be upheld.
Noam Chomsky reflected on this from a historical p
Digital Citizen
Probably not as hard as whining about it.
God spoke to me
I solve this problem like this:
* GMail for Personal
* private domain name + email for all Biz related stuff
That makes no sense. If you've got the ability to set up a domain name and an email server, why don't you use that for your personal account too?
See that "Preview" button?
One thing that TFS doesn't make clear here is that this situation only occurs if you sign up for Pokemon Go with a Google account.
The game supports two different account types, either a Pokemon Trainer Club account through pokemon.com, or a Google account. Because the game is incredibly, absurdly popular right now, Nintendo is throttling Pokemon Trainer Club account creation to prevent their servers from becoming molten silicon. Which is why so many people are signing up with their Google account.
It's signing up via a Google account that causes PoGo/Nintendo to have full access to said account. Which means that if you have already signed up via the Pokemon Trainer Club, or will do so in the future, you'll be fine. It's only users signing up via the Google account system that are getting their Google accounts linked in this fashion. So the straightforward solution is to only sign up for the game with a Pokemon Trainer Club account. Which admittedly isn't super helpful due to the aforementioned throttle on Pokemon Trainer Club account creation, but there is at least a workaround.
Otherwise the iOS-centric aspect of this is a bit unusual. Obviously iOS isn't giving PoGo access to your Google account, rather it seems to be a difference in how the two apps work. It appears that the Android version of the app doesn't try to request full permissions, only the iOS version does. Why? That's a good question...
It would lock you out of your Slashdot account. You get to decide how important it would be to have to abandon your current /. account and have to set up a new one.
Google makes an app that gets full access to your Google account... and this is news?
Is someone forgetting that until recently Niantic wasn't even a separate company?
I would think a degree of separation for starters. A person with malicious intent that gets hold of his GMail address doesn't get to know the domain name of his more important email address.
-=This sig has nothing to do with my comment. Move along now=-
Google have always told me what they intend to do with my data. I've been shown no evidence they have ever done anything else with it.
They don't pass it on to third parties, but use it to show me ads on behalf of 3rd parties. Big difference.
However MS (ie Windows 10) wants my data and does not explicitly say what data it wants and who it may share it with. Do you see a difference ?
If Nintendo have access to your email they should say why so you can decide.
... when you hire Team Rocket to code your app.
The title is very careful not to mention Apple or iPhone, but does mention Google. Very obviously written by an iFan
So the game that was made by Google (or a subsidiary) has access to all the information that they had before? Better post a scaremongering topic about it!
From Niantic:
"We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user's Google account. However, Pokémon Go only accesses basic Google profile information (specifically, your user ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go's permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves."
"How fine you look when dressed in rage."
iOS version of Pokémon Go is a possible privacy trainwreck [Updated]
No user data has been accessed, and Google and Niantic are working on fixes.
by Andrew Cunningham - Jul 11, 2016 10:00pm EDT
Update: Niantic has confirmed in a statement that the Pokémon Go app requests more permissions than it needs, but that it has not accessed any user information. Google will automatically push a fix on its end to reduce the app's permissions, and Niantic will release an update to the app to make it request fewer permissions in the first place. The full statement:
"We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user's Google account. However, Pokémon Go only accesses basic Google profile information (specifically, your user ID and e-mail address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google account information, in line with the data we actually access. Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go's permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves."
It cannot read your email. That was some idiot misreading the description of the access rights, and tons of blogs reposting his story. He has since admitted that he didn't actually know if it was true and subsequently admitted that he was wrong.
I signed up with a brand new google account that I only created specifically for the game. Problem solved.
It is an iOS problem, and the summary mentions SD card? Would be pretty nice if I could put an SD card into my wife's iPhone.
I remember my LinkedIn account showing, in my own profile page, full emails that it should not even know. When I saw them exposed (to me only, I hope...), I began a saga of disassociating my email from a series of things, LinkedIn the first one. My recommendation: Do not use the Import contacts from LinkedIn, Facebook, etc. They are accessing the full contents of e-mails, when the only thing they should do is a one-off shot to do exactly what the user is expecting: Import contacts. Period.
Suggestions on how to protect your privacy are "Flamebait"?! Oh, that's fucking rich!