PSA: Pokemon Go Has Full Access To Your Google Account Data

An anonymous reader writes: If you're an iPhone user and have installed Pokemon GO, you may have noticed that the app grants itself full access to your Google account. It can read your email, location history, documents and pretty much every else associated with your Google account. (You can check to see for yourself here.) Given the nature of the game, it's understandable for it to request a lot of permissions, as it needs your precise location, ability to access the camera and motion sensors, read and write the SD card, and charge you money when you run out of Pokeballs or eggs. But full access to your Google account is pushing it, even if Niantic or Nintendo has no malicious intentions. If you're concerned about these permissions, you can always sign-up using a Pokemon Trainer account, assuming the servers are permitting. Google describes full account access as such: "When you grant full account access, the application can see and modify nearly all information in your Google Account (but it canâ(TM)t change your password, delete your account, or pay with Google Wallet on your behalf). This 'Full account access' privilege should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet."

Also

It's getting into iOS as well, not just android

http://arstechnica.com/gaming/2016/07/pokemon-go-on-ios-gets-full-access-to-your-google-account/

Not Android

[The+MAZZTer]

I personally checked mine, and other sources are also reporting, the Android version does not do this. It seems to be specific to the iOS version so it's probably a bug.

Not to worry

[JustAnotherOldGuy]

"If you're an iPhone user and have installed Pokemon GO, you may have noticed that the app grants itself full access to your Google account. It can read your email, location history, documents and pretty much every else associated with your Google account."

Oh, I'm sure that Google would never do anything bad while they're pawing through all your shit in an attempt to monetize everything you do.

I mean, so they have your email, phone calls, location history, documents, camera, pictures, videos, contact list, etc etc, but c'mon- it's Google, and Google has never done anything shady, amirite?

Oh, and how does an app grant itself all of these permissions? Aren't we supposed to have to do that? What's the point of having "permissions" if an app can just assign them to itself at will?

Why do you believe people don't care?

[jbn-o]

What's your backing for that assertion?

I ask this because I notice you've cited nothing backing up your claim, and it's quite a claim. And because people on /. make comparably grand assertions of people not caring about the Snowden revelations despite evidence to the contrary, and it's a good idea to back up one's statements from something substantial.

Glenn Greenwald, Edward Snowden, and Noam Chomsky addressed this at a recent talk on privacy and spent some time debunking the notion that the public doesn't care about privacy or that Snowden's revelations weren't a big deal.

The host says around 32m44s that after Snowden's revelations were published by international news "Pew Internet Life Research shows that people were modifying their behavior -- they were self-censoring, they were curtailing their own speech.". Around 38m the host questions the point directly asking "Do people in general care?" to which we get variations on the theme of "Yes" ranging from Snowden's point that whether people care "isn't really that material even if it is the case [because] rights don't exist for the majority; rights exist to protect the minority against the majority.". He then explains that he thinks increasingly people do care because they only recently learned of the threat to their privacy and then he explains that threat in plain language.

Greenwald, by this time in the discussion, had already debunked the notion that people who say they have no secrets and therefore don't care: He offered them his email address and told them to send him the credentials of every personal (as opposed to work) account they have including the sensitive ones (I interpreted this to mean an account on, say, a cheat-on-one's-spouse site). To date, he said, nobody's taken him up on his offer. Here he points out that contrary to the naysayers who dismissed the Snowden revelations as a flash-in-the-pan that would go away in a few days, these documents have been headline stories "not just in the United States but in dozens of countries in multiple continents around the world precisely because people were so angry and offended at the intrusion into their privacy including people who might have said in the past 'I don't really care'." (43m43s). He cites a "massive increase in the number of people around the world who are now using encryption to protect the privacy of their communications, to the number of people who put pressure on the US Government in both parties to enact legislation limiting these programs [the NSA spying programs] but maybe the best evidence of all of how much people care about privacy is the behavioral change in Silicon Valley companies. The biggest ones -- Yahoo, Facebook, Apple, and Google, and Microsoft -- when I first read the archive that Ed gave me, one of the things that struck me the most is what full-scale collaborators these companies were in the surveillance state that the NSA had created. They were not only complying [and a Snowden leaked document from the NSA showing "Dates When PRISM Collection Began For Each Provider"] [...] to the extent the law required but even went beyond that." including building backdoors into their non-free, user-subjugating, proprietary software. Greenwald concludes, "And the reason they were such full-scale collaborators is because nobody knew they were doing it completely in the dark, nobody knew they were doing it, and there was no cost." (45m18s). Once this became known these companies changed their behavior due to fear of being seen as the collaborators they have been for so long. They know the pressures of their customer base and that they are seen standing up to the FBI, being "seen as aides and abettors of ISIS", etc. People won't use these companies' products and services if they know their privacy won't be upheld.

Noam Chomsky reflected on this from a historical p

Only If You Sign Up With a Google Acccount

[rsmith-mac]

One thing that TFS doesn't make clear here is that this situation only occurs if you sign up for Pokemon Go with a Google account.

The game supports two different account types, either a Pokemon Trainer Club account through pokemon.com, or a Google account. Because the game is incredibly, absurdly popular right now, Nintendo is throttling Pokemon Trainer Club account creation to prevent their servers from becoming molten silicon. Which is why so many people are signing up with their Google account.

It's signing up via a Google account that causes PoGo/Nintendo to have full access to said account. Which means that if you have already signed up via the Pokemon Trainer Club, or will do so in the future, you'll be fine. It's only users signing up via the Google account system that are getting their Google accounts linked in this fashion. So the straightforward solution is to only sign up for the game with a Pokemon Trainer Club account. Which admittedly isn't super helpful due to the aforementioned throttle on Pokemon Trainer Club account creation, but there is at least a workaround.

Otherwise the iOS-centric aspect of this is a bit unusual. Obviously iOS isn't giving PoGo access to your Google account, rather it seems to be a difference in how the two apps work. It appears that the Android version of the app doesn't try to request full permissions, only the iOS version does. Why? That's a good question...