Slashdot Mirror


PSA: Pokemon Go Has Full Access To Your Google Account Data (techcrunch.com)

An anonymous reader writes: If you're an iPhone user and have installed Pokemon GO, you may have noticed that the app grants itself full access to your Google account. It can read your email, location history, documents and pretty much everything else associated with your Google account. (You can check to see for yourself here.) Given the nature of the game, it's understandable for it to request a lot of permissions, as it needs your precise location, ability to access the camera and motion sensors, read and write the SD card, and charge you money when you run out of Pokeballs or eggs. But full access to your Google account is pushing it, even if Niantic or Nintendo has no malicious intentions. If you're concerned about these permissions, you can always sign up using a Pokemon Trainer account, assuming the servers are permitting. Google describes full account access as such: "When you grant full account access, the application can see and modify nearly all information in your Google Account (but it can't change your password, delete your account, or pay with Google Wallet on your behalf). This 'Full account access' privilege should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet."

2 of 104 comments

  1. All fun and games until your account gets stolen. by cbhacking · Score: 4, Interesting

    Do you use your Gmail address with any services other than Slashdot? At a minimum, just having your /. account tied to your Gmail account means that they could reset your /. password and take over your account. If you have any other third-party accounts tied to that Gmail address, they can be compromised too.

    In the modern world, there are few things that need to be more tightly protected than your email account (which is sad, considering the pathetic state of email security). It's the key to getting into far too many other things.

    Additionally, something like this could be used to spam all your contacts with messages (possibly containing malware, or at least malicious links) that appear to come from you. I figure it's been long enough since ILOVEYOU for people to have forgotten some of the more salient lessons there; I'm seeing an uptick in advertisements for scam sites being spread that way on social media.

    --
    There's no place I could be, since I've found Serenity...
  2. Is it as treacherous as Ingress? by carlhaagen · Score: 3, Interesting

    Niantic's first game, Ingress, is quite similar. Run around in the real world, GPS on, game constantly updating Google/Niantic's servers about where you are. Niantic is a Google enterprise, btw, and here's the kicker: once you're hooked on the game and you are about to level up to level 3 (maybe 15 hours of playing or so), you are required to "verify" your account to be able to continue playing, by giving Google your phone number to get a "confirmation SMS", effectively linking your real person to all past and future movement data of where you have been, at what times, during what days. How's that for creepy and treacherous? If this isn't the equivalent of having a GPS tracker on your person, I don't know what is. Boycott that shit. Surely Pokemon Go is the exact same stuff? Just one step further, with your phone letting "them" see what you see, in addition to engaging a shitload of more people to keep track of.