Slashdot Mirror


PSA: Pokemon Go Has Full Access To Your Google Account Data (techcrunch.com)

An anonymous reader writes: If you're an iPhone user and have installed Pokemon GO, you may have noticed that the app grants itself full access to your Google account. It can read your email, location history, documents and pretty much everything else associated with your Google account. (You can check to see for yourself here.) Given the nature of the game, it's understandable for it to request a lot of permissions, as it needs your precise location, ability to access the camera and motion sensors, read and write the SD card, and charge you money when you run out of Pokeballs or eggs. But full access to your Google account is pushing it, even if Niantic or Nintendo has no malicious intentions. If you're concerned about these permissions, you can always sign up using a Pokemon Trainer account, assuming the servers are permitting. Google describes full account access as such: "When you grant full account access, the application can see and modify nearly all information in your Google Account (but it can't change your password, delete your account, or pay with Google Wallet on your behalf). This 'Full account access' privilege should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet."

56 of 104 comments

  1. People don't care by DogDude · · Score: 4, Insightful

    People simply don't care. In all honesty, most people's lives aren't interesting or important enough to be worth anything to anybody, anyway. Harvest their data, try to sell them (more) crap they don't need, and that's about it.

    --
    I don't respond to AC's.
    1. Re:People don't care by Calydor · · Score: 1

      Yeah, I'm sure having access to a long list of reply notifications from Slashdot, not even containing the reply itself (really, can we get that sometime?) is going to be really, really valuable to a spammer.

      --
      -=This sig has nothing to do with my comment. Move along now=-
  2. Not Android by The+MAZZTer · · Score: 4, Informative

    I personally checked mine, and other sources are also reporting, the Android version does not do this. It seems to be specific to the iOS version so it's probably a bug.

    1. Re: Not Android by Rosyna · · Score: 1

      If you deny the permission on Android, Pokémon GO will then ask you to log in manually with Google account credentials. That process also creates the OAuth token with the overzealous scope.

      The fact is, all it is trying to do is activate a single sign on authentication method.

    2. Re:Not Android by dwillden · · Score: 2

      Google no longer owns Niantic.

      --
      I'm too lazy to compose a creative sig.
  3. Not to worry by JustAnotherOldGuy · · Score: 4, Informative

    "If you're an iPhone user and have installed Pokemon GO, you may have noticed that the app grants itself full access to your Google account. It can read your email, location history, documents and pretty much everything else associated with your Google account."

    Oh, I'm sure that Google would never do anything bad while they're pawing through all your shit in an attempt to monetize everything you do.

    I mean, so they have your email, phone calls, location history, documents, camera, pictures, videos, contact list, etc etc, but c'mon- it's Google, and Google has never done anything shady, amirite?

    Oh, and how does an app grant itself all of these permissions? Aren't we supposed to have to do that? What's the point of having "permissions" if an app can just assign them to itself at will?

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:Not to worry by cbhacking · · Score: 2

      Well, the app has to request that you sign in to grant it access, and you have to do that. It can't *just* assign the permissions to itself; you do have to do something too.

      With that said, I certainly *thought* that Google would tell you just what permissions it is granting to what entity (app, in this case) and require you to approve that grant before actually giving access. Apparently that's not always how it happens, though (at least, not for ex-Alphabet companies, or something).

      --
      There's no place I could be, since I've found Serenity...
    2. Re:Not to worry by Nemyst · · Score: 1

      Do you even know how this sort of thing works? The app requests for those permissions when you install it, as with anything else, and granting it full access is going to be explicitly mentioned. They can't magically get into your Google account from iOS. More to the point, this is Nintendo and Niantic, neither of which are affiliated with Google (Niantic has been independent for almost a year). All this has to do with Google is that the app is requesting full access.

    3. Re:Not to worry by DahGhostfacedFiddlah · · Score: 1

      Is that how it works? "App has permissions it was explicitly granted" isn't a great headline.

      I was sort of hoping someone on /. would explain this. I've read three different puff pieces, and I still have no idea how these permissions were granted. Have people been tapping "Grant all rights to my Google Account", and being surprised by the result?

    4. Re:Not to worry by Dutch+Gun · · Score: 1

      I'd guess the surprise is more of a "why does this app need access to everything on my phone?" nature. At least on Android, you get a list of permissions the app asks for, and you have to approve that before you install it. If it updates and requests new permissions, you have to explicitly approve those as well. I'd imagine iOS works the same way, but I don't have an iPhone, so can't say for sure.

      So, yeah, it's up to the user to decide if they want to approve the app with those permissions or not. I saw a shopping list app that wanted access to my location data and contact lists, plus a few others. Seems excessive, right? It likely is able to recognize when you're at the grocery store and share your lists with family members, so it probably actually needed those permissions. I still didn't want it, because I knew I'd never need those features. Found one that asked for no permissions at all, like I'd expect.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    5. Re:Not to worry by JustAnotherOldGuy · · Score: 4, Insightful

      Do you even know how this sort of thing works?

      Well hurr durr no, these new-fangled computin' machines are a consarn mystery to us techo-n00bs.

      The article says, "you may have noticed that the app grants itself full access to your Google account"...

      If it asks for those permissions, then it isn't granting itself a goddamn thing, now is it?

      So, either the article is wrong or the app grants itself full access.

      Out of curiosity, what part of "grants itself full access" sounds like "the app requests for those permissions when you install it"?

      --
      Just cruising through this digital world at 33 1/3 rpm...
    6. Re:Not to worry by Dutch+Gun · · Score: 1

      I'd guess contacts are so you can trade or play with your friends? E-mail/messages as well, I suppose. I don't have the game, so that's just speculation.

      --
      Irony: Agile development has too much inertia to be abandoned now.
  4. The good and the bad by 93+Escort+Wagon · · Score: 1

    On iOS, you at least have granular permission control over an app's access to the things under iOS's jurisdiction, such as network, location, contacts, and whatnot. But the Google bits seem to be all or nothing, unfortunately.

    It seems to be a bit weird, since Niantic is supposedly not part of the Google-verse anymore. But old habits die hard, I guess... or else they're still doing favors for their former overlords. Stockholm Syndrome, maybe?

    --
    #DeleteChrome
    1. Re:The good and the bad by whoever57 · · Score: 1

      But the Google bits seem to be all or nothing, unfortunately.

      Android 6 allows the user to deny or grant permissions on a more fine-grained level.

      --
      The real "Libtards" are the Libertarians!
    2. Re:The good and the bad by cbhacking · · Score: 2

      This isn't about app capabilities on your phone. This is about third-party API access to your Google account. It's all online, viewed and managed through a browser and used (or abused) via web services. It has nothing to do with your phone (except that apparently the iOS and Android versions of the app request different permissions to your Google account, and apparently the iOS version is unreasonably greedy).

      --
      There's no place I could be, since I've found Serenity...
  5. micropayments? by sims+2 · · Score: 1

    Just looked at pokemon go on the appstore I see it offers in app purchases from $0.99 to $99.99.

    When I first heard about it I just assumed it was $25 or something and you just had the app to play with considering it's Nintendo and that's how console games usually work.

    Is it like the other micropayment games where it is technically possible to win without paying but would take several years because of the way the game is weighted?

    --
    Minimum threshold fixed. Thanks!
    1. Re: micropayments? by Lokni · · Score: 1

      It's the same as Ingress, the only other game out there based on location data. Great tool for getting people to move around and explore. But no real point beyond bragging rights over stats.

    2. Re:micropayments? by Sowelu · · Score: 2

      If you live in an area with a lot of pokestops (read: 'densely populated area'), free items flow like water, and if you're at all careful to keep some pokeballs around, you won't get caught needing more. If you live in an area without many of them, then you might run into pokemon a lot more often than you run into places to naturally recharge your items, and running into that rare critter you want might make you desperate enough to spend money for more pokeballs on the spot.

      Much like Ingress though, it's helpful to go into it expecting that equipment shortages are just part of the game (because they are). Much like Ingress, if you're a heavy player, it's probably worth five bucks to buy extra item storage. And unlike Ingress, if you have powerful enough monsters, or live in an area where people slack off, you can hold onto a gym and get free in-game money to buy premium stuff without spending a cent.

      In Ingress, aside from maxing out your storage capacity, the only time people usually spent real money was to boost portals for large groups to use, and not everyone did that (go out drinking with a dozen players, and one or two of them boost the portals the bar is sitting on). I expect the same thing to happen here, except that Lure modules have been really frequent in town, a lot more frequent than the Ingress equivalent. I'm not sure if that's because they are cheaper, or because the game is less viciously competitive (so you don't need to plan how to keep the enemy team from taking advantage). Either way I don't think money is going to be a huge thing...again, unless you live so far out in the boonies that you run into wild pokemon way more than you run into pokestops. Me, I'm constantly having to throw away pokeballs because my inventory gets too full.

      I have a feeling that some businesses are going to try and monetize this game for their own purpose. It's like $15 to keep a portal boosted up with Lure modules for a whole day, and if you're lucky enough to control access to it (like, can only reach it from inside your restaurant), you could probably introduce some new customers who might otherwise go somewhere else? It's one form of advertising, at least.

    3. Re:micropayments? by xvan · · Score: 1

      Wait until pokemon trading gets enabled.

  6. What if. . . by smooth+wombat · · Score: 1

    one does not have a Google account? Does it sign you up for one or does it go apoplectic when it can't find your information?

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    1. Re:What if. . . by cbhacking · · Score: 1

      What do you mean, when "it" can't find your information? If you don't have a Google account, you can't sign into the app using a Google account. Since the only other way to sign into the app is using a service that no longer allows new account creation, you won't be able to use the app at all until you create a Google account.

      --
      There's no place I could be, since I've found Serenity...
    2. Re:What if. . . by fustakrakich · · Score: 1

      you won't be able to use the app at all until you create a Google account.

      Right, so what's the problem? Make an account just for Pokemon and other spammers. People are getting excited for nothing.

      --
      “He’s not deformed, he’s just drunk!”
    3. Re:What if. . . by Anonymous Coward · · Score: 1

      You can also login using your Trainer ID (Nintendo account). If you don't have either of those then on iOS I presume it tells you to go create one. On Android...how would you even be using the phone?

    4. Re:What if. . . by apoc.famine · · Score: 1

      I have a "phone account" for google. It's tied to nothing but my phone. When google needs an account for most services, that's what it gets. I also have several gmail accounts. I have one tied to the mail app on the phone, so I can access my personal email on my phone, without directly tying that account to the rest of google's services.
       
      The problem comes when google decides that since there are two google accounts available to two different apps on the phone that it can pick whichever one it wants to send and receive email via. So I try to send an email, and my mail app is suddenly sending on the empty phone google account. If someone replies to that, it goes only to my phone, not to any of the other devices I use to access gmail.
       
      Google does not respect having multiple accounts on the same device. That's the problem.

      --
      Velociraptor = Distiraptor / Timeraptor
    5. Re:What if. . . by fustakrakich · · Score: 1

      Well, in my case, I do seem to be able to decide for myself which account my mail goes out. If the app doesn't send from the address that was registered on installation, maybe that's where the lawyers come in. But something tells me that you give permission when installing the app. If enough people deny it, the developers might react. I still see the problem as self inflicted.

      --
      “He’s not deformed, he’s just drunk!”
    6. Re:What if. . . by Actually,+I+do+RTFA · · Score: 1

      You sign up for a free non-Google account at pokemon.com (it was intermittent for 4 days because of volume, but it's live now) and you can login to that account instead. It works on iOS and, I think, Android. And it has no access to your Google account.

      --
      Your ad here. Ask me how!
  7. Re: Scare tactic? by TroII · · Score: 4, Funny

    Pok©mon GO

    Wait, they released a new Jamaican version of Pac-Man??

  8. Calea and 3rd party databases by Lokni · · Score: 1

    So what you are saying is that it is nothing more than a device to gain access to your private data at google. And because all of that data is now records owned by a third party, they are free to legally sell it to the government.

    1. Re:Calea and 3rd party databases by cbhacking · · Score: 1

      Hmm... diabolical, if true. I suspect it'd get them sued *hard* if it came out that they were doing this, though. Requesting more access than you need is a security risk and a reason to distrust the app. Abusing that unreasonable level of access is an existential risk for a company, and a financial (and possibly even criminal; you could arguably make something stick via CFAA) risk to the people responsible for that decision.

      --
      There's no place I could be, since I've found Serenity...
  9. All fun and games until your account gets stolen. by cbhacking · · Score: 4, Interesting

    Do you use your Gmail address with any services other than Slashdot? At a minimum, just having your /. account tied to your Gmail account means that they could reset your /. password and take over your account. If you have any other third-party accounts tied to that Gmail address, they can be compromised too.

    In the modern world, there are few things that need to be more tightly protected than your email account (which is sad, considering the pathetic state of email security). It's the key to getting into far too many other things.

    Additionally, something like this could be used to spam all your contacts with messages (possibly containing malware, or at least malicious links) that appear to come from you. I figure it's been long enough since ILOVEYOU for people to have forgotten some of the more salient lessons there; I'm seeing an uptick in advertisements for scam sites being spread that way on social media.

    --
    There's no place I could be, since I've found Serenity...
  10. Is it worse than yodlee and its progeny? by 140Mandak262Jamuna · · Score: 1

    Yodlee.com wanted user name and password of all your financial and bank accounts.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  11. Is it as treacherous as Ingress? by carlhaagen · · Score: 3, Interesting

    Niantic's first game, Ingress, is quite similar. Run around in the real world, GPS on, game constantly updating Google/Niantic's servers about where you are. Niantic is a Google enterprise, btw., and here's the kicker: once you're hooked on the game and you are about to level up to level 3 (maybe 15 hours of playing or so), you are required to "verify" your account to be able to continue playing, by giving Google your phone number to get a "confirmation SMS", effectively linking your real person to all past and future movement data of where you have been, at what times, during what days. How's that for creepy and treacherous? If this isn't the equivalent of having a GPS tracker on your person, I don't know what is. Boycott that shit. Surely Pokemon Go is the exact same stuff? Just one step further, with your phone letting "them" see what you see, in addition to engaging a shitload of more people to keep track on.

    1. Re:Is it as treacherous as Ingress? by Sowelu · · Score: 1

      It sucks, because there are both ethical and seriously unethical uses for that kind of data collection. I don't necessarily want it in anyone's hands, but a "white hat" statistician could use it to really help urban planning / civil engineering / etc without hurting anyone in the process. Kind of like medical data that way.

      You have to be seriously naive to think that people collecting this info are on your side, but I know I'd be annoyed if I worked with the data for good purposes and had no way to avoid this kind of stigma.

    2. Re:Is it as treacherous as Ingress? by Nemyst · · Score: 1

      Niantic hasn't been part of Google/Alphabet for almost a year.

    3. Re:Is it as treacherous as Ingress? by dwillden · · Score: 1

      It is not run by Google. They spun it entirely free from the parent. The effects were seen in the Ingress game and back story as resources were cut.

      --
      I'm too lazy to compose a creative sig.
  12. Re:All fun and games until your account gets stole by known_coward_69 · · Score: 1

    so what happens if they reset my slashdot password? the people working there will sit around posting as me?

  13. WTF? by Anonymous Coward · · Score: 1

    Since when have iPhones got SD cards? Do you think maybe the writer has noticed the extravagant permissions on Android and assumes that they're the same on iPhone?

    1. Re:WTF? by Yvan256 · · Score: 1

      And what do Google accounts have to do with iPhones?

  14. After Giving Google your data you now want what? by nicoleb_x · · Score: 1

    So you've been giving your life's data to Google for convenience but somehow you feel cheated that someone else wants access too. Is Google special? Yes! Should you trust them? No! Is there a price to be paid for convenience? Yes!

  15. Why do you believe people don't care? by jbn-o · · Score: 4, Informative

    What's your backing for that assertion?

    I ask this because I notice you've cited nothing backing up your claim, and it's quite a claim. And because people on /. make comparably grand assertions of people not caring about the Snowden revelations despite evidence to the contrary, and it's a good idea to back up one's statements from something substantial.

    Glenn Greenwald, Edward Snowden, and Noam Chomsky addressed this at a recent talk on privacy and spent some time debunking the notion that the public doesn't care about privacy or that Snowden's revelations weren't a big deal.

    The host says around 32m44s that after Snowden's revelations were published by international news "Pew Internet Life Research shows that people were modifying their behavior -- they were self-censoring, they were curtailing their own speech.". Around 38m the host questions the point directly asking "Do people in general care?" to which we get variations on the theme of "Yes" ranging from Snowden's point that whether people care "isn't really that material even if it is the case [because] rights don't exist for the majority; rights exist to protect the minority against the majority.". He then explains that he thinks increasingly people do care because they only recently learned of the threat to their privacy and then he explains that threat in plain language.

    Greenwald, by this time in the discussion, had already debunked the notion that people who say they have no secrets and therefore don't care: He offered them his email address and told them to send him the credentials of every personal (as opposed to work) account they have including the sensitive ones (I interpreted this to mean an account on, say, a cheat-on-one's-spouse site). To date, he said, nobody's taken him up on his offer. Here he points out that contrary to the naysayers who dismissed the Snowden revelations as a flash-in-the-pan that would go away in a few days, these documents have been headline stories "not just in the United States but in dozens of countries in multiple continents around the world precisely because people were so angry and offended at the intrusion into their privacy including people who might have said in the past 'I don't really care'." (43m43s). He cites a "massive increase in the number of people around the world who are now using encryption to protect the privacy of their communications, to the number of people who put pressure on the US Government in both parties to enact legislation limiting these programs [the NSA spying programs] but maybe the best evidence of all of how much people care about privacy is the behavioral change in Silicon Valley companies. The biggest ones -- Yahoo, Facebook, Apple, and Google, and Microsoft -- when I first read the archive that Ed gave me, one of the things that struck me the most is what full-scale collaborators these companies were in the surveillance state that the NSA had created. They were not only complying [and a Snowden leaked document from the NSA showing "Dates When PRISM Collection Began For Each Provider"] [...] to the extent the law required but even went beyond that." including building backdoors into their non-free, user-subjugating, proprietary software. 
    Greenwald concludes, "And the reason they were such full-scale collaborators is because nobody knew they were doing it completely in the dark, nobody knew they were doing it, and there was no cost." (45m18s). Once this became known these companies changed their behavior due to fear of being seen as the collaborators they have been for so long. They know the pressures of their customer base and that they are seen standing up to the FBI, being "seen as aides and abettors of ISIS", etc. People won't use these companies' products and services if they know their privacy won't be upheld.

    Noam Chomsky reflected on this from a historical p

  16. Re:and Chromecast too by southernmike · · Score: 1

    and Google have shares in both.

  17. How hard is it to make an extra gmail account? by GoodNewsJimDotCom · · Score: 1

    Probably not as hard as whining about it.

  18. Re:All fun and games until your account gets stole by UnknownSoldier · · Score: 1

    I solve this problem like this:

    * GMail for Personal
    * private domain name + email for all Biz related stuff

  19. Re:All fun and games until your account gets stole by Orgasmatron · · Score: 1

    That makes no sense. If you've got the ability to set up a domain name and an email server, why don't you use that for your personal account too?

    --
    See that "Preview" button?
  20. Only If You Sign Up With a Google Account by rsmith-mac · · Score: 4, Informative

    One thing that TFS doesn't make clear here is that this situation only occurs if you sign up for Pokemon Go with a Google account.

    The game supports two different account types, either a Pokemon Trainer Club account through pokemon.com, or a Google account. Because the game is incredibly, absurdly popular right now, Nintendo is throttling Pokemon Trainer Club account creation to prevent their servers from becoming molten silicon. Which is why so many people are signing up with their Google account.

    It's signing up via a Google account that causes PoGo/Nintendo to have full access to said account. Which means that if you have already signed up via the Pokemon Trainer Club, or will do so in the future, you'll be fine. It's only users signing up via the Google account system that are getting their Google accounts linked in this fashion. So the straightforward solution is to only sign up for the game with a Pokemon Trainer Club account. Which admittedly isn't super helpful due to the aforementioned throttle on Pokemon Trainer Club account creation, but there is at least a workaround.

    Otherwise the iOS-centric aspect of this is a bit unusual. Obviously iOS isn't giving PoGo access to your Google account, rather it seems to be a difference in how the two apps work. It appears that the Android version of the app doesn't try to request full permissions, only the iOS version does. Why? That's a good question...

  21. Re: Scare tactic? by Rosyna · · Score: 1

    The SSO bug in Ingress was fixed on April 19th. Not enough people use Ingress to notice beforehand, I guess. And Niantic was owned by Google until mid 2015, so they always had access.

  22. Re: All fun and games until your account gets stol by Bing+Tsher+E · · Score: 1

    It would lock you out of your Slashdot account. You get to decide how important it would be to have to abandon your current /. account and have to set up a new one.

  23. So Google has access to your Google account? by Anonymous Coward · · Score: 1

    Google makes an app that gets full access to your Google account... and this is news?

    Is someone forgetting that until recently Niantic wasn't even a separate company?

  24. Re:All fun and games until your account gets stole by Calydor · · Score: 1

    I would think a degree of separation for starters. A person with malicious intent that gets hold of his GMail address doesn't get to know the domain name of his more important email address.

    --
    -=This sig has nothing to do with my comment. Move along now=-
  26. That's what you get ... by quax · · Score: 1

    ... when you hire Team Rocket to code your app.

  27. "ON iPHONE" by JohnStock · · Score: 1

    The title is very careful not to mention Apple or iPhone, but does mention Google. Very obviously written by an iFan

  28. Already in the process of being fixed. by Ashe+Tyrael · · Score: 1

    From Niantic:

    "We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user's Google account. However, Pokémon Go only accesses basic Google profile information (specifically, your user ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go's permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves."

    --
    "How fine you look when dressed in rage."
  29. Can this article be updated? by nhat11 · · Score: 1

    iOS version of Pokémon Go is a possible privacy trainwreck [Updated]
    No user data has been accessed, and Google and Niantic are working on fixes.

    by Andrew Cunningham - Jul 11, 2016 10:00pm EDT

    Update: Niantic has confirmed in a statement that the Pokémon Go app requests more permissions than it needs, but that it has not accessed any user information. Google will automatically push a fix on its end to reduce the app's permissions, and Niantic will release an update to the app to make it request fewer permissions in the first place. The full statement:

    "We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user's Google account. However, Pokémon Go only accesses basic Google profile information (specifically, your user ID and e-mail address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google account information, in line with the data we actually access. Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go's permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves."

  30. Re:Also by tsqr · · Score: 1

    It's getting into iOS as well, not just android

    No kidding? From TFS: If you're an iPhone user and have installed Pokemon GO, you may have noticed that the app grants itself full access to your Google account.

  31. It's an iOS problem by netsavior · · Score: 1

    It is an iOS problem, and the summary mentions SD card? would be pretty nice if I could put an SD card into my wife's iPhone.
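
The Niantic statement quoted in the thread describes two fixes: the client requesting only basic profile information, and Google reducing the permission on its side. The following is an added example, not part of the thread and not Niantic's or Google's code, that audits an OAuth 2.0 authorization request and token response against a least-privilege scope allowlist. The endpoint `auth.example`, the client ID, the redirect URI, the allowlist and the sample requests are constructed for illustration and are not the requests the app actually sent.

```python
"""Least-privilege audit of OAuth 2.0 scopes (added example, constructed data)."""
from urllib.parse import urlsplit, parse_qs

# Assumption: the app only needs the user's identity and e-mail address.
NEEDED_SCOPES = frozenset({"openid", "email"})

# Constructed sample requests; auth.example and all parameter values are placeholders.
_BASE = ("https://auth.example/authorize?response_type=code"
         "&client_id=CLIENT_ID_PLACEHOLDER"
         "&redirect_uri=com.example.app%3A%2Foauth")
BROAD_REQUEST = (_BASE + "&scope=openid+email"
                 "+https%3A%2F%2Fmail.google.com%2F"
                 "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive")
NARROW_REQUEST = _BASE + "&scope=openid%20email"
NO_SCOPE_REQUEST = _BASE

# Constructed token responses: one where the server narrowed the grant,
# one that omits `scope`, which means the grant equals the request.
NARROWED_TOKEN = {"access_token": "TOKEN_PLACEHOLDER", "token_type": "Bearer",
                  "scope": "openid email"}
UNCHANGED_TOKEN = {"access_token": "TOKEN_PLACEHOLDER", "token_type": "Bearer"}


def requested_scopes(auth_url):
    """Return the set of scopes named in an authorization request URL.

    RFC 6749 section 3.3: `scope` is a space-delimited, case-sensitive list.
    Returns None when the parameter is absent, because the server then
    applies its own default and the request says nothing about the grant.
    """
    query = parse_qs(urlsplit(auth_url).query, keep_blank_values=True)
    values = query.get("scope")
    if values is None:
        return None
    scopes = set()
    for value in values:  # merge a repeated parameter instead of trusting the first
        scopes.update(value.split())
    return scopes


def audit(auth_url, token_response=None, needed=NEEDED_SCOPES):
    """Report scopes requested or granted beyond what the app needs."""
    asked = requested_scopes(auth_url)
    report = {
        "scope_unspecified": asked is None,
        "over_requested": sorted((asked or set()) - needed),
        "over_granted": None,  # unknown until a token response is seen
    }
    if token_response is not None:
        # RFC 6749 section 5.1: the response carries `scope` when it differs
        # from the request; when omitted, the grant is what was asked for.
        field = token_response.get("scope")
        granted = set(field.split()) if field is not None else set(asked or ())
        report["over_granted"] = sorted(granted - needed)
    return report


if __name__ == "__main__":
    cases = [
        ("broad request, no token yet", BROAD_REQUEST, None),
        ("broad request, server narrowed", BROAD_REQUEST, NARROWED_TOKEN),
        ("broad request, granted as asked", BROAD_REQUEST, UNCHANGED_TOKEN),
        ("narrow request", NARROW_REQUEST, UNCHANGED_TOKEN),
        ("no scope parameter", NO_SCOPE_REQUEST, None),
    ]
    for label, url, token in cases:
        print(label, "->", audit(url, token))
```

A broad request that the server narrows still shows up under `over_requested`, which is the client-side half of the fix; `over_granted` is the half only the authorization server or a token inspection can confirm.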