PSA: Pokemon Go Has Full Access To Your Google Account Data (techcrunch.com)
An anonymous reader writes: If you're an iPhone user and have installed Pokemon GO, you may have noticed that the app grants itself full access to your Google account. It can read your email, location history, documents and pretty much everything else associated with your Google account. (You can check to see for yourself here.) Given the nature of the game, it's understandable for it to request a lot of permissions, as it needs your precise location, ability to access the camera and motion sensors, read and write the SD card, and charge you money when you run out of Pokeballs or eggs. But full access to your Google account is pushing it, even if Niantic or Nintendo has no malicious intentions. If you're concerned about these permissions, you can always sign up using a Pokemon Trainer account, assuming the servers are permitting. Google describes full account access as such: "When you grant full account access, the application can see and modify nearly all information in your Google Account (but it can't change your password, delete your account, or pay with Google Wallet on your behalf). This 'Full account access' privilege should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet."
People simply don't care. In all honesty, most people's lives aren't interesting or important enough to be worth anything to anybody, anyway. Harvest their data, try to sell them (more) crap they don't need, and that's about it.
I don't respond to AC's.
I personally checked mine, and other sources are also reporting, the Android version does not do this. It seems to be specific to the iOS version so it's probably a bug.
"If you're an iPhone user and have installed Pokemon GO, you may have noticed that the app grants itself full access to your Google account. It can read your email, location history, documents and pretty much every else associated with your Google account."
Oh, I'm sure that Google would never do anything bad while they're pawing through all your shit in an attempt to monetize everything you do.
I mean, so they have your email, phone calls, location history, documents, camera, pictures, videos, contact list, etc etc, but c'mon- it's Google, and Google has never done anything shady, amirite?
Oh, and how does an app grant itself all of these permissions? Aren't we supposed to have to do that? What's the point of having "permissions" if an app can just assign them to itself at will?
Just cruising through this digital world at 33 1/3 rpm...
Pokémon GO
Wait, they released a new Jamaican version of Pac-Man??
"If there was a gay Afro-Puertorican Linux distribution, I'd give it a try" ~lucm
Do you use your Gmail address with any services other than Slashdot? At a minimum, just having your /. account tied to your Gmail account means that they could reset your /. password and take over your account. If you have any other third-party accounts tied to that Gmail address, they can be compromised too.
In the modern world, there are few things that need to be more tightly protected than your email account (which is sad, considering the pathetic state of email security). It's the key to getting into far too many other things.
Additionally, something like this could be used to spam all your contacts with messages (possibly containing malware, or at least malicious links) that appear to come from you. I figure it's been long enough since ILOVEYOU for people to have forgotten some of the more salient lessons there; I'm seeing an uptick in advertisements for scam sites being spread that way on social media.
There's no place I could be, since I've found Serenity...
This isn't about app capabilities on your phone. This is about third-party API access to your Google account. It's all online, viewed and managed through a browser and used (or abused) via web services. It has nothing to do with your phone (except that apparently the iOS and Android versions of the app request different permissions to your Google account, and apparently the iOS version is unreasonably greedy).
There's no place I could be, since I've found Serenity...
Niantic's first game, Ingress, is quite similar. Run around in the real world, GPS on, game constantly updating Google/Niantic's servers about where you are. Niantic is a Google enterprise, btw, and here's the kicker: once you're hooked on the game and you are about to level up to level 3 (maybe 15 hours of playing or so), you are required to "verify" your account to be able to continue playing, by giving Google your phone number to get a "confirmation SMS", effectively linking your real person to all past and future movement data of where you have been, at what times, during what days. How's that for creepy and treacherous? If this isn't the equivalent of having a GPS tracker on your person, I don't know what is. Boycott that shit. Surely Pokemon Go is the exact same stuff? Just one step further, with your phone letting "them" see what you see, in addition to engaging a shitload more people to keep track of.
If you live in an area with a lot of pokestops (read: 'densely populated area'), free items flow like water, and if you're at all careful to keep some pokeballs around, you won't get caught needing more. If you live in an area without many of them, then you might run into pokemon a lot more often than you run into places to naturally recharge your items, and running into that rare critter you want might make you desperate enough to spend money for more pokeballs on the spot.
Much like Ingress though, it's helpful to go into it expecting that equipment shortages are just part of the game (because they are). Much like Ingress, if you're a heavy player, it's probably worth five bucks to buy extra item storage. And unlike Ingress, if you have powerful enough monsters, or live in an area where people slack off, you can hold onto a gym and get free in-game money to buy premium stuff without spending a cent.
In Ingress, aside from maxing out your storage capacity, the only time people usually spent real money was to boost portals for large groups to use, and not everyone did that (go out drinking with a dozen players, and one or two of them boost the portals the bar is sitting on). I expect the same thing to happen here, except that Lure modules have been really frequent in town, a lot more frequent than the Ingress equivalent. I'm not sure if that's because they are cheaper, or because the game is less viciously competitive (so you don't need to plan how to keep the enemy team from taking advantage). Either way I don't think money is going to be a huge thing...again, unless you live so far out in the boonies that you run into wild pokemon way more than you run into pokestops. Me, I'm constantly having to throw away pokeballs because my inventory gets too full.
I have a feeling that some businesses are going to try and monetize this game for their own purpose. It's like $15 to keep a portal boosted up with Lure modules for a whole day, and if you're lucky enough to control access to it (like, can only reach it from inside your restaurant), you could probably introduce some new customers who might otherwise go somewhere else? It's one form of advertising, at least.
What's your backing for that assertion?
I ask this because I notice you've cited nothing backing up your claim, and it's quite a claim. And because people on /. make comparably grand assertions of people not caring about the Snowden revelations despite evidence to the contrary, and it's a good idea to back up one's statements from something substantial.
Glenn Greenwald, Edward Snowden, and Noam Chomsky addressed this at a recent talk on privacy and spent some time debunking the notion that the public doesn't care about privacy or that Snowden's revelations weren't a big deal.
The host says around 32m44s that after Snowden's revelations were published by international news "Pew Internet Life Research shows that people were modifying their behavior -- they were self-censoring, they were curtailing their own speech." Around 38m the host questions the point directly asking "Do people in general care?" to which we get variations on the theme of "Yes" ranging from Snowden's point that whether people care "isn't really that material even if it is the case [because] rights don't exist for the majority; rights exist to protect the minority against the majority." He then explains that he thinks increasingly people do care because they only recently learned of the threat to their privacy and then he explains that threat in plain language.
Greenwald, by this time in the discussion, had already debunked the notion that people who say they have no secrets and therefore don't care: He offered them his email address and told them to send him the credentials of every personal (as opposed to work) account they have including the sensitive ones (I interpreted this to mean an account on, say, a cheat-on-one's-spouse site). To date, he said, nobody's taken him up on his offer. Here he points out that contrary to the naysayers who dismissed the Snowden revelations as a flash-in-the-pan that would go away in a few days, these documents have been headline stories "not just in the United States but in dozens of countries in multiple continents around the world precisely because people were so angry and offended at the intrusion into their privacy including people who might have said in the past 'I don't really care'." (43m43s). He cites a "massive increase in the number of people around the world who are now using encryption to protect the privacy of their communications, to the number of people who put pressure on the US Government in both parties to enact legislation limiting these programs [the NSA spying programs] but maybe the best evidence of all of how much people care about privacy is the behavioral change in Silicon Valley companies. The biggest ones -- Yahoo, Facebook, Apple, and Google, and Microsoft -- when I first read the archive that Ed gave me, one of the things that struck me the most is what full-scale collaborators these companies were in the surveillance state that the NSA had created. They were not only complying [and a Snowden leaked document from the NSA showing "Dates When PRISM Collection Began For Each Provider"] [...] to the extent the law required but even went beyond that." including building backdoors into their non-free, user-subjugating, proprietary software. 
Greenwald concludes, "And the reason they were such full-scale collaborators is because nobody knew they were doing it completely in the dark, nobody knew they were doing it, and there was no cost." (45m18s). Once this became known these companies changed their behavior due to fear of being seen as the collaborators they have been for so long. They know the pressures of their customer base and that they are seen standing up to the FBI, being "seen as aides and abettors of ISIS", etc. People won't use these companies' products and services if they know their privacy won't be upheld.
Noam Chomsky reflected on this from a historical p
Digital Citizen
One thing that TFS doesn't make clear here is that this situation only occurs if you sign up for Pokemon Go with a Google account.
The game supports two different account types, either a Pokemon Trainer Club account through pokemon.com, or a Google account. Because the game is incredibly, absurdly popular right now, Nintendo is throttling Pokemon Trainer Club account creation to prevent their servers from becoming molten silicon. Which is why so many people are signing up with their Google account.
It's signing up via a Google account that causes PoGo/Nintendo to have full access to said account. Which means that if you have already signed up via the Pokemon Trainer Club, or will do so in the future, you'll be fine. It's only users signing up via the Google account system that are getting their Google accounts linked in this fashion. So the straightforward solution is to only sign up for the game with a Pokemon Trainer Club account. Which admittedly isn't super helpful due to the aforementioned throttle on Pokemon Trainer Club account creation, but there is at least a workaround.
Otherwise the iOS-centric aspect of this is a bit unusual. Obviously iOS isn't giving PoGo access to your Google account, rather it seems to be a difference in how the two apps work. It appears that the Android version of the app doesn't try to request full permissions, only the iOS version does. Why? That's a good question...