Slashdot Mirror


Pokemon Go Was Never Able To Read Your Email (gizmodo.com)

Last week a security researcher noted that Pokemon Go's iOS app -- for whatever reason -- was requesting full access to a user's Google account. But is that really the case? Gizmodo contacted Adam Reeve, the security researcher in question (who also happens to be a former senior engineering manager at Tumblr) to get more details on his claims, after which Reeve, now Principal Architect at Red Owl Analytics, said he wasn't "100 percent sure" his blog was true. From the report: Cybersecurity expert and CEO of Trail of Bits Dan Guido has also cast serious doubt on Reeve's claim, saying Google tech support told him "full account access" does not mean a third party can read or send email, access your files or anything else Reeve claimed. It means Niantic can only read biographical information like email address and phone number.

In a statement, Google tech support said:

In this case, we checked that the Full account access permission refers to most of the My account settings. Specific actions such as sending emails, modifying folders, etc, require explicit permissions to that service (the permission will say "Has access to Gmail").

Niantic, the company behind the Pokemon Go app, also assures that its app doesn't access anyone's email. Moreover, it is working with Google to ensure that only a user's profile data is accessed by the app. In a statement to Gizmodo, the company said:

We recently discovered that the Pokemon GO account creation process on iOS erroneously requests full access permission for the user's Google account. However, Pokemon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokemon GO or Niantic. Google will soon reduce Pokemon GO's permission to only the basic profile data that Pokemon GO needs, and users do not need to take any actions themselves.

Perhaps people should be more careful about the accusations they make.
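The fix Niantic describes is a change to the authorization request: ask only for the scopes the app actually uses (an identity token carrying the user ID and email address) instead of a broad account permission. The script below is an added example, not code from Niantic, Google or the article: it parses the `scope` parameter of an OAuth 2.0 / OpenID Connect authorization URL, flags every scope beyond basic identity, and rewrites the URL to the minimal identity-only set. The sample URL, client ID and redirect URI are constructed for the example; the scope strings are Google's published identifiers, but nothing here asserts which scopes any real app requested.

```python
"""Audit and minimize the `scope` parameter of an OAuth 2.0 / OpenID Connect
authorization request, as a sign-in-only client (one that needs just a
stable user ID and an e-mail address) should send it.

Added example; not Niantic's, Google's or the article's code.  SAMPLE_AUTH_URL,
the client_id and the redirect_uri in it are constructed.
"""
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# OpenID Connect scopes plus their legacy Google equivalents.  All of these
# expose identity data only (subject ID, e-mail address, basic profile).
IDENTITY_SCOPES = {
    "openid",
    "email",
    "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

# Prefixes of scopes that reach into a service's data rather than identity.
# Table assembled for this example; extend it for the services you review.
SERVICE_SCOPE_PREFIXES = (
    ("https://mail.google.com/", "Gmail (full mailbox)"),
    ("https://www.googleapis.com/auth/gmail.", "Gmail"),
    ("https://www.googleapis.com/auth/drive", "Drive"),
    ("https://www.googleapis.com/auth/calendar", "Calendar"),
    ("https://www.googleapis.com/auth/contacts", "Contacts"),
)

# Constructed sample: a sign-in request that also asks for the whole mailbox.
SAMPLE_AUTH_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=example-client-id"
    "&redirect_uri=com.example.app%3A%2Foauth2redirect"
    "&response_type=code"
    "&state=abc123"
    "&scope=openid%20email%20profile%20https%3A%2F%2Fmail.google.com%2F"
)


def requested_scopes(auth_url):
    """Return the set of space-separated `scope` values in an authorization URL."""
    query = parse_qs(urlparse(auth_url).query)
    return set(query.get("scope", [""])[0].split())


def classify_scope(scope):
    """Label a scope as identity-only, a known service, or unknown."""
    if scope in IDENTITY_SCOPES:
        return "identity"
    for prefix, label in SERVICE_SCOPE_PREFIXES:
        if scope.startswith(prefix):
            return label
    return "unknown (review manually)"


def audit_scopes(auth_url):
    """Map each non-identity scope in the request to what it unlocks.

    An empty result means the request is already least-privilege for a
    sign-in-only client.
    """
    return {
        scope: classify_scope(scope)
        for scope in sorted(requested_scopes(auth_url))
        if scope not in IDENTITY_SCOPES
    }


def minimize_auth_url(auth_url):
    """Rewrite the request so it carries identity scopes only.

    Every other parameter (client_id, redirect_uri, state, ...) is kept as it
    was; `openid` is always included so the provider returns an ID token.
    """
    parts = urlparse(auth_url)
    query = parse_qs(parts.query, keep_blank_values=True)
    kept = requested_scopes(auth_url) & IDENTITY_SCOPES
    kept.add("openid")
    query["scope"] = [" ".join(sorted(kept))]
    return urlunparse(parts._replace(query=urlencode(query, doseq=True)))


if __name__ == "__main__":
    for scope, label in audit_scopes(SAMPLE_AUTH_URL).items():
        print(f"over-broad scope: {scope} -> {label}")
    print("minimized request:", minimize_auth_url(SAMPLE_AUTH_URL))
```

Run the same audit against the authorization URL your own client builds (or the one captured from a device proxy) before shipping; a non-empty result from `audit_scopes` is the permissions discrepancy the article describes, and the consent screen the user sees is driven by exactly this parameter.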

19 of 109 comments

  1. Guilty until Proven Innocent by Archangel+Michael · · Score: 4, Insightful

    Perhaps people should be more careful about the accusations they make.

    Why?

    Accusations are often all that is needed in this world to create the effect you desire. Accusations work, because people think that an accusation = "Guilty" or at least "suspicious" and that is all that is needed to trigger the "fear" response. It works, because most people don't actually THINK, don't want to think, they only care about Kardashians or Taylor Swift.

    Seriously, WE (us people) should require people making accusations to start putting up or shutting up. Guilty until proven innocent sucks.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  2. Accusations vs. reality by geekmux · · Score: 2

    "Perhaps people should be more careful about the accusations they make."

    Uh, people should be more careful?

    Ironically, while we're busy being paranoid about this app, damn near every other app installed on your phone is sucking your privacy dry.

    Right or wrong, let's not pretend this accusation was birthed from sheer stupidity or an addiction to tin-foil hats. There's a damn good reason to be wary of app privacy today, as in there is no such thing.

  3. So, in short... by bobbied · · Score: 3, Insightful

    Although we request you approve "full access" we don't use it, and we promise we won't in the future...

    No thank you...

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    1. Re:So, in short... by _xeno_ · · Score: 2

      Pretty much.

      This is exactly the same as those old Windows apps that would only run as admin, even if they didn't really need admin privileges. Sure, they might not do anything particularly evil with admin privileges that they don't really need.

      But only half the issue with Windows programs requiring admin access was the potential for the program itself doing something evil. Half the problem was security flaws in said programs being used by malicious third parties.

      It gets worse with games like Pokemon Go where half the game is on the server. Sure, Niantic may not be doing anything with their complete access to your Google account today. But if they get hacked in the future or if they later decide they do want to make use of that full access... what then?

      The entire reason behind granular permissions is to reduce the damage that can happen when something goes wrong.

      And there's also the point where apparently Google never asks you if you want to hand over full control of your Google account to what's now a third party.

      --
      You are in a maze of twisty little relative jumps, all alike.
    2. Re:So, in short... by shaitand · · Score: 2

      I know it's a slashsin but reading the story reveals that "full account access" is full access to account profile information and nothing else. Since they are a division of google they are getting a new permission created for just the username and email address as it's all they need.

  4. Re:This story is garbage by bfpierce · · Score: 4, Insightful

    The problem being nobody actually understood what 'full access' through Google's API actually does, or bothered to go look it up.

    RTFM kids, you'll look a lot less stupid.

  5. Re:Uh, no. by NatasRevol · · Score: 2

    You can install it, then revoke its access from your account to what it doesn't need.

    App still works fine.

    --
    There are two types of people in the world: Those who crave closure
  6. Re:This story is garbage by bickerdyke · · Score: 4, Informative

    "Did not do" is *NOT* the same as "Could not do".

    Accusation was they had access.
    They did indeed have access.

    Proven wrong by even the summary:

    "full account access" does not mean a third party can read or send or send email, access your files or anything else

    Yes, slightly confusing. They had "full access" but "full access" does NOT grant you access to Email, Files or any other data.

    They say they didn't use that access, good on them. They say they are going to reduce the access requested, great.

    The fact remains they had access whether they used it or not.

    They had access to account data, but not access to data in any service connected to that account (like email) At least that's how I read this.

    --
    bickerdyke
  7. BS: these guys are reading your emails by DatbeDank · · Score: 2

    Pokemon Go is a psyops brought to you via the same data-mining shill that developed Ingress as well... Niantic, which was formed by John Hanke. Hanke was the original founder of Keyhole (which was acquired by Google, by the way...) a program that received a large chunk of its funding from In-Q-Tel, a government-controlled venture capital firm that, in turn, is supported largely by National Geospatial-Intelligence Agency (NGA), whose primary mission is “collecting, analyzing, and distributing geospatial intelligence.” Very easy to spot the true intent behind these 'games'.

  8. Re:This story is garbage by NatasRevol · · Score: 2

    Here's what the API can do. It's undocumented, so you can't look it up:

    https://gist.github.com/arirub...

    "In summary:

            The direct token that Niantic gets can't access the gmail api / gcal api
            However, the token could potentially be exchanged through the undocumented mechanism /MergeSession to create a web session logged in as you on any google property
            I haven't seen the app try to exchange this token for an ubertoken while poking at it
            The app communicates with Niantic with encrypted blobs and theoretically could send this token to them"

    --
    There are two types of people in the world: Those who crave closure
  9. Re:This story is garbage by Quantus347 · · Score: 4, Informative

    The App had more access than they needed or intended, and more than the Android equivalent. However, it did not have the capabilities that were originally reported. The original blog post that started this sh#t-storm stated that the app could do things like "Read all your email, Send email as you, Access all your Google drive documents (including deleting them)[...]" none of which was ever true. The blogger further admitted he'd never actually worked with the google permissions or tested this, and was just inferring (read: being a bit of an alarmist) based on a general description from the Google help page.

    So yes, the iOS version of the App can do more than it needs to, and that permissions discrepancy has been added to the long list of things that need to be fixed on this still very young and rather buggy game. But No, the App could never do much of what it was being accused of doing.

    --
    Common Sense isn't as Common as people think...
  10. Re:This story is garbage by NatasRevol · · Score: 3, Interesting

    It *potentially* could. And now has been documented as to how it could:

    https://gist.github.com/arirub...

    --
    There are two types of people in the world: Those who crave closure
  11. iOS? Google account? by Yvan256 · · Score: 2

    Maybe my iPhone is too old, but what does iOS have to do with a Google account?

    And is a Google account needed to play Pokémon Go?

    1. Re:iOS? Google account? by Quantus347 · · Score: 3, Informative

      When you first log in you can sign in with either your Google/Gmail account, or else create an app-specific "Pokemon Trainer Club" log-in. Presumably doing the latter would not grant any Google Account access.

      --
      Common Sense isn't as Common as people think...
  12. Re:Android version by Quantus347 · · Score: 2

    The bluetooth connection is required to use the Pokemon Go Plus notifier hardware/wristband that is currently sold out of all suppliers.

    https://www.amazon.com/Nintend...

    --
    Common Sense isn't as Common as people think...
  13. Re:This story is garbage by bws111 · · Score: 2

    No, it COULD NOT 'potentially' do that. Full Google account access IS NOT, and DOES NOT INCLUDE Gmail access. So it CAN NOT access your email, docs, etc, even potentially.

  14. Re:This story is garbage by bws111 · · Score: 2

    No, it COULD NOT have been written to do that. The permissions that it received DO NOT allow access to email, etc

  15. Editorializing? by MrLint · · Score: 2

    "Perhaps people should be more careful about the accusations they make."

    Perhaps what really needs to happen is better definition of what 'full access' means and that apps should be more 'careful' about which permissions they request.

    "Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information,"

  16. Ingress has had access for years by ItsPaPPy · · Score: 2

    Here is the proof
    http://i.imgur.com/TWOedY7.png