Pokémon GO Gets Full Access To Your Google Account On iOS

Watch out: If you're using your Google Account to sign into Pokémon GO on iOS, you may have allowed the developers at Niantic to have access to your email, documents and anything else attached to that account. Unlike other applications that link to Google, which typically ask for your basic account info, Pokémon GO gets full access to your entire account (h/t all the Kotaku readers who tipped us about this).

The app gives no warning and does not request this access — it just takes, like a Pokémon trainer in the wild.

There's no indication that Niantic has done anything with this data, and it could very well be an oversight, but it's nonetheless scary for anyone concerned with privacy. You can check what permissions your Google account is granting on Google's account security page.

Pokémon GO players can also sign up for accounts through the Pokémon website. Be warned, however: If you try to switch from a Google account to a Pokemon.com account, you will lose your progress.

When reached by Kotaku, a representative for Niantic declined to comment.


    That's fine by me, I don't even use my google email account for anything anyway, it was required for something in the past and that's why I created it, never added anything to it.

      Same, created Google account solely for Pokemon Go.

      I would've used my spam Outlook email if they allowed it.

    Calling it now. This will turn out to be nothing and they'll be doing nothing with your stuff.

    I denied access to my contacts list. If they want to have a gander at my e-bills they can go for it. It's the only thing my google account exists for.

    And now our charizard overlords will know everything about us. They'll be one step closer to new world order.

    Unless you've just made a google account for the app

    Yeah... I'm not so invested in it that I'm OK with Pokemon being a gateway to read/write/send access to my emails.

    I do kinda hope there's a way to restore progress with a more sensibly limited level of google access, but I won't be too broken up if there's not. For now until Niantic gets their shit together, that's a definite revoke. Pity the damage could've already well and truly been done and we wouldn't even necessarily know about it for years.

    You know how companies love to avoid telling you about breaches until they've had a chance to conduct 'thorough internal investigations' (for fucking years).

      I was found to give the game a go. Installed it, saw that it wanted my gmail account, couldn't be bothered creating a fake one and I immediately uninstalled it.

      The Pokemon.com account setup has been down too. Looks like I'll have to find other means to stay fit.

    Also, this:
    "When reached by Kotaku, a representative for Niantic declined to comment."
    This is unacceptable. That doesn't tell us shit.

    'No comment' can mean anything from, "We were hoping you wouldn't notice, and kinda wish you would all give it a rest, it's not that big a deal," to, "We take this concern seriously and are investigating our options," to, "Holy shit we were not prepared for this."

      Agreed - I'm not particularly worried about it, myself, but you can't deny it's a significant security risk. Either it was unintentional, in which case you say "whoops, we screwed up, we're fixing it now", or it was intentional, and you say "we need it for this, this and this, if that's too much for you we're sorry". You can't just shrug your shoulders.

        Historically, 'no comment' is a comment in itself, which has typically meant: "I don't want to talk about this and fuck you for asking."

    Security researcher Adam Reeve has a detailed post on the issue here: http://adamreeve.tumblr.com/post/147120922009/pokemon-go-is-a-huge-security-risk

    To me, this seems like there are two bugs or issues happening here. The first is the app asking for too much access for some reason (given this apparently isn't affecting all iOS users, I'm going to go with a bug), but the second is that Google is *silently* giving it permission.

    It should not be possible for an app to gain access to a Google account without Google telling the user what the app is being granted, which suggests to me there's a bug in Google's system that's allowing this to happen.

    Both of these things need to be fixed. Also, it's not possible to limit the app's access from Google's account security page. You either revoke it entirely or not at all, which seems kind of silly to me, but I'm not a Google software engineer.

      Update: It looks like the blog post linked above has incorrect information. Transientmind has a clarification post below.

    I don't understand the 'IF' part of logging into Pokemon GO. Google is the only authentication method.

      In some places (US only?) there's the ability to log in with a Pokémon account membership.

        Came to Australia with the update two nights ago along with reduced google account access.

    UPDATE: https://www.engadget.com/2016/07/11/pokemon-go-on-ios-is-digging-deep-into-linked-google-accounts/

    Google and Niantic confirmed to Engadget that the PokemonGO app itself only has the capacity to query the minimal information required from Google, and that the permissions access will soon be restricted by Google at Google's end.

    Additionally, when Niantic is able, they will push out a client-side patch to ensure that the app only requests the level of access to Google required for the app to function.

    Haha, this is why I won't let google force me to merge my google account with my Gmail.

