Update: Niantic have issued a statement to engadget.com saying:
We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user's Google account. However, Pokémon Go only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go's permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves.
For more information, please review Niantic's Privacy Policy here: https://www.nianticlabs.com/privacy/pokemongo/en
Original story:
Pokémon GO is the talk of the Internet right now and it seems almost everyone is jumping on the 'mon-catching hype-train, all having a blast at the same time.
While the game has been hugely popular with fans since its launch last week, it has already drawn a few criticisms relating to its mechanics and now it seems there might also be an issue with it's implementation of Google Account authentication, specifically on the iOS version.
Reports have appeared that if you sign in to the game using your Google Account the app is granted full access to your account. Essentially this means the authentication permissions granted can do almost anything with your Google Account, including reading your email, your cloud stored drive documents and of course your Google search history.
While we're confident this is just a bug, it will come as a concern to many. Typically when an app makes use of an external account such as Facebook, Twitter or LinkedIn the client sets a scope of access as to how much of the account it needs access to - for instance on Facebook you might just want to grant permission on basic info and not the ability to post on that users wall, this scope of permission will then be made clear to the user when they approve the access - no such screen appears to be present on Pokémon GO when logging in via a Google Account.
The reports also suggest that this isn't the same for everyone on iOS, but we can confirm the account that this writer setup earlier today did indeed grant full access. You can check this for yourself by visiting accounts.google.com using the account that was used to login.
The issue appears to be isolated to iOS and does not affect Android users.
Have you logged in to Pokémon GO with a Google Account on iOS, has it acquired full access too? Let us know in the comments below.
[source adamreeve.tumblr.com]
Comments 43
Are you serious? I just logged onto it! :/
Guess the people at Niantic now know what you watch when you are feeling particularly lonely.
Pretty sure this is just a mistake, but it's something they need to fix ASAP - if the account info gets into the wrong hands...
Doesn't say anything like that on my. But if they do something stupid with it, then I'll stop using that app. They are an thing ice as it is.
Good thing I don't use my Google Account for anything else. Although that is definitely something they need to fix
Lucky I used a new, basically empty account.
Well as long as i can long in, not like using PTC is an alternative.
Haha...just checked my account and it isn't showing up at all despite logging in several times with my Google account. This was on an Android device though.
@antdickens I would like to think it's a bug but Miitomo also asks for tons of permissions so I'm not sure if Nintendo cares about our privacy, even though they like to censor games.
Pokemon Go should only ask permission for the camera, GPS and in-game purchases, right?
Ha now that's funny.
@VanillaLake yeah, it only needs basic permissions for the Google Account. The access to the camera, gps etc are granted from your phone itself - not via the Google Account.
Well y'know if the Trainer ID login hadn't been busted for two days straight I wouldnt've had to switch to my Google account in the first place! It's far too late to turn back now...
Hm, but Google was the only option when I signed up! Did you guys have other options? I would have gladly created a game-specific account, but there was no such choice. =(
@antdickens Android has it's own issues. Since you guys have been pushing the "Apk" angle so hard the past few days perhaps you should cover this potential issue as well?
https://thestack.com/security/2016/07/11/infected-pokemon-go-apk-carries-dangerous-android-backdoor/
"...including reading your email, your cloud stored drive documents and of course your Google search history" Frantically deletes Pokemon GO
My bigger concern right now is why the server keeps overloading. Please get out of our servers until you guys get your own dedicate servers on your region
Hopefully this is why they delayed the UK launch. I doubt it though.
@antdickens OK, thank you.
Hooray for being on Android! Sure, that just means that Google has even more access to everything I do, but in this case, it works out!
Can't help but feel sad that the vast majority of articles recently are dedicated to a casual smartphone app.
The trainer log in I haven't used in years, I don't really remember it. It's far simpler to use Gmail. Anyway if it's an IOS only issue I'm fine. I also made sure my APK is safe so I'm good for going!
sighs T.T
Of course when I get it I use my Google account...
So what happens if I remove it
@Tsurii Cat videos!? By yourself at night!? Scandalous!!!
but i had the same google account on both my ipad and my samsung phone so.... uh oh
If you want linked accounts, making a second Google account is simple enough. I never link anything with my primary Google account. (Paranoid, I am. )
Yeah, this kind of thing is exactly why I've been saying in the past articles that I won't use Pokemon Go. It would be nice to get in on the fun, but divulging my personal history and/or Google account and/or social media history to hungry data vacuum suction collectors is not worth the price of free to me. THEY should be paying US to give them that information!
As for personally identifying footprints of Google search history, that can be circumvented with Fennec Fox web browser on Android combined with Ixquick or DuckDuckGo web search engines. If you're on iOS... You got an Apple device, of course you're going to be tracked and recorded.
Apparently, the App is already generating 1.6 million dollars in revenue a day.
@hieveryone You'll be fine, just use your handy dandy notebook if anyone tries to find out your real identity...
@rjejr Good find! Too bad malware is spreading to phones now, too.
Just as long as they don't leak my personal information, I don't really care. Hopefully this doesn't mean I can be hacked easily. That's my only concern.
@Kirk So around 48 million a month, 576 million a year... Looks like Pokémon on smart phones turned out to be a jackpot, even with only the most basic features available. Guess where Nintendo's portable future is going... So much for drawing people to Nintendo consoles with mobile.
Eh that is my YouTube email, not my main, so I'm straight. And they kinda forced us to use google anyways. The servers for official Pokemon are complete trash which doesn't make sense because it's the official one. I'm still a lil salty because I lost all those mons.
If they got their filthy paws on my search history.............
...................... ( ͡° ͜ʖ ͡°) NOICE!
Just doing some research. The user may likely to have the infected/hacked Pokémon GO app, for being impatient. It says "Pokemon Go Release" without an "é". Maybe this is what you get for "jailbraking" the App Store (or downloading the APK on Android). Not sure if that's possible.
For Android users: https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app
I maybe be wrong to what I said above, but Niantic had responded to this issue.
https://www.engadget.com/2016/07/11/pokemon-go-on-ios-is-digging-deep-into-linked-google-accounts/ (UPDATE)
Apple, Google and Microsoft all have the reputation of being manipulative and way too curious. If you have a smartphone, they already know everything they could want to know about you. If you were not worried about your privacy yesterday, there's no need to be worried now.
And stop picking your nose while I'm talking to you. Jesus!
Niantic: "Google accounts, gotta collect them all!"
Ouch. Won't be playing anymore until this is patched. Good thing I used my gamer email.
Just an FYI everyone, Niantic confirmed it was a mistake and no information was used/ looked at/ ect.
Let's not pretend that all these companies don't know fine well they're gathering as much data as humanly possible on us as often as possible; it's ultimately how most companies like this make money on us at the end of the day. The more information they have on us, the more it/we can be monetised in one way or another, even if it just means having a better understanding of how to target Ads at us or how to better influence and direct our purchasing habits, even via all these micro-transactions and stuff.
@Infinite8 Thanks for the info!
Congratulations Google, you now know my route to work, which I'm sure I've already put into Google Maps years ago.
Frankly, I think the idea of resisting putting any information out there is kind of silly, because it's virtually impossible. As long as nobody is hacking my info and using it to steal my money or ruin my credit...
Tap here to load 43 comments
Leave A Comment
Hold on there, you need to login to post a comment...