Privacy scare over Pokémon Go app for iOS

Google and Niantic are working on fixes.

As if there weren’t enough headlines about malicious bogus Pokémon Go apps for Android, and thieves using the game to ambush and rob unsuspecting players, privacy concerns have now been raised about the iOS edition of the app.

Adam Reeve found that players of the iOS version of Pokémon Go who signed into the app via Google were unwittingly giving the Nintendo game - developed by Niantic - “full access to [their] Google account”.

Here’s what Reeve said:

Let me be clear - Pokemon Go and Niantic can now:

  • Read all your email
  • Send email as you
  • Access all your Google drive documents (including deleting them)
  • Look at your search history and your Maps navigation history
  • Access any private photos you may store in Google Photos
  • And a whole lot more

And they have no need to do this - when a developer sets up the “Sign in with Google” functionality they specify what level of access they want - best practices (and simple logic) dictate you ask for the minimum you actually need, which is usually just simple contact information.

Other players of Pokémon Go - including popular security tweeter @SwiftOnSecurity - said they had confirmed that the app had grabbed full access to their Google accounts.

I like to imagine this is a cockup rather than a conspiracy, and that the game’s developers do not have any malicious intent, but this really doesn’t sound good at all.

Hopefully a new fixed version of the Pokémon Go app for iOS will be released sooner rather than later.

In the meantime, players may wish to revoke the game’s access to their Google account.
Game developer Niantic has responded to the issues raised by Reeve:

“We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon Go only accesses basic Google profile information (specifically, your user ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go’s permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves.”

Slack security engineer Ari Rubinstein has confirmed that the iOS version of Pokémon Go only requests your OpenID and email address from Google.

In short, it sounds like the Pokémon Go app for iOS (in its current form at least) cannot access your email messages or Google Drive documents.
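A defender-side check prompted by the scope discussion above, added here as an example that is not code from the article, Niantic or Google: it parses the `scope` parameter of a Google OAuth 2.0 authorization URL and flags any scope beyond `openid` and `email`, the minimum needed for the user ID and email address Niantic says the app uses. The two URLs are constructed samples and the function names are my own.

```python
from urllib.parse import urlparse, parse_qs

# Minimal scopes a "Sign in with Google" flow needs for the data Niantic says it
# uses (user ID and email address): the OpenID Connect identity plus the email claim.
MINIMAL_SIGN_IN_SCOPES = {"openid", "email"}

# Real Google OAuth scope strings that grant access to user *content* rather than
# identity; anything in this table (or any other unexpected scope) is over-broad
# for a sign-in flow.
CONTENT_SCOPES = {
    "https://mail.google.com/": "full read/send/delete access to Gmail",
    "https://www.googleapis.com/auth/drive": "full access to Google Drive files",
}

# Constructed sample authorization URLs (client_id and redirect_uri are placeholders).
_BASE = ("https://accounts.google.com/o/oauth2/v2/auth?client_id=PLACEHOLDER_CLIENT_ID"
         "&response_type=code&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback")
MINIMAL_URL = _BASE + "&scope=openid+email"
OVERBROAD_URL = (_BASE + "&scope=openid+email+https%3A%2F%2Fmail.google.com%2F"
                 "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive")


def extract_scopes(auth_url: str) -> set[str]:
    """Return the set of space-separated scopes requested in an authorization URL."""
    query = parse_qs(urlparse(auth_url).query)   # parse_qs decodes '+' and %XX
    raw = query.get("scope", [""])[0]
    return set(raw.split())


def audit_scopes(auth_url: str) -> dict:
    """Report which requested scopes exceed what a sign-in flow actually needs."""
    scopes = extract_scopes(auth_url)
    excessive = scopes - MINIMAL_SIGN_IN_SCOPES
    findings = [f"{s}: {CONTENT_SCOPES.get(s, 'not needed for sign-in')}"
                for s in sorted(excessive)]
    return {"scopes": scopes, "excessive": excessive,
            "minimal": not excessive, "findings": findings}


if __name__ == "__main__":
    for name, url in (("minimal", MINIMAL_URL), ("over-broad", OVERBROAD_URL)):
        report = audit_scopes(url)
        print(f"{name}: minimal={report['minimal']}")
        for line in report["findings"]:
            print("  -", line)
```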

From the sound of things we can all stand down from “Brown alert” and concentrate on something more important - catching that elusive Eevee.


2 Responses

  1. Matt P

    July 12, 2016 at 2:23 pm

    Do not need to take any action? How do we know there are not any unscrupulous Niantic employees poised to access accounts when they think no one is watching!! At the very least Google Account Holders using this app should change their passwords and activate 2 step verification just in case. Am I not right Graham?

    • SJM in reply to Matt P.

      July 12, 2016 at 3:20 pm

      @Matt P They released a public damage control statement, of course they won’t talk about the obvious ways a rogue employee could have had access to the data!
