Pokémon GO has access to Google accounts: Are players at risk?
The maker of Pokémon GO promises it has no plans to catch all the information on your Google account.
Niantic Labs, maker of the augmented reality game for smartphones, said in a statement Monday the game's request to access all of a player’s Google account in order for a player to sign up is an “error,” and it only needs an account name and an email address.
“Once we became aware of , we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access,” wrote Niantic, a spin-off of Alphabet, Google’s parent company, in a statement. “Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.”
Though it appears the request was just an honest programming mistake, the request, say cybersecurity experts, brings to light the debate about how much mobile apps can access your personal information, and how that information can be manipulated or stolen.
“What something like this points to is how easy it is to make applications overly permissive,” Kevin Butler, an information security professor at the University of Florida who specializes in information security, tells 海角大神 in a phone interview Tuesday. “This is a problem with smartphones and other types of devices that are permission based.”
“It’s really important to understand what the consequences of permissions are, and find ways to ensure that app developers are not 'over-permissioning' their apps because of the security consequences involved,” he adds.
Pokémon GO, released just over a week ago, is a mobile game that encourages players to roam public spaces in search of imaginary monsters. The app uses a phone’s camera and clock to detect where a user is when making Pokémon “appear” on the phone screen in order for a player to catch them.
To sign up for the free game, a user must provide the username and password of their pokemon.com, Facebook, or Google account. For iOS users, however, the game also requested full access to their Google account, which would have included their email, documents on Google Drive, pictures on Google Photo, history of internet searches, and Google Maps.
Adam Reeve, a principal architect at the RedOwl Analytics cybersecurity firm, first sounded the alarm, after he discovered, firsthand, how much access Pokémon GO was requesting. He quickly revoked the access he agreed to, and deleted the game from his phone.
“I really wish I could play. It looks like great fun. But there’s no way ,” wrote Mr. Reeve on his blog. “I obviously don’t think Niantic [is] planning some global personal information heist ... but I don’t know anything about Niantic’s security policies. I don’t know how well they will guard this awesome new power they’ve granted themselves, and frankly I don’t trust them at all.”
Pokémon GO is certainly not the only application to collect data from your phone. In order to be used, countless apps require you to grant them access to your contact list, permission to track your location, and access to other personal information. For Pokémon GO, location tracking is inherent to the game, just as it is to using Tinder, the dating app, or Foursquare.
With any of these apps, however, it’s unclear how the information will be used. Pokémon GO’s , for the most part, prohibits it from selling a player’s personal information to third parties (unless, for instance, Niantic is bought out). But Niantic could be hacked, and its trove of user data stolen. More concerning to some is if malware or software bugs target a user’s phone. Malware, for example, could trick a user into thinking they are giving Pokémon GO permission to access their Google account when, in fact, they are actually giving it to a hacker.
Given all of these unknowns, Clifford Neuman, director of the University of Southern California’s Center for Computer Systems Security, isn’t sure he’d play Pokémon GO at all. He isn’t into these games, he said. If he were, though, he would use a separate phone, and create a separate Google account, so it doesn’t access any more of his personal information.
“The problem with this, as well as the problem with all these other apps, is there isn’t a way, when you’re installing it, to say, ‘Well, it wants this permission. I’m going to deny it, but still install it,’ ” says Dr. Neuman. “That would be a much better way to do things from a security perspective. That’s where we really need to get to. Of course, app developers want unfettered access to just about everything.”