Pokémon GO has access to Google accounts: Are players at risk?

Developer Niantic said the app's request to access the email, Google Docs, and search history of iOS users was an error. But cybersecurity experts say it still left users susceptible to their information being stolen. 

Sam Mircovich/Reuters
Pokémon GO on a smartphone screen in Palm Springs, Calif. The game erroneously asked some users for full access to their Google accounts.

The maker of Pokémon GO promises it has no plans to catch all the information on your Google account. 

Niantic Labs, maker of the augmented reality game for smartphones, said in a statement Monday the game's request to access all of a player’s Google account in order for a player to sign up is an “error,” and it only needs an account name and an email address.

“Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access,” wrote Niantic, a spin-off of Alphabet, Google’s parent company, in a statement. “Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.” 

Though it appears the request was just an honest programming mistake, the request, says cybersecurity experts, brings to light the debate about how much mobile apps can access your personal information, and how that information can be manipulated or stolen.

“What something like this points to is how easy it is to make applications overly permissive,” Kevin Butler, an information security professor at the University of Florida who specializes in information security, tells The Christian Science Monitor in a phone interview Tuesday. “This is a problem with smartphones and other types of devices that are permission based.”

“It’s really important to understand what the consequences of permissions are, and find ways to ensure that app developers are not 'over-permissioning' their apps because of the security consequences involved,” he adds.

Pokémon GO, released just over a week ago, is a mobile game that encourages players to roam public spaces in search of imaginary monsters. The app uses a phone’s camera and clock to detect where a user is when making Pokémon “appear” on the phone screen in order for a player to catch them.

To sign up for the free game, a user must provide the username and password of their pokemon.com, Facebook, or Google account. For iOS users, however, the game also requested full access to their Google account, which would have included their email, documents on Google Drive, pictures on Google Photo, history of internet searches, and Google Maps.

Adam Reeve, a principal architect at the RedOwl Analytics cybersecurity firm, first sounded the alarm, after he discovered, firsthand, how much access Pokémon GO was requesting. He quickly revoked the access he agreed to, and deleted the game from his phone.

“I really wish I could play. It looks like great fun. But there’s no way it’s worth the risk,” wrote Mr. Reeves on his blog. “I obviously don’t think Niantic [is] planning some global personal information heist ... but I don’t know anything about Niantic’s security policies. I don’t know how well they will guard this awesome new power they’ve granted themselves, and frankly I don’t trust them at all."

Pokémon GO is certainly not the only application to collect data from your phone. In order to use them, countless apps require you grant them access to your contact list, to track your location, and to access other personal information. For Pokémon GO, location tracking is inherent to the game, just as it is to use Tinder, the dating app, or Foursquare.

With any of these apps, however, it’s unclear how the information will be used. Pokémon GO’s privacy policy, for the most part, prohibits it from selling a player’s personal information to third parties (unless, for instance, Niantic is bought out). But Niantic could be hacked, and its trove of user data stolen. More concerning to some is if malware or software bugs target a user’s phone. Malware, for example, could trick a user into thinking they are giving Pokémon GO permission to access their Google account when, in fact, they are actually giving it to a hacker. 

Given all of these unknowns, Clifford Neuman, director of the University of Southern California’s Center for Computer Systems Security, isn’t sure he’d play Pokémon GO at all. He isn’t into these games, he said. If he were, though, he would use a separate phone, and create a separate Google account, so it doesn’t access any more of his personal information.

“The problem with this, as well as the problem with all these other apps, is there isn’t a way, when you’re installing it, to say, ‘Well, it wants this permission. I’m going to deny it, but still install it,' ” says Dr. Neuman. “ That would be a much better way to do things from a security perspective. That’s where we really need to get to. Of course, app developers want unfettered access to just about everything.”

of stories this month > Get unlimited stories
You've read  of  free articles. Subscribe to continue.

Unlimited digital access $11/month.

Get unlimited Monitor journalism.