Pokémon GO has access to Google accounts: Are players at risk?

Developer Niantic said the app's request to access the email, Google Docs, and search history of iOS users was an error. But cybersecurity experts say it still left users susceptible to their information being stolen. 

Photo caption: Pokémon GO on a smartphone screen in Palm Springs, Calif. The game erroneously asked some users for full access to their Google accounts. (Sam Mircovich/Reuters)

The maker of Pokémon GO promises it has no plans to catch all the information on your Google account. 

Niantic Labs, maker of the augmented reality game for smartphones, said in a statement Monday that the game's request for full access to a player’s Google account at sign-up is an “error,” and that it only needs an account name and an email address.

“Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access,” wrote Niantic, a spin-off of Alphabet, Google’s parent company, in a statement. “Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.” 

Though the request appears to have been an honest programming mistake, cybersecurity experts say it brings to light the debate about how much mobile apps can access your personal information, and how that information can be manipulated or stolen.

“What something like this points to is how easy it is to make applications overly permissive,” Kevin Butler, a professor at the University of Florida who specializes in information security, tells The Christian Science Monitor in a phone interview Tuesday. “This is a problem with smartphones and other types of devices that are permission based.”

“It’s really important to understand what the consequences of permissions are, and find ways to ensure that app developers are not 'over-permissioning' their apps because of the security consequences involved,” he adds.

Pokémon GO, released just over a week ago, is a mobile game that encourages players to roam public spaces in search of imaginary monsters. The app uses a phone’s camera and clock to detect where a user is when making Pokémon “appear” on the phone screen in order for a player to catch them.

To sign up for the free game, a user must provide the username and password of their pokemon.com, Facebook, or Google account. For iOS users, however, the game also requested full access to their Google account, which would have included their email, documents on Google Drive, pictures on Google Photos, history of internet searches, and Google Maps.
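The client-side fix Niantic describes, narrowing the sign-in request to basic profile data, and the over-permissioning Professor Butler warns about can both be checked mechanically before an app ships. The Python below is an added example written for this page, not Niantic's or Google's code: it extracts the scopes from an OAuth 2.0 authorization request URL, reports any that go beyond a least-privilege allowlist of basic profile scopes, and rewrites the request so only the allowed scopes remain. The allowlist, the sample request URL, and its client_id and redirect_uri values are constructed assumptions; the page does not name the scopes Pokémon GO actually requested.

```python
from __future__ import annotations

from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Assumption: a sign-in-only integration needs no more than the three standard
# OpenID Connect scopes. Google's older userinfo.* aliases are included so a
# client using those names is not flagged as over-permissioned.
BASIC_PROFILE_SCOPES = frozenset({
    "openid",
    "email",
    "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
})


def requested_scopes(auth_url: str) -> set:
    """Return the set of OAuth scopes carried by an authorization request URL.

    OAuth 2.0 sends scopes as one space-separated `scope` query parameter
    (RFC 6749, section 3.3). Clients often encode the spaces as '+', which
    parse_qs already decodes for us.
    """
    query = parse_qs(urlparse(auth_url).query)
    scopes = set()
    for value in query.get("scope", []):
        scopes.update(s for s in value.split() if s)
    return scopes


def excess_scopes(auth_url: str, allowed=BASIC_PROFILE_SCOPES) -> list:
    """Scopes the client asks for beyond what the allowlist permits, sorted."""
    return sorted(requested_scopes(auth_url) - set(allowed))


def minimise_scopes(auth_url: str, allowed=BASIC_PROFILE_SCOPES) -> str:
    """Rewrite the authorization URL so it requests only allowed scopes.

    This is the shape of a client-side scope reduction: the request is cut
    down to the data the app actually uses, while every other parameter
    (client_id, redirect_uri, state, ...) is preserved unchanged.
    """
    parts = urlparse(auth_url)
    query = parse_qs(parts.query, keep_blank_values=True)
    kept = [s for s in sorted(requested_scopes(auth_url)) if s in allowed]
    query["scope"] = [" ".join(kept)]
    flat = [(key, value) for key, values in query.items() for value in values]
    return urlunparse(parts._replace(query=urlencode(flat)))


# Constructed sample request (not a real Pokémon GO URL): a sign-in flow that
# asks for full Gmail and Drive access on top of the profile scopes it needs.
OVERLY_PERMISSIVE_REQUEST = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=EXAMPLE_CLIENT_ID"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback"
    "&response_type=code"
    "&state=xyz"
    "&scope=openid+email+profile"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive"
    "+https%3A%2F%2Fmail.google.com%2F"
)

if __name__ == "__main__":
    extra = excess_scopes(OVERLY_PERMISSIVE_REQUEST)
    print("over-permissioned scopes:", extra)
    fixed = minimise_scopes(OVERLY_PERMISSIVE_REQUEST)
    print("narrowed request:", fixed)
    print("remaining excess:", excess_scopes(fixed))
```

Run as a script, the check lists the Drive and Gmail scopes as excess and the narrowed URL keeps only openid, email and profile. The same `excess_scopes` check fits naturally in a CI step or a release checklist so that a broad scope cannot reach users in the first place.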

Adam Reeve, a principal architect at the RedOwl Analytics cybersecurity firm, first sounded the alarm, after he discovered, firsthand, how much access Pokémon GO was requesting. He quickly revoked the access he agreed to, and deleted the game from his phone.

“I really wish I could play. It looks like great fun. But there’s no way it’s worth the risk,” wrote Mr. Reeve on his blog. “I obviously don’t think Niantic [is] planning some global personal information heist ... but I don’t know anything about Niantic’s security policies. I don’t know how well they will guard this awesome new power they’ve granted themselves, and frankly I don’t trust them at all."

Pokémon GO is certainly not the only application to collect data from your phone. In order to use them, countless apps require you to grant them access to your contact list, to track your location, and to access other personal information. For Pokémon GO, location tracking is inherent to the game, just as it is for Tinder, the dating app, or Foursquare.

With any of these apps, however, it’s unclear how the information will be used. Pokémon GO’s privacy policy, for the most part, prohibits it from selling a player’s personal information to third parties (unless, for instance, Niantic is bought out). But Niantic could be hacked, and its trove of user data stolen. More concerning to some is the prospect of malware or software bugs targeting a user’s phone. Malware, for example, could trick a user into thinking they are giving Pokémon GO permission to access their Google account when, in fact, they are actually giving it to a hacker.

Given all of these unknowns, Clifford Neuman, director of the University of Southern California’s Center for Computer Systems Security, isn’t sure he’d play Pokémon GO at all. He isn’t into these games, he said. If he were, though, he would use a separate phone and create a separate Google account, so the game can’t reach any more of his personal information.

“The problem with this, as well as the problem with all these other apps, is there isn’t a way, when you’re installing it, to say, ‘Well, it wants this permission. I’m going to deny it, but still install it,’ ” says Dr. Neuman. “That would be a much better way to do things from a security perspective. That’s where we really need to get to. Of course, app developers want unfettered access to just about everything.”

https://www.csmonitor.com/Technology/2016/0712/Pokemon-GO-has-access-to-Google-accounts-Are-players-at-risk