Pokémon GO: Are you letting a thief in?
You might want to know this before you go and catch ’em all.
In a blog post, security analyst Adam Reeve reported that users, in a rush to join the Pokémon Go bandwagon, had inadvertently given the game's developer, Niantic, access to their Google accounts.
Checking permission settings, he noticed that “Pokémon Go has full access to your Google account.” Cautious, he checked the Google help page to see what “full access” meant and came across this: “When you grant full account access, the application can see and modify nearly all information in your Google Account” and “This ‘Full account access’ privilege should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet.”
As many would infer, Reeve suggested that Pokémon Go and Niantic could now:
- Read all your emails
- Send email as you
- Access all your Google Drive documents (including deleting them)
- Look at your search history and your Maps navigation history
- Access any private photos you may store in Google Photos
- And a whole lot more
Niantic have since come out with a statement:
“We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.”