- A massive security risk has been discovered in Pokemon Go
- The game can view your emails and private photos.
- This seems to impact mainly iOS users.
While Pokemon Go might just be available in three countries for now, that hasn’t stopped fans the world over from obtaining the game for Android via sideloading or iOS by creating and using an iTunes account for Australia, New Zealand, or the US. It seems that those playing Pokemon Go have been subject to a glaring security violation. The game has full access to your Google account. Well, at least on iOS.
This was discovered by Adam Reeve, Principal Architect at RedOwl Analytics. He took to Tumblr to share his findings:
“Let me be clear – Pokemon Go and Niantic can now:
• Read all your email
• Send email as you
• Access all your Google drive documents (including deleting them)
• Look at your search history and your Maps navigation history
• Access any private photos you may store in Google Photos
• And a whole lot more”
And this isn’t all. According to Reeve, since the game uses email as an authentication mechanism, he believes there’s “a pretty good chance of gaining access to your accounts on other sites too.”
There is no need for this level of access either. Usually when a developer lets users sign in via Google, the app specifies which parts of the account it wants to access, and more often than not this is simply basic contact information.
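The mismatch the article describes is between the access a sign-in flow needs (an identifier and an email address) and the access an app actually asks for or is granted. Below is an added example, not code from the article or from Niantic, that audits both sides: it extracts the scopes from an OAuth 2.0 authorization request URL and from a Google tokeninfo-style response, and reports anything beyond the basic sign-in scopes. The URLs and the tokeninfo payload are constructed samples; the scope names used in them are real Google scope identifiers chosen only for illustration.

```python
"""Audit the scopes a "Sign in with Google" flow requests or holds (added example)."""
import json
from urllib.parse import urlparse, parse_qs

# The scopes a plain sign-in needs: identity and email only. Both the short
# OpenID Connect names and their long googleapis.com equivalents are accepted.
BASIC_SCOPES = {
    "openid",
    "email",
    "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

# Constructed sample authorization URLs (client_id and redirect_uri are placeholders).
SAMPLE_MINIMAL_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=EXAMPLE_CLIENT_ID&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb"
    "&response_type=code&scope=openid%20email%20profile"
)
SAMPLE_BROAD_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=EXAMPLE_CLIENT_ID&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb"
    "&response_type=code"
    "&scope=openid+email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive"
    "+https%3A%2F%2Fmail.google.com%2F"
)

# Constructed sample of the JSON Google's tokeninfo endpoint returns for an
# access token; the "scope" field is a space-separated list of granted scopes.
SAMPLE_TOKENINFO = json.dumps({
    "aud": "EXAMPLE_CLIENT_ID",
    "scope": "openid https://www.googleapis.com/auth/userinfo.email "
             "https://www.googleapis.com/auth/drive",
    "expires_in": 3599,
})


def requested_scopes(auth_url: str) -> set[str]:
    """Return the scopes named in an OAuth 2.0 authorization request URL."""
    query = parse_qs(urlparse(auth_url).query)
    # parse_qs already decodes %20 and '+' to spaces; scope is space-delimited.
    return set(" ".join(query.get("scope", [])).split())


def granted_scopes(tokeninfo_json: str) -> set[str]:
    """Return the scopes a token actually carries, from a tokeninfo response."""
    return set(json.loads(tokeninfo_json).get("scope", "").split())


def excess_scopes(scopes: set[str]) -> set[str]:
    """Scopes beyond what identifying the user requires."""
    return scopes - BASIC_SCOPES


def audit(label: str, scopes: set[str]) -> bool:
    """Print a one-line verdict; return True when the scope set is minimal."""
    extra = excess_scopes(scopes)
    if extra:
        print(f"{label}: over-broad, excess scopes: {sorted(extra)}")
        return False
    print(f"{label}: minimal (sign-in only)")
    return True


if __name__ == "__main__":
    audit("request (minimal)", requested_scopes(SAMPLE_MINIMAL_URL))
    audit("request (broad)", requested_scopes(SAMPLE_BROAD_URL))
    audit("granted token", granted_scopes(SAMPLE_TOKENINFO))
```

The request-side check is what a developer would run against their own sign-in configuration before shipping; the token-side check is what a user or reviewer can run on a live token, since the set a token actually carries is what matters once consent has been given, regardless of what the client meant to ask for.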
Reeve later tweeted that “it seems to affect some iOS users, not all. No idea what the criteria are yet.”
We’ve checked this with the Google account used on our iPhone 5S and yes, Pokemon Go did grant itself complete access to our account. This was not the case with our Android build of the game, although at the time of posting this, just one user has reported that it does impact the Android version as well. Reeve believes that on “Android it’s using client permissions to get data, whilst on iOS it’s using the Google account.”
Nonetheless, if you’re not keen on letting Niantic have complete access to your account, deleting the game isn’t enough. Here’s what you need to do to fix this:
- Log in to your Google account.
- Open the list of apps connected to your account (the app permissions page in your Google account settings).
- Revoke access to the game by clicking it.
Right now, Niantic and The Pokemon Company have maintained silence on this. Keep in mind that if you ever decide to risk playing Pokemon Go again, you’ll need to grant it access to a Google account. The game does have an option to let you sign in using a Pokemon.com account, but since the game’s launch the sign-up section of the site has been unavailable. Hopefully this is corrected in the days to come, given that Niantic and The Pokemon Company are planning a global launch for the game soon.
Update, July 12, 2016: Niantic has issued the following statement:
“We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected.
Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.”