On Friday, former Tumblr staffer Adam Reeve posted on his Tumblr some alarming information about the permissions that Pokémon GO gains access to if you log in with your Google account. Adam, who is now Principal Architect at the cybersecurity firm RedOwl, wrote:
To play the game you need an account. Weirdly, Niantic won’t let you just create one – you need to sign in with an existing account from one of two services – the pokemon.com website or Google. Now the Pokemon site is for some reason not accepting new signups right now, so if you’re not already registered there you’ll need to use a Google account – and that’s where the fun begins.
I started the game, hit the Google button, and was redirected to log in. Normally you’d see a little message saying what data the app is going to be able to access – something like “This app will be able to view your email address and name”. For some reason that’s not shown in this case, but I went ahead and logged in anyway. Then on a whim I went to see which permissions it was granted (you can see for your own account right here). To say I was a little stunned is putting it lightly – it said:
Pokemon Go has full access to your Google account.
The issue only seems to be happening with iOS, and it’s inconsistent. Not everyone is having a problem, but this still signifies a pretty big security risk. Especially since it’s next to impossible to create an account on Pokemon.com right now.
The post has blown up, with word spreading across Tumblr, Twitter, and Facebook. Adam spent most of his day today being interviewed about the find by major news outlets who’ll be continuing to spread the word and, hopefully, pushing Niantic to fix this oversight ASAP. Adam is also my husband, so I asked him for more details. It’s very weird to interview your own spouse.
GeekMom: So, can you tell me how you found this security problem with Pokémon GO?
Adam: Usually when you use Google to sign in to an app you go through 3 screens. You enter your email, then your password, and finally you get a screen listing the permissions the app wants and asking you to confirm. Typically for a game this would be to get your real name and email address. In the case of Pokémon GO it skipped that final screen and went straight into the game. This made me curious as to whether it had actually worked, so I went to a page at Google which lists the permissions each app has, and there I saw it listed with “full access” to my account.
GM: What does “full access” mean?
A: It’s not really posted clearly on Google’s help page, but I quoted what it says on that page in my post. Which is basically that the app has full access to read and modify all of the information associated with your account.
GM: Who is this affecting right now?
A: So far this seems to affect some portion – at least 50% as far as I can tell – of iOS users who use Google to sign in to the game. Android users seem to be unaffected. No one seems to know, or be telling, why not every iOS user is affected.
GM: Have the companies involved with the game said anything yet about fixing the problem?
A: So far there’s been nothing other than “no comment” from the companies involved – Google, Niantic, Nintendo.
UPDATE 7/11/16, 10:50pm ET: Niantic Labs and The Pokemon Company responded to Engadget’s article. They’ve confirmed that Pokémon GO only accesses basic profile information, but that the “account creation process on iOS erroneously requests full access permission for the user’s Google account.” Google is working to reduce the game’s permissions.
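The sign-in flow Adam describes is standard OAuth 2.0: the app builds an authorization URL whose `scope` parameter is exactly what the skipped consent screen would have listed, and what Google’s permissions page later shows as granted. The following Python is an added example (not code from the article, Niantic or Google) of the check a defender or app reviewer can run on either side of that flow: parse the scopes out of an authorization URL, or out of a tokeninfo-style response (a dict with a space-separated `scope` string, the shape Google’s tokeninfo endpoint returns), and flag anything beyond the basic profile scopes a game needs. The allowlist of “basic” scopes and the two sample URLs are assumptions constructed for the example; they are not the scopes Pokémon GO actually requested.

```python
from urllib.parse import urlparse, parse_qs

# Scopes a "sign in with Google" game plausibly needs: an identity and an e-mail
# address. This allowlist is an assumption for the example, not a Google policy.
BASIC_PROFILE_SCOPES = frozenset({
    "openid",
    "email",
    "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
})

# Constructed sample authorization requests (client_id and redirect_uri are placeholders).
MINIMAL_REQUEST = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=example-client"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb&response_type=code"
    "&scope=openid%20email%20profile"
)
BROAD_REQUEST = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=example-client"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb&response_type=code"
    "&scope=openid%20email%20https%3A%2F%2Fmail.google.com%2F"
    "%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive"
)


def extract_scopes(auth_url: str) -> list:
    """Return the space-separated scopes requested in an OAuth 2.0 authorization URL."""
    query = parse_qs(urlparse(auth_url).query)
    raw = query.get("scope", [""])[0]  # parse_qs already percent-decodes the value
    return [s for s in raw.split() if s]


def audit_scopes(scopes) -> dict:
    """Split requested or granted scopes into the basic-profile set and the excess.

    'least_privilege' is True only when nothing beyond the allowlist was asked for.
    """
    basic = sorted(s for s in scopes if s in BASIC_PROFILE_SCOPES)
    excess = sorted(s for s in scopes if s not in BASIC_PROFILE_SCOPES)
    return {"basic": basic, "excess": excess, "least_privilege": not excess}


def audit_auth_url(auth_url: str) -> dict:
    """Audit what an app is about to ask for, before the user consents."""
    return audit_scopes(extract_scopes(auth_url))


def audit_granted(tokeninfo: dict) -> dict:
    """Audit what a token actually carries, from a tokeninfo-style response."""
    return audit_scopes(tokeninfo.get("scope", "").split())


if __name__ == "__main__":
    for label, url in (("minimal", MINIMAL_REQUEST), ("broad", BROAD_REQUEST)):
        report = audit_auth_url(url)
        verdict = "OK" if report["least_privilege"] else "EXCESS SCOPES"
        print(f"{label}: {verdict} {report['excess']}")
```

Running the audit on the broad request reports the Gmail and Drive scopes as excess; the same function applied to a tokeninfo response lets you confirm after the fact whether a token you already issued is wider than the consent screen would have shown.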