
PSA: Pokemon Go Has Full Access To Your Google Account Data (techcrunch.com) 104

An anonymous reader writes: If you're an iPhone user and have installed Pokemon GO, you may have noticed that the app grants itself full access to your Google account. It can read your email, location history, documents and pretty much everything else associated with your Google account. (You can check to see for yourself here.) Given the nature of the game, it's understandable for it to request a lot of permissions, as it needs your precise location, ability to access the camera and motion sensors, read and write the SD card, and charge you money when you run out of Pokeballs or eggs. But full access to your Google account is pushing it, even if Niantic or Nintendo has no malicious intentions. If you're concerned about these permissions, you can always sign up using a Pokemon Trainer account, assuming the servers are permitting. Google describes full account access as such: "When you grant full account access, the application can see and modify nearly all information in your Google Account (but it can't change your password, delete your account, or pay with Google Wallet on your behalf). This 'Full account access' privilege should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet."
  • People don't care (Score:5, Insightful)

    by DogDude ( 805747 ) on Monday July 11, 2016 @06:31PM (#52492987)
    People simply don't care. In all honesty, most people's lives aren't interesting or important enough to be worth anything to anybody, anyway. Harvest their data, try to sell them (more) crap they don't need, and that's about it.
    • by Calydor ( 739835 )

      Yeah, I'm sure having access to a long list of reply notifications from Slashdot, not even containing the reply itself (really, can we get that sometime?) is going to be really, really valuable to a spammer.

      • Do you use your Gmail address with any services other than Slashdot? At a minimum, just having your /. account tied to your Gmail account means that they could reset your /. password and take over your account. If you have any other third-party accounts tied to that Gmail address, they can be compromised too.

        In the modern world, there are few things that need to be more tightly protected than your email account (which is sad, considering the pathetic state of email security). It's the key to getting into far too many other things.

        Additionally, something like this could be used to spam all your contacts with messages (possibly containing malware, or at least malicious links) that appear to come from you. I figure it's been long enough since ILOVEYOU for people to have forgotten some of the more salient lessons there; I'm seeing an uptick in advertisements for scam sites being spread that way on social media.

    • by jbn-o ( 555068 ) <mail@digitalcitizen.info> on Monday July 11, 2016 @08:12PM (#52493519) Homepage

      What's your backing for that assertion?

      I ask this because I notice you've cited nothing backing up your claim, and it's quite a claim. And because people on /. make comparably grand assertions of people not caring about the Snowden revelations despite evidence to the contrary, and it's a good idea to back up one's statements from something substantial.

      Glenn Greenwald, Edward Snowden, and Noam Chomsky addressed this at a recent talk on privacy [youtube.com] and spent some time debunking the notion that the public doesn't care about privacy or that Snowden's revelations weren't a big deal.

      The host says around 32m44s that after Snowden's revelations were published by international news "Pew Internet Life Research shows that people were modifying their behavior -- they were self-censoring, they were curtailing their own speech.". Around 38m the host questions the point directly asking "Do people in general care?" to which we get variations on the theme of "Yes" ranging from Snowden's point that whether people care "isn't really that material even if it is the case [because] rights don't exist for the majority; rights exist to protect the minority against the majority.". He then explains that he thinks increasingly people do care because they only recently learned of the threat to their privacy and then he explains that threat in plain language.

      Greenwald, by this time in the discussion, had already debunked the notion that people who say they have no secrets and therefore don't care: He offered them his email address and told them to send him the credentials of every personal (as opposed to work) account they have including the sensitive ones (I interpreted this to mean an account on, say, a cheat-on-one's-spouse site). To date, he said, nobody's taken him up on his offer. Here he points out that contrary to the naysayers who dismissed the Snowden revelations as a flash-in-the-pan that would go away in a few days, these documents have been headline stories "not just in the United States but in dozens of countries in multiple continents around the world precisely because people were so angry and offended at the intrusion into their privacy including people who might have said in the past 'I don't really care'." (43m43s). He cites a "massive increase in the number of people around the world who are now using encryption to protect the privacy of their communications, to the number of people who put pressure on the US Government in both parties to enact legislation limiting these programs [the NSA spying programs] but maybe the best evidence of all of how much people care about privacy is the behavioral change in Silicon Valley companies. The biggest ones -- Yahoo, Facebook, Apple, and Google, and Microsoft -- when I first read the archive that Ed gave me, one of the things that struck me the most is what full-scale collaborators these companies were in the surveillance state that the NSA had created. They were not only complying [and a Snowden leaked document from the NSA showing "Dates When PRISM Collection Began For Each Provider [washingtonpost.com]"] [...] to the extent the law required but even went beyond that." including building backdoors into their non-free, user-subjugating, proprietary software. 

      Greenwald concludes, "And the reason they were such full-scale collaborators is because nobody knew they were doing it completely in the dark, nobody knew they were doing it, and there was no cost." (45m18s). Once this became known these companies changed their behavior due to fear of being seen as the collaborators they have been for so long. They know the pressures of their customer base and that they are seen standing up to the FBI, being "seen as aides and abettors of ISIS", etc. People won't use these companies' products and services if they know their privacy won't be upheld.

      Noam Chomsky reflected on this from a historical p

  • Not to worry (Score:5, Informative)

    by JustAnotherOldGuy ( 4145623 ) on Monday July 11, 2016 @06:42PM (#52493031) Journal

    "If you're an iPhone user and have installed Pokemon GO, you may have noticed that the app grants itself full access to your Google account. It can read your email, location history, documents and pretty much everything else associated with your Google account."

    Oh, I'm sure that Google would never do anything bad while they're pawing through all your shit in an attempt to monetize everything you do.

    I mean, so they have your email, phone calls, location history, documents, camera, pictures, videos, contact list, etc etc, but c'mon- it's Google, and Google has never done anything shady, amirite?

    Oh, and how does an app grant itself all of these permissions? Aren't we supposed to have to do that? What's the point of having "permissions" if an app can just assign them to itself at will?

    • Well, the app has to request that you sign in to grant it access, and you have to do that. It can't *just* assign the permissions to itself; you do have to do something too.

      With that said, I certainly *thought* that Google would tell you just what permissions it is granting to what entity (app, in this case) and require you to approve that grant before actually giving access. Apparently that's not always how it happens, though (at least, not for ex-Alphabet companies, or something).

    • by Nemyst ( 1383049 )
      Do you even know how this sort of thing works? The app requests for those permissions when you install it, as with anything else, and granting it full access is going to be explicitly mentioned. They can't magically get into your Google account from iOS. More to the point, this is Nintendo and Niantic, neither of which are affiliated with Google (Niantic has been independent for almost a year). All this has to do with Google is that the app is requesting full access.
      • Is that how it works? "App has permissions it was explicitly granted" isn't a great headline.

        I was sort of hoping someone on /. would explain this. I've read three different puff pieces, and I still have no idea how these permissions were granted. Have people been tapping "Grant all rights to my Google Account", and being surprised by the result?

        • I'd guess the surprise is more of a "why does this app need access to everything on my phone?" nature. At least on Android, you get a list of permissions the app asks for, and you have to approve that before you install it. If it updates and requests new permissions, you have to explicitly approve those as well. I'd imagine iOS works the same way, but I don't have an iPhone, so can't say for sure.

          So, yeah, it's up to the user to decide if they want to approve the app with those permissions or not. I saw

      • Re:Not to worry (Score:5, Insightful)

        by JustAnotherOldGuy ( 4145623 ) on Monday July 11, 2016 @10:58PM (#52494337) Journal

        Do you even know how this sort of thing works?

        Well hurr durr no, these new-fangled computin' machines are a consarn mystery to us techo-n00bs.

        The article says, "you may have noticed that the app grants itself full access to your Google account"...

        If it asks for those permissions, then it isn't granting itself a goddamn thing, now is it?

        So, either the article is wrong or the app grants itself full access.

        Out of curiosity, what part of "grants itself full access" sounds like "the app requests for those permissions when you install it"?

  • On iOS, you at least have granular permission control over an app's access to the things under iOS's jurisdiction, such as network, location, contacts, and whatnot. But the Google bits seem to be all or nothing, unfortunately.

    It seems to be a bit weird, since Niantic is supposedly not part of the Google-verse anymore. But old habits die hard, I guess... or else they're still doing favors for their former overlords. Stockholm Syndrome, maybe?

    • But the Google bits seem to be all or nothing, unfortunately.

      Android 6 allows the user to deny or grant permissions on a more fine-grained level.

      • This isn't about app capabilities on your phone. This is about third-party API access to your Google account. It's all online, viewed and managed through a browser and used (or abused) via web services. It has nothing to do with your phone (except that apparently the iOS and Android versions of the app request different permissions to your Google account, and apparently the iOS version is unreasonably greedy).

  • Just looked at Pokemon Go on the App Store; I see it offers in-app purchases from $0.99 to $99.99.

    When I first heard about it I just assumed it was $25 or something and you just had the app to play with, considering it's Nintendo and that's how console games usually work.

    Is it like the other micropayment games where it is technically possible to win without paying but would take several years because of the way the game is weighted?

    • by Sowelu ( 713889 )

      If you live in an area with a lot of pokestops (read: 'densely populated area'), free items flow like water, and if you're at all careful to keep some pokeballs around, you won't get caught needing more. If you live in an area without many of them, then you might run into pokemon a lot more often than you run into places to naturally recharge your items, and running into that rare critter you want might make you desperate enough to spend money for more pokeballs on the spot.

      Much like Ingress though, it's h

  • one does not have a Google account? Does it sign you up for one or does it go apoplectic when it can't find your information?

    • What do you mean, when "it" can't find your information? If you don't have a Google account, you can't sign into the app using a Google account. Since the only other way to sign into the app is using a service that no longer allows new account creation, you won't be able to use the app at all until you create a Google account.

      • you won't be able to use the app at all until you create a Google account.

        Right, so what's the problem? Make an account just for Pokemon and other spammers. People are getting excited for nothing.

        • I have a "phone account" for google. It's tied to nothing but my phone. When google needs an account for most services, that's what it gets. I also have several gmail accounts. I have one tied to the mail app on the phone, so I can access my personal email on my phone, without directly tying that account to the rest of google's services.

          The problem comes when google decides that since there are two google accounts available to two different apps on the phone that it can pick whichever one it wants

          • Well, in my case, I do seem to be able to decide for myself which account my mail goes out. If the app doesn't send from the address that was registered on installation, maybe that's where the lawyers come in. But something tells me that you give permission when installing the app. If enough people deny it, the developers might react. I still see the problem as self inflicted.

    • by Anonymous Coward

      You can also login using your Trainer ID (Nintendo account). If you don't have either of those then on iOS I presume it tells you to go create one. On Android...how would you even be using the phone?

    • You sign up for a free non-Google account at pokemon.com (it was intermittent for 4 days because of volume, but it's live now) and you can login to that account instead. It works on iOS and, I think, Android. And it has no access to your Google account.

  • So what you are saying is that it is nothing more than a device to gain access to your private data at google. And because all of that data is now records owned by a third party, they are free to legally sell it to the government.
    • Hmm... diabolical, if true. I suspect it'd get them sued *hard* if it came out that they were doing this, though. Requesting more access than you need is a security risk and a reason to distrust the app. Abusing that unreasonable level of access is an existential risk for a company, and a financial (and possibly even criminal; you could arguably make something stick via CFAA) risk to the people responsible for that decision.

  • Yodlee.com wanted user name and password of all your financial and bank accounts.
  • by carlhaagen ( 1021273 ) on Monday July 11, 2016 @07:30PM (#52493273)
    Niantic's first game, Ingress, is quite similar. Run around in the real world, GPS on, game constantly updating Google/Niantic's servers about where you are. Niantic is a Google enterprise, btw., and here's the kicker: once you're hooked on the game and you are about to level up to level 3 (maybe 15 hours of playing or so), you are required to "verify" your account to be able to continue playing, by giving Google your phone number to get a "confirmation SMS", effectively linking your real person to all past and future movement data of where you have been, at what times, during what days. How's that for creepy and treacherous? If this isn't the equivalent of having a GPS tracker on your person, I don't know what is. Boycott that shit. Surely Pokemon Go is the exact same stuff? Just one step further, with your phone letting "them" see what you see, in addition to engaging a shitload of more people to keep track on.
    • by Sowelu ( 713889 )

      It sucks, because there are both ethical and seriously unethical uses for that kind of data collection. I don't necessarily want it in anyone's hands, but a "white hat" statistician could use it to really help urban planning / civil engineering / etc without hurting anyone in the process. Kind of like medical data that way.

      You have to be seriously naive to think that people collecting this info are on your side, but I know I'd be annoyed if I worked with the data for good purposes and had no way to avoid

    • by Nemyst ( 1383049 )
      Niantic hasn't been part of Google/Alphabet for almost a year.
  • by Anonymous Coward
    Since when have iPhones got SD cards? Do you think maybe the writer has noticed the extravagant permissions on Android and assumes that they're the same on iPhone?
  • So you've been giving your life's data to Google for convenience but somehow you feel cheated that someone else wants access too. Is Google special? Yes! Should you trust them? No! Is there a price to be paid for convenience? Yes!

  • Probably not as hard as whining about it.
  • by rsmith-mac ( 639075 ) on Monday July 11, 2016 @11:03PM (#52494367)

    One thing that TFS doesn't make clear here is that this situation only occurs if you sign up for Pokemon Go with a Google account.

    The game supports two different account types, either a Pokemon Trainer Club account through pokemon.com, or a Google account. Because the game is incredibly, absurdly popular right now, Nintendo is throttling Pokemon Trainer Club account creation to prevent their servers from becoming molten silicon. Which is why so many people are signing up with their Google account.

    It's signing up via a Google account that causes PoGo/Nintendo to have full access to said account. Which means that if you have already signed up via the Pokemon Trainer Club, or will do so in the future, you'll be fine. It's only users signing up via the Google account system that are getting their Google accounts linked in this fashion. So the straightforward solution is to only sign up for the game with a Pokemon Trainer Club account. Which admittedly isn't super helpful due to the aforementioned throttle on Pokemon Trainer Club account creation, but there is at least a workaround.

    Otherwise the iOS-centric aspect of this is a bit unusual. Obviously iOS isn't giving PoGo access to your Google account, rather it seems to be a difference in how the two apps work. It appears that the Android version of the app doesn't try to request full permissions, only the iOS version does. Why? That's a good question...

  • Google makes an app that gets full access to your Google account... and this is news?

    Is someone forgetting that until recently Niantic wasn't even a separate company?

  • ... when you hire Team Rocket to code your app.

  • The title is very careful not to mention Apple or iPhone, but does mention Google. Very obviously written by an iFan
  • From Niantic:

    "We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user's Google account. However, Pokémon Go only accesses basic Google profile information (specifically, your user ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line

  • iOS version of Pokémon Go is a possible privacy trainwreck [Updated]
    No user data has been accessed, and Google and Niantic are working on fixes.

    by Andrew Cunningham - Jul 11, 2016 10:00pm EDT

    Update: Niantic has confirmed in a statement that the Pokémon Go app requests more permissions than it needs, but that it has not accessed any user information. Google will automatically push a fix on its end to reduce the app's permissions, and Niantic will release an update to the app to make it request fewe

  • It is an iOS problem, and the summary mentions SD card? would be pretty nice if I could put an SD card into my wife's iPhone.
