PSA: Pokemon Go Has Full Access To Your Google Account Data (techcrunch.com)
An anonymous reader writes: If you're an iPhone user and have installed Pokemon GO, you may have noticed that the app grants itself full access to your Google account. It can read your email, location history, documents and pretty much everything else associated with your Google account. (You can check to see for yourself here.) Given the nature of the game, it's understandable for it to request a lot of permissions, as it needs your precise location, ability to access the camera and motion sensors, read and write the SD card, and charge you money when you run out of Pokeballs or eggs. But full access to your Google account is pushing it, even if Niantic or Nintendo has no malicious intentions. If you're concerned about these permissions, you can always sign up using a Pokemon Trainer account, assuming the servers are permitting. Google describes full account access as such: "When you grant full account access, the application can see and modify nearly all information in your Google Account (but it can't change your password, delete your account, or pay with Google Wallet on your behalf). This 'Full account access' privilege should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet."
Not Android (Score:5, Informative)
Re: Not Android (Score:2)
If you deny the permission on Android, Pokémon GO will then ask you to log in manually with your Google account credentials. That process also creates the OAuth token with the overzealous scope.
The fact is, all it is trying to do is activate a single sign-on authentication method.
Re: (Score:2)
It's getting into iOS as well, not just Android.
No kidding? From TFS: If you're an iPhone user and have installed Pokemon GO, you may have noticed that the app grants itself full access to your Google account.
Re: Scare tactic? (Score:5, Funny)
Pok©mon GO
Wait, they released a new Jamaican version of Pac-Man??
Re: Scare tactic? (Score:2)
The SSO bug in Ingress was fixed on April 19th. Not enough people use Ingress to notice beforehand, I guess. And Niantic was owned by Google until mid-2015, so they always had access.
People don't care (Score:5, Insightful)
Re: (Score:2)
Yeah, I'm sure having access to a long list of reply notifications from Slashdot, not even containing the reply itself (really, can we get that sometime?) is going to be really, really valuable to a spammer.
All fun and games until your account gets stolen. (Score:5, Interesting)
Do you use your Gmail address with any services other than Slashdot? At a minimum, just having your /. account tied to your Gmail account means that they could reset your /. password and take over your account. If you have any other third-party accounts tied to that Gmail address, they can be compromised too.
In the modern world, there are few things that need to be more tightly protected than your email account (which is sad, considering the pathetic state of email security). It's the key to getting into far too many other things.
Additionally, something like this could be used to spam all your contacts with messages (possibly containing malware, or at least malicious links) that appear to come from you. I figure it's been long enough since ILOVEYOU for people to have forgotten some of the more salient lessons there; I'm seeing an uptick in advertisements for scam sites being spread that way on social media.
Re: All fun and games until your account gets stol (Score:1)
It would lock you out of your Slashdot account. You get to decide how important it would be to have to abandon your current /. account and have to set up a new one.
Re: (Score:2)
I solve this problem like this:
* GMail for Personal
* private domain name + email for all Biz related stuff
Re: (Score:2)
That makes no sense. If you've got the ability to set up a domain name and an email server, why don't you use that for your personal account too?
Re: (Score:2)
I would think a degree of separation for starters. A person with malicious intent that gets hold of his GMail address doesn't get to know the domain name of his more important email address.
Why do you believe people don't care? (Score:5, Informative)
What's your backing for that assertion?
I ask this because I notice you've cited nothing backing up your claim, and it's quite a claim. And because people on /. make comparably grand assertions of people not caring about the Snowden revelations despite evidence to the contrary, and it's a good idea to back up one's statements from something substantial.
Glenn Greenwald, Edward Snowden, and Noam Chomsky addressed this at a recent talk on privacy [youtube.com] and spent some time debunking the notion that the public doesn't care about privacy or that Snowden's revelations weren't a big deal.
The host says around 32m44s that after Snowden's revelations were published by international news "Pew Internet Life Research shows that people were modifying their behavior -- they were self-censoring, they were curtailing their own speech.". Around 38m the host questions the point directly asking "Do people in general care?" to which we get variations on the theme of "Yes" ranging from Snowden's point that whether people care "isn't really that material even if it is the case [because] rights don't exist for the majority; rights exist to protect the minority against the majority.". He then explains that he thinks increasingly people do care because they only recently learned of the threat to their privacy and then he explains that threat in plain language.
Greenwald, by this time in the discussion, had already debunked the notion that people who say they have no secrets and therefore don't care: He offered them his email address and told them to send him the credentials of every personal (as opposed to work) account they have including the sensitive ones (I interpreted this to mean an account on, say, a cheat-on-one's-spouse site). To date, he said, nobody's taken him up on his offer. Here he points out that contrary to the naysayers who dismissed the Snowden revelations as a flash-in-the-pan that would go away in a few days, these documents have been headline stories "not just in the United States but in dozens of countries in multiple continents around the world precisely because people were so angry and offended at the intrusion into their privacy including people who might have said in the past 'I don't really care'." (43m43s). He cites a "massive increase in the number of people around the world who are now using encryption to protect the privacy of their communications, to the number of people who put pressure on the US Government in both parties to enact legislation limiting these programs [the NSA spying programs] but maybe the best evidence of all of how much people care about privacy is the behavioral change in Silicon Valley companies. The biggest ones -- Yahoo, Facebook, Apple, and Google, and Microsoft -- when I first read the archive that Ed gave me, one of the things that struck me the most is what full-scale collaborators these companies were in the surveillance state that the NSA had created. They were not only complying [and a Snowden leaked document from the NSA showing "Dates When PRISM Collection Began For Each Provider [washingtonpost.com]"] [...] to the extent the law required but even went beyond that." including building backdoors into their non-free, user-subjugating, proprietary software. 
Greenwald concludes, "And the reason they were such full-scale collaborators is because nobody knew they were doing it completely in the dark, nobody knew they were doing it, and there was no cost." (45m18s). Once this became known these companies changed their behavior due to fear of being seen as the collaborators they have been for so long. They know the pressures of their customer base and that they are seen standing up to the FBI, being "seen as aides and abettors of ISIS", etc. People won't use these companies' products and services if they know their privacy won't be upheld.
Noam Chomsky reflected on this from a historical p
Not to worry (Score:5, Informative)
"If you're an iPhone user and have installed Pokemon GO, you may have noticed that the app grants itself full access to your Google account. It can read your email, location history, documents and pretty much everything else associated with your Google account."
Oh, I'm sure that Google would never do anything bad while they're pawing through all your shit in an attempt to monetize everything you do.
I mean, so they have your email, phone calls, location history, documents, camera, pictures, videos, contact list, etc etc, but c'mon- it's Google, and Google has never done anything shady, amirite?
Oh, and how does an app grant itself all of these permissions? Aren't we supposed to have to do that? What's the point of having "permissions" if an app can just assign them to itself at will?
Re: (Score:3)
Well, the app has to request that you sign in to grant it access, and you have to do that. It can't *just* assign the permissions to itself; you do have to do something too.
With that said, I certainly *thought* that Google would tell you just what permissions it is granting to what entity (app, in this case) and require you to approve that grant before actually giving access. Apparently that's not always how it happens, though (at least, not for ex-Alphabet companies, or something).
Re: (Score:2)
Is that how it works? "App has permissions it was explicitly granted" isn't a great headline.
I was sort of hoping someone on /. would explain this. I've read three different puff pieces, and I still have no idea how these permissions were granted. Have people been tapping "Grant all rights to my Google Account", and being surprised by the result?
Re: (Score:2)
I'd guess the surprise is more of a "why does this app need access to everything on my phone?" nature. At least on Android, you get a list of permissions the app asks for, and you have to approve that before you install it. If it updates and requests new permissions, you have to explicitly approve those as well. I'd imagine iOS works the same way, but I don't have an iPhone, so I can't say for sure.
So, yeah, it's up to the user to decide if they want to approve the app with those permissions or not. I saw
Re: (Score:2)
I'd guess contacts are so you can trade or play with your friends? E-mail/messages as well, I suppose. I don't have the game, so that's just speculation.
Re:Not to worry (Score:5, Insightful)
Do you even know how this sort of thing works?
Well hurr durr no, these new-fangled computin' machines are a consarn mystery to us techo-n00bs.
The article says, "you may have noticed that the app grants itself full access to your Google account"...
If it asks for those permissions, then it isn't granting itself a goddamn thing, now is it?
So, either the article is wrong or the app grants itself full access.
Out of curiosity, what part of "grants itself full access" sounds like "the app requests for those permissions when you install it"?
The good and the bad (Score:2)
On iOS, you at least have granular permission control over an app's access to the things under iOS's jurisdiction, such as network, location, contacts, and whatnot. But the Google bits seem to be all or nothing, unfortunately.
It seems to be a bit weird, since Niantic is supposedly not part of the Google-verse anymore. But old habits die hard, I guess... or else they're still doing favors for their former overlords. Stockholm Syndrome, maybe?
Re: (Score:2)
Android 6 allows the user to deny or grant permissions on a more fine-grained level.
Re: (Score:3)
This isn't about app capabilities on your phone. This is about third-party API access to your Google account. It's all online, viewed and managed through a browser and used (or abused) via web services. It has nothing to do with your phone (except that apparently the iOS and Android versions of the app request different permissions to your Google account, and apparently the iOS version is unreasonably greedy).
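To make the distinction in the comment above concrete, here is an added example (not from the article or from Niantic) that audits the scopes an OAuth sign-in actually asks for or received, flagging anything beyond basic profile access (user ID and email). The scope strings in the allowlist are real Google OAuth scopes; the authorization URL and the tokeninfo-style JSON body are constructed samples, and the JSON layout assumes Google's tokeninfo format with a space-separated `scope` field.

```python
from __future__ import annotations

import json
from urllib.parse import parse_qs, urlparse

# Scopes that reveal only basic profile data (user id and email address).
# These are real Google OAuth scope strings; anything outside this set is
# reported as excess relative to a "basic profile only" sign-in.
BASIC_PROFILE_SCOPES = {
    "openid",
    "email",
    "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}


def scopes_from_auth_url(url: str) -> set[str]:
    """Extract the space-separated `scope` parameter from an OAuth authorization URL."""
    query = parse_qs(urlparse(url).query)  # parse_qs percent-decodes the values
    return {s for value in query.get("scope", []) for s in value.split()}


def scopes_from_tokeninfo(body: str) -> set[str]:
    """Extract scopes from a tokeninfo-style JSON body (assumed: `scope` is space-separated)."""
    data = json.loads(body)
    return set(data.get("scope", "").split())


def excess_scopes(requested: set[str], allowed: set[str] = BASIC_PROFILE_SCOPES) -> list[str]:
    """Return, sorted, every requested scope that goes beyond basic profile access."""
    return sorted(requested - allowed)


# Constructed sample: a sign-in request that asks for Gmail and Drive on top of profile data.
SAMPLE_AUTH_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE-CLIENT-ID"
    "&redirect_uri=com.example.app%3A%2Foauth2redirect&response_type=code"
    "&scope=openid%20email%20https%3A%2F%2Fmail.google.com%2F"
    "%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive"
)

# Constructed sample: tokeninfo-style response for a token narrowed to basic profile only.
SAMPLE_TOKENINFO_OK = (
    '{"aud": "EXAMPLE-CLIENT-ID", "scope": "openid email", '
    '"expires_in": "3599", "email": "user@example.com"}'
)

if __name__ == "__main__":
    for label, scopes in (
        ("auth URL", scopes_from_auth_url(SAMPLE_AUTH_URL)),
        ("tokeninfo", scopes_from_tokeninfo(SAMPLE_TOKENINFO_OK)),
    ):
        extra = excess_scopes(scopes)
        print(f"{label}: {'OK, basic profile only' if not extra else 'EXCESS ' + ', '.join(extra)}")
```

On a real account, the scopes currently granted to each app are visible on Google's connected-apps page; this script only tells you whether a given request or token is wider than basic profile access.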
micropayments? (Score:2)
Just looked at Pokemon Go on the App Store; I see it offers in-app purchases from $0.99 to $99.99.
When I first heard about it I just assumed it was $25 or something and you just had the app to play with, considering it's Nintendo and that's how console games usually work.
Is it like the other micropayment games where it is technically possible to win without paying but would take several years because of the way the game is weighted?
Re: (Score:3)
If you live in an area with a lot of pokestops (read: 'densely populated area'), free items flow like water, and if you're at all careful to keep some pokeballs around, you won't get caught needing more. If you live in an area without many of them, then you might run into pokemon a lot more often than you run into places to naturally recharge your items, and running into that rare critter you want might make you desperate enough to spend money for more pokeballs on the spot.
Much like Ingress though, it's h
What if. . . (Score:2)
one does not have a Google account? Does it sign you up for one or does it go apoplectic when it can't find your information?
Re: (Score:2)
What do you mean, when "it" can't find your information? If you don't have a Google account, you can't sign into the app using a Google account. Since the only other way to sign into the app is using a service that no longer allows new account creation, you won't be able to use the app at all until you create a Google account.
Re: (Score:1)
you won't be able to use the app at all until you create a Google account.
Right, so what's the problem? Make an account just for Pokemon and other spammers. People are getting excited for nothing.
Re: (Score:2)
I have a "phone account" for Google. It's tied to nothing but my phone. When Google needs an account for most services, that's what it gets. I also have several Gmail accounts. I have one tied to the mail app on the phone, so I can access my personal email on my phone, without directly tying that account to the rest of Google's services.
The problem comes when Google decides that since there are two Google accounts available to two different apps on the phone that it can pick whichever one it wants.
Re: (Score:1)
Well, in my case, I do seem to be able to decide for myself which account my mail goes out from. If the app doesn't send from the address that was registered on installation, maybe that's where the lawyers come in. But something tells me that you give permission when installing the app. If enough people deny it, the developers might react. I still see the problem as self-inflicted.
Re: (Score:1)
You can also login using your Trainer ID (Nintendo account). If you don't have either of those then on iOS I presume it tells you to go create one. On Android...how would you even be using the phone?
Re: (Score:2)
You sign up for a free non-Google account at pokemon.com (it was intermittent for 4 days because of volume, but it's live now) and you can log in to that account instead. It works on iOS and, I think, Android. And it has no access to your Google account.
Calea and 3rd party databases (Score:2)
Re: (Score:2)
Hmm... diabolical, if true. I suspect it'd get them sued *hard* if it came out that they were doing this, though. Requesting more access than you need is a security risk and a reason to distrust the app. Abusing that unreasonable level of access is an existential risk for a company, and a financial (and possibly even criminal; you could arguably make something stick via CFAA) risk to the people responsible for that decision.
Is it worse than yodlee and its progeny? (Score:2)
Is it as treacherous as Ingress? (Score:4, Interesting)
Re: (Score:2)
It sucks, because there are both ethical and seriously unethical uses for that kind of data collection. I don't necessarily want it in anyone's hands, but a "white hat" statistician could use it to really help urban planning / civil engineering / etc without hurting anyone in the process. Kind of like medical data that way.
You have to be seriously naive to think that people collecting this info are on your side, but I know I'd be annoyed if I worked with the data for good purposes and had no way to avoid
WTF? (Score:1)
Re: (Score:2)
And what do Google accounts have to do with iPhones?
After Giving Google your data you now want what? (Score:1)
So you've been giving your life's data to Google for convenience but somehow you feel cheated that someone else wants access too. Is Google special? Yes! Should you trust them? No! Is there a price to be paid for convenience? Yes!
How hard is it to make an extra gmail account? (Score:2)
Only If You Sign Up With a Google Account (Score:5, Informative)
One thing that TFS doesn't make clear here is that this situation only occurs if you sign up for Pokemon Go with a Google account.
The game supports two different account types, either a Pokemon Trainer Club account through pokemon.com, or a Google account. Because the game is incredibly, absurdly popular right now, Nintendo is throttling Pokemon Trainer Club account creation to prevent their servers from becoming molten silicon. Which is why so many people are signing up with their Google account.
It's signing up via a Google account that causes PoGo/Nintendo to have full access to said account. Which means that if you have already signed up via the Pokemon Trainer Club, or will do so in the future, you'll be fine. It's only users signing up via the Google account system that are getting their Google accounts linked in this fashion. So the straightforward solution is to only sign up for the game with a Pokemon Trainer Club account. Which admittedly isn't super helpful due to the aforementioned throttle on Pokemon Trainer Club account creation, but there is at least a workaround.
Otherwise the iOS-centric aspect of this is a bit unusual. Obviously iOS isn't giving PoGo access to your Google account, rather it seems to be a difference in how the two apps work. It appears that the Android version of the app doesn't try to request full permissions, only the iOS version does. Why? That's a good question...
So Google has access to your Google account? (Score:1)
Google makes an app that gets full access to your Google account... and this is news?
Is someone forgetting that until recently Niantic wasn't even a separate company?
Pokeman (Score:1)
That's what you get ... (Score:2)
... when you hire Team Rocket to code your app.
"ON iPHONE" (Score:1)
Already in the process of being fixed. (Score:2)
From Niantic:
"We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user's Google account. However, Pokémon Go only accesses basic Google profile information (specifically, your user ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line
Can this article be updated? (Score:1)
iOS version of Pokémon Go is a possible privacy trainwreck [Updated]
No user data has been accessed, and Google and Niantic are working on fixes.
by Andrew Cunningham - Jul 11, 2016 10:00pm EDT
Update: Niantic has confirmed in a statement that the Pokémon Go app requests more permissions than it needs, but that it has not accessed any user information. Google will automatically push a fix on its end to reduce the app's permissions, and Niantic will release an update to the app to make it request fewe
It's an iOS problem (Score:2)