In case you’ve been living under a rock for the past week, Pokémon GO is an outrageously popular, augmented reality mobile game. It’s already beating Tinder and rivaling Twitter in daily active users. The game is just five days old, and already there are almost 50,000 reviews on the iOS App Store. People are spending far more time seeking out Pokémon than they are spending on WhatsApp, Instagram, Snapchat, or Facebook Messenger.

The success of Pokémon GO is great for its creator Niantic, and for the millions who have downloaded it. Except for one thing: there’s a major security vulnerability, and no one’s quite sure why it exists.

Two days after the game’s release, security expert Adam Reeve tweeted about the vulnerability. Due to the game’s overwhelming demand, new users — if the overburdened servers were functioning — were forced to log in using a Google account. Those who did so were then able to begin playing. However, neither Google nor the Pokémon GO app itself warned new users how much privacy they were sacrificing.

Turns out that it’s quite a lot.

What you don't want.

“Full access.” That should sound like a bit much. It is, Reeve writes in a post titled “Pokemon Go is a huge security risk” on his blog. In his tweet linking to the post, he calls the app malware. The biggest takeaway is what “full access” actually means:

Pokemon Go and Niantic can now:

  • Read all your email
  • Send email as you
  • Access all your Google drive documents (including deleting them)
  • Look at your search history and your Maps navigation history
  • Access any private photos you may store in Google Photos
  • And a whole lot more

The access affected all iOS users and select Android users. To see whether you have given up access to your own account, look here.

There’s very little reason for Niantic to have this much access. Reeve writes that “best practices (and simple logic) dictate” that apps ask for the minimum required information — “which is usually just simple contact information.” As a result, Reeve guesses that this was an oversight — albeit a big oversight — on Niantic’s part.

“This is probably just the result of epic carelessness. But I don’t know anything about Niantic’s security policies. I don’t know how well they will guard this awesome new power they’ve granted themselves, and frankly I don’t trust them at all. I’ve revoked their access to my account, and deleted the app. I really wish I could play, it looks like great fun, but there’s no way it’s worth the risk.”
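Reeve’s point about asking for the minimum can be turned into a review check. The following is an added example, not Reeve’s or Niantic’s code: it splits the scope parameter of a Google OAuth consent URL into identity-only scopes and anything broader. The allowlist, the labels for the broad scopes and the sample URLs are assumptions of this example; the page does not say which scope string the app requested.

```python
from urllib.parse import urlparse, parse_qs

# Scopes that only identify the signed-in user (hypothetical minimal allowlist;
# these are real Google scope names, but the page does not say what the app used).
IDENTITY_ONLY_SCOPES = {
    "openid",
    "email",
    "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

# Scopes that reach far beyond sign-in (real Google scope names, used here only
# so the audit can label what it flags).
BROAD_SCOPE_LABELS = {
    "https://mail.google.com/": "full Gmail access (read, send, delete)",
    "https://www.googleapis.com/auth/drive": "full Google Drive access",
}


def audit_consent_url(url: str) -> dict:
    """Split the scope parameter of an OAuth 2.0 authorization URL into the
    identity-only scopes a login needs and everything beyond that."""
    params = parse_qs(urlparse(url).query)
    # Google's endpoint takes one space-separated scope parameter.
    requested = params.get("scope", [""])[0].split()
    minimal = [s for s in requested if s in IDENTITY_ONLY_SCOPES]
    excessive = [s for s in requested if s not in IDENTITY_ONLY_SCOPES]
    return {
        "requested": requested,
        "minimal": minimal,
        "excessive": excessive,
        "least_privilege": not excessive,
        "findings": [BROAD_SCOPE_LABELS.get(s, "non-identity scope") for s in excessive],
    }


# Constructed sample URLs; the scope lists are illustrative, not what the game sent.
LOGIN_ONLY = ("https://accounts.google.com/o/oauth2/v2/auth?client_id=example"
              "&response_type=code&scope=openid%20email%20profile")
OVERBROAD = ("https://accounts.google.com/o/oauth2/v2/auth?client_id=example"
             "&response_type=code&scope=openid%20email"
             "%20https://mail.google.com/%20https://www.googleapis.com/auth/drive")

if __name__ == "__main__":
    for name, url in (("login-only", LOGIN_ONLY), ("overbroad", OVERBROAD)):
        r = audit_consent_url(url)
        print(name, "least privilege" if r["least_privilege"] else "EXCESSIVE", r["findings"])
```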

Still, there’s something fishy going on. When an app asks for permissions, Google should be quick to inform users how many permissions they’re granting. In this case, there was no such prompt: users created an account, and — unbeknownst to them — gave away full access.

Further, Niantic isn’t dispelling concern: a spokesperson told Ars Technica only the following: “No comment to share at the moment.”

Niantic’s own Pokémon GO privacy policy includes the following, which — given the above — seems misleading:

“During gameplay and when you … register to create an account with us … we’ll collect certain information that can be used to identify or recognize you (‘PII’). Specifically, because you must have an account with Google before registering to create an Account, we will collect PII (such as your Google email address …) that your privacy settings with Google … permit us to access.”

And worse:

“Following termination or deactivation of your … Account, Niantic, its clients, affiliates, or service providers may retain information … and user content for a commercially reasonable time period…”

If you’re someone who treasures your Pokémon over your privacy, then continue as if nothing had happened. If you’d prefer to keep your Google account to yourself, then you should revoke access. (Revoking access reportedly does not affect your hard-earned Pokémon.)

If you’ve yet to sign up, just use a burner Google account. With a user base this big and growing by the day, exploits can’t be far behind.

Photos via YouTube