I figured I’d post this because I don’t see anyone else talking about
it and it bothers me. If you didn’t know, Pokemon Go is the latest in
the long running series of games from Nintendo (although Go is actually
made by a developer called Niantic).
It’s also the first (I think) to run on your phone. Needless to say,
it’s a huge hit. And it looks like a ton of fun - pretty much everyone I
know is playing it.
But there’s a problem.
To play the
game you need an account. Weirdly, Niantic won’t let you just create one
- you need to sign in with an existing account from one of two services
- the pokemon.com website or Google. Now the Pokemon site is for some
reason not accepting new signups right now so if you’re not already
registered there you’ll need to use a Google account - and that’s where
the fun begins.
I started the game, hit the Google button, and
was redirected to log in. Normally you’d see a little message saying
what data the app is going to be able to access - something like “This
app will be able to view your email address and name”. For some reason
that’s not shown in this case, but I went ahead and logged in anyway.
Then on a whim I went to see which permissions it was granted (you can
see for your own account right here). To say I was a little stunned is putting it lightly - it said:
Pokemon Go has full access to your Google account
Here are a couple of excerpts from the Google help page about what this means:
When you grant full account access, the application can see and modify nearly all information in your Google Account
This “Full account access” privilege should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet.
Let me be clear - Pokemon Go and Niantic can now:
- Read all your email
- Send email as you
- Access all your Google drive documents (including deleting them)
- Look at your search history and your Maps navigation history
- Access any private photos you may store in Google Photos
- And a whole lot more
What’s
more, given the use of email as an authentication mechanism
(think “Forgot password” links) they now have a pretty good chance of
gaining access to your accounts on other sites too.
And they have
no need to do this - when a developer sets up the “Sign in with Google”
functionality they specify what level of access they want - best
practices (and simple logic) dictate you ask for the minimum you
actually need, which is usually just simple contact information.
Now,
I obviously don’t think Niantic are planning some global personal
information heist. This is probably just the result of epic
carelessness. But I don’t know anything about Niantic’s security
policies. I don’t know how well they will guard this awesome new power
they’ve granted themselves, and frankly I don’t trust them at all. I’ve
revoked their access to my account, and deleted the app. I really wish I
could play, it looks like great fun, but there’s no way it’s worth the
risk.
http://adamreeve.tumblr.com/post/147120922009/pokemon-go-is-a-huge-security-risk