Posted by Robert Vamosi on July 11, 2016
Pokémon GO, perhaps the number one game app in the world right now, has been requesting far more access to players' Google accounts on iOS than it needs, its developer admits.
On Monday, security researcher Adam Reeve posted that iOS-based Pokémon GO players who signed up with an existing Google account may have granted the game full access to that account, including their Google photos, contacts, and email. The game's developer, Niantic, confirmed the issue late in the day:
“We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon Go only accesses basic Google profile information (specifically, your user ID and e-mail address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google account information, in line with the data we actually access. Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go’s permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves.”
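The fix Niantic describes is a least-privilege change to the OAuth scope the app asks for: request only the scopes that yield a user ID and an e-mail address, and nothing broader. The following is an added example, not Niantic's code or anything from the original post, showing what that looks like on the client side for a Google OAuth 2.0 sign-in, plus the check an app should make when the token comes back, so that an over-broad grant is refused rather than silently kept. The authorization endpoint and the scope names are Google's real ones; the client ID, redirect URI, and the two token responses are constructed for the example, and the page does not say which scopes the app actually requested.

```python
"""Least-privilege scope handling for a Google OAuth 2.0 sign-in.

Added example; not code from Niantic or from the original article.
"""
from urllib.parse import parse_qs, urlencode, urlparse

# Google's OAuth 2.0 authorization endpoint.
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# The scopes that cover exactly the data Niantic says the game uses: a
# stable user ID (the OpenID Connect "sub" claim, via "openid") and the
# account's e-mail address (via "email").
MINIMAL_SCOPES = frozenset({"openid", "email"})

# Google accepts the short OIDC names in the request but reports granted
# scopes as full URIs in the token response. Normalize to the short names
# so request and response can be compared.
SCOPE_ALIASES = {
    "https://www.googleapis.com/auth/userinfo.email": "email",
    "https://www.googleapis.com/auth/userinfo.profile": "profile",
}


def normalize(scope):
    return SCOPE_ALIASES.get(scope, scope)


def build_auth_url(client_id, redirect_uri, state, scopes=MINIMAL_SCOPES):
    """Authorization URL that asks for only the scopes in `scopes`."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(sorted(scopes)),
        "state": state,  # CSRF token; must be checked on the redirect back
    }
    return f"{GOOGLE_AUTH_ENDPOINT}?{urlencode(params)}"


def requested_scopes(auth_url):
    """Scopes an authorization URL requests (what the user is asked to grant)."""
    query = parse_qs(urlparse(auth_url).query)
    return {normalize(s) for s in query.get("scope", [""])[0].split()}


def excess_scopes(granted_scope_field, allowed=MINIMAL_SCOPES):
    """Scopes in a token response's space-delimited 'scope' field that
    exceed the allow-list. Empty set means the grant is least-privilege."""
    granted = {normalize(s) for s in granted_scope_field.split()}
    return granted - set(allowed)


def accept_token(token_response, allowed=MINIMAL_SCOPES):
    """Return the access token only if the grant carries no excess scope;
    otherwise refuse it, so an over-broad grant never reaches the app."""
    extra = excess_scopes(token_response.get("scope", ""), allowed)
    if extra:
        raise PermissionError(
            f"token carries scopes beyond what the app needs: {sorted(extra)}"
        )
    return token_response["access_token"]


# Constructed token responses (not real tokens). The first is what a
# minimal request yields; the second carries full-access scopes for Gmail,
# contacts and photos, the kind of grant the article's reporter objected to.
OK_RESPONSE = {
    "access_token": "ya29.constructed-example-token",
    "token_type": "Bearer",
    "expires_in": 3599,
    "scope": "openid https://www.googleapis.com/auth/userinfo.email",
}
OVERBROAD_RESPONSE = {
    "access_token": "ya29.constructed-overbroad-token",
    "token_type": "Bearer",
    "expires_in": 3599,
    "scope": (
        "openid https://www.googleapis.com/auth/userinfo.email "
        "https://mail.google.com/ "
        "https://www.googleapis.com/auth/contacts "
        "https://www.googleapis.com/auth/photoslibrary.readonly"
    ),
}

if __name__ == "__main__":
    url = build_auth_url("example-client-id", "https://example.invalid/cb", "nonce123")
    print("requesting:", sorted(requested_scopes(url)))
    print("minimal grant accepted:", accept_token(OK_RESPONSE)[:12], "...")
    try:
        accept_token(OVERBROAD_RESPONSE)
    except PermissionError as err:
        print("over-broad grant refused:", err)
```

Checking the `scope` field on the way back matters because the consent screen, not the app, decides what was granted: a user may be shown a broader request (as happened here) or a stale client configuration may ask for more than the code expects. Refusing the token and re-running the flow with the minimal request keeps the app from ever holding a credential it cannot justify.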
Reeve suspects this wasn’t part of a conspiracy, but a careless mistake. “I obviously don’t think Niantic are planning some global personal information heist,” he wrote. “This is probably just the result of epic carelessness. But I don’t know anything about Niantic’s security policies. I don’t know how well they will guard this awesome new power they’ve granted themselves, and frankly I don’t trust them at all. I’ve revoked their access to my account, and deleted the app. I really wish I could play, it looks like great fun, but there’s no way it’s worth the risk.”
Remember, just because something is insanely popular doesn't mean it is secure. Read the consent screen before granting an app access to your Google account, and review what third-party apps already hold at myaccount.google.com/permissions, where access can be revoked.