People who sign up for Pokemon Go to catch them all could end up giving all their personal data away.
The hit game asks for a surprising amount of permission to access users’ Google accounts, the internet discovered on Monday. Redowl engineer Adam Reeve has the best writeup on his blog.
Basically, if you log into Pokemon Go through your Google account on an iPhone — which is the first option provided — it gives “full access” to your account. According to Google’s help page, that should only be “granted to applications you fully trust.”
Here’s some stuff that Pokemon Go can do with that level of permission, according to Reeve:
- Read all your email
- Send email as you
- Access all your Google drive documents (including deleting them)
- Look at your search history and your Maps navigation history
- Access any private photos you may store in Google Photos
I went through my Google permissions and found that I had unwittingly given Pokemon Go permission to my entire account — and I’m pretty sure I never agreed to do anything like that. That’s the same level of permission that I give to Google Chrome, my browser.
Niantic, the developer behind Pokemon Go, doesn’t need all that permission — other sites have “sign in with Google” without asking for, say, email permission.
Here’s what Google has to say about “full access:”
When you grant full account access, the application can see and modify nearly all information in your Google Account (but it can’t change your password, delete your account, or pay with Google Wallet on your behalf).
Certain Google applications may be listed under full account access. For example, you might see that the Google Maps application you downloaded for your iPhone has full account access.
Now, I obviously don’t think Niantic are planning some global personal information heist. This is probably just the result of epic carelessness. But I don’t know anything about Niantic’s security policies. I don’t know how well they will guard this awesome new power they have granted themselves, and frankly I don’t trust them at all.
On Android, many users are reporting that they can play Pokemon Go without giving the company full access to their Google accounts.
Niantic used to be part of Google before it was spun off last year, so its developers likely know how Google’s authentication works. If this is an oversight or a bug, you can expect it to be changed soon — so you won’t need to hand over access to your mail and photos to catch some pocket monsters.