Pokémon GO isn’t Stealing all Your Data

Pokémon GO is the game to play, and it’s so popular that Nintendo’s servers can’t keep up with demand. That led to loads of people signing up with their Google ID, promptly followed by loads of people freaking out thinking the game is accessing all of their email, contacts, and documents. The game isn’t really stealing all your data, and the developers said they’re fixing the error that granted Pokémon GO full access to your Google account.

Pokémon Go Google account permissions

Signing in to Pokémon GO with your Google ID gives the game full access to your account

Pokémon GO is an iOS and Android game that uses your smartphone’s GPS and camera to hunt down and collect Pokémon characters in the real world. It uses augmented reality (AR) to make characters appear as if they’re really in front of you, and playing gets you outdoors exploring your neighborhood or city as you look for landmarks where power-up points and Pokémon are hiding.

The game is so popular, however, that Nintendo’s game servers can’t keep up. Players haven’t been able to sign up for Pokémon Trainer Accounts practically since the game launched last week and have been signing in with their Google logins instead. The upside is that they can play the game; the downside is that Pokémon GO granted itself full access to everything in a player’s Google account, including email, contacts, and calendars.

Pokémon Go’s open door to data

Google described full access saying, “When you grant full account access, the application can see and modify nearly all information in your Google Account (but it can’t change your password, delete your account, or pay with Google Wallet on your behalf).”

That’s pretty ominous, and a legitimate cause for concern, because no game should need that level of access to your Google account. Niantic, the Nintendo subsidiary that developed Pokémon Go, agreed and said the full access permission wasn’t supposed to happen, and a fix is on the way.

Niantic said in a statement,

We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email addresses) and no other Google account information is or has been accessed or collected.

Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.

That means Pokémon GO users who signed in with their Google credentials don’t need to take any action to limit the game’s access to their personal data because the permissions change will happen automatically.

Remove Google permissions for Pokémon Go

Google lets you revoke permissions for apps

If you’d rather not use your Google ID with the game, it’s easy to revoke Pokémon Go’s permissions from Google’s account security settings Web page. Just select Pokémon GO, then click Remove. You won’t be able to play the game until you grant account access again, or get lucky and can sign up for a Pokémon Trainer Account.

3 Comments

  1. archimedes

    The main issue I’ve seen with Pokémon Go is the large number of kids – and adults – wandering into the street glued to their iPhones and largely unaware of their actual surroundings including other people and vehicles.

    The secondary (less life-threatening) issue is having $99.99 in-app purchases in a game for kids. Apparently Niantic wants to cash in the way Smurfs Village did.

    I’m sure people will say “hahaha, Darwin award” and “stupid parents, you didn’t set up your purchase permissions correctly” – perhaps with some justification – but does anyone really think this was a good idea?

  2. Scott B in DC

    Just because they didn’t do it doesn’t mean that opening the door, even inadvertently, is not a problem. It shows a lack of risk review and mitigation on behalf of the industry that will brush it off as “oh, it’s just a mistake.” In my world, a mistake causes bigger problems than just the potential for the leaking of personal information.

    Sorry if this sounds overly dramatic but I am sick-and-tired of the “oh, it’s just a mistake” attitude. We don’t allow that from other industries, why is this accepted in the computer industry? This double standard is really getting on my nerves and after 40 years professionally and 30 years in security, I am ready to unplug and let the idiots go down with the ship with their “it’s just a mistake.”
