July 13, 2016

Pokémon GO Is A Huge Security Risk: Grants Itself ‘Full Access’ To Your Google Account

By now, everyone might be aware of Nintendo’s new location-based augmented reality mobile game, Pokémon GO. Since its launch just a few days ago, this latest addition to Nintendo’s long-running series of games has invaded the digital world and, needless to say, it’s a huge hit. It has become so popular that it has already surpassed the popular dating app Tinder in terms of downloads and is giving tough competition to Twitter in daily active users.

But it seems there’s a problem! Because of the huge hype surrounding Pokémon GO, hackers are exploiting the game’s popularity to distribute malicious versions of Pokémon GO that could install DroidJack malware on Android phones, allowing them to compromise users’ devices completely. However, the latest threat relates to privacy concerns raised about the iOS version of the official Pokémon GO app.

Pokémon GO – A Huge Security Risk

Security expert Adam Reeve has warned that Pokémon GO players are exposing themselves to security risks by signing up using Google. Reeve, who reported the issue on his Tumblr blog, was “stunned” when he came to know that Pokémon GO has complete access to your Google account. In these risky times of frequent data breaches, he says, playing Pokémon GO isn’t worth the risk.

Here is what ‘Adam Reeve’ had to say on ‘Pokemon Go’ malware:

To play the game you need an account. Weirdly, Niantic won’t let you just create one – you need to sign in with an existing account from one of two services – the pokemon.com website or Google. Now the Pokemon site is for some reason not accepting new signups right now so if you’re not already registered there you’ll need to use a Google account – and that’s where the fun begins.

As soon as you hit the Google button, you are logged in, but you are not shown any message about what data the app is going to access. It turns out that Pokémon GO has full access to your Google account.

Here’s what it means when Pokemon Go has full access to your account:

  • When you grant full account access, the application can see and modify nearly all information in your Google Account (but it can’t change your password, delete your account, or pay with Google Wallet on your behalf).
  • This “Full account access” privilege should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet.

What exactly this means is quite unclear, but Reeve claimed that Nintendo’s Pokémon GO, developed by Niantic, can now:

  • Read all your email
  • Send email on your behalf
  • Access all your Google drive documents (including deleting them)
  • Look at your search history and your Maps navigation history
  • Access any private photos you may store in Google Photos
  • And a whole lot more

Although Reeve said this issue appears to mostly affect iOS users, some Android users are reporting that their devices are also being affected.

Pokémon GO doesn’t Intend:

Game developer Niantic issued a statement saying that it never intended for its game to get full access to your Google account and that the app hasn’t accessed any user data beyond “basic profile information” such as your User ID and email address. Niantic also said that the company is actively working on a fix to downgrade the permission.

“We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.”

How to Revoke Pokémon GO’s Access to Google Account?

  • Go to the Google account permissions page and look for Pokémon GO.
  • Select ‘Pokémon GO Release’ and click the “REMOVE” button to revoke full account access.
  • Launch Pokémon GO on your device and confirm it still works.
  • This will immediately revoke the Pokémon GO app’s access to your Google account, but you may lose your game data.

Useful Tip: Use a burner Google account. Create a brand-new Google account with nothing in it, and use this account to sign in to Pokémon GO or any other apps that you find doubtful.

About the author 

Chaitanya

