It's worth noting that Niantic Labs (the folks who licensed Pokemon from Nintendo and made Pokemon Go) are actually <i>owned</i> by Google [0]. This is Google giving itself permission to do Google things. Dollars to doughnuts they tried to use some internal-only API because things kept falling over at pokemon.com. Is this a massive UX failure? Certainly. Is giving Google permission to access Google stuff a "Huge security risk"? No more than putting your stuff in Google's hands in the first place.<p>Niantic are also the folks behind Ingress, if you've heard of that.<p>[0] Specifically, Alphabet owns a significant portion of Niantic, along with Nintendo: <a href="https://nianticlabs.com/blog/niantic-tpc-nintendo/" rel="nofollow">https://nianticlabs.com/blog/niantic-tpc-nintendo/</a> (they were previously wholly-owned by Google).
Update from Niantic in this Game Informer article
<a href="http://www.gameinformer.com/b/news/archive/2016/07/11/pokemon-go-has-access-to-your-entire-google-account.aspx" rel="nofollow">http://www.gameinformer.com/b/news/archive/2016/07/11/pokemo...</a><p><i>"We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves."</i>
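The statement above says the fix is client-side: request only the basic profile scopes instead of full account access. The following is an added example (not Niantic's or Google's code) showing what that least-privilege request looks like in Google's OAuth 2.0 authorization flow, plus an audit that compares the scopes a token was actually granted against that minimal set. The authorization endpoint, parameter names and scope identifiers are Google's documented ones; the client ID, redirect URI and tokeninfo payload are constructed placeholders.

```python
"""Least-privilege check for Google OAuth 2.0 scopes.

Two pieces: build an authorization request that asks only for basic
profile data, and audit what a token was actually granted against that
same minimal set. The tokeninfo payload below is constructed sample
data, not a real response from Google.
"""
import json
from urllib.parse import urlencode, parse_qs, urlparse

# Google's OAuth 2.0 authorization endpoint (documented by Google).
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# The minimal scopes that yield a user ID and e-mail address, which is
# all the Niantic statement says the game actually uses.
BASIC_PROFILE_SCOPES = frozenset({"openid", "email", "profile"})

# Tokeninfo responses may report the long-form aliases of those scopes,
# so the audit treats both spellings as basic profile access.
SCOPE_ALIASES = {
    "https://www.googleapis.com/auth/userinfo.email": "email",
    "https://www.googleapis.com/auth/userinfo.profile": "profile",
}


def build_auth_url(client_id: str, redirect_uri: str, state: str,
                   scopes=BASIC_PROFILE_SCOPES) -> str:
    """Return an authorization URL that requests only the given scopes."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(sorted(scopes)),
        "state": state,  # CSRF binding between request and callback
    }
    return f"{GOOGLE_AUTH_ENDPOINT}?{urlencode(params)}"


def requested_scopes(auth_url: str) -> set:
    """Parse the scope parameter back out of an authorization URL."""
    query = parse_qs(urlparse(auth_url).query)
    return set(query.get("scope", [""])[0].split())


def normalize(scope: str) -> str:
    """Map long-form scope URIs onto their short OpenID Connect names."""
    return SCOPE_ALIASES.get(scope, scope)


def excess_scopes(tokeninfo_json: str, allowed=BASIC_PROFILE_SCOPES) -> set:
    """Return granted scopes that go beyond the allowed minimal set.

    tokeninfo_json is the body of a tokeninfo-style response whose
    "scope" field is a space-separated list. An empty result means the
    token is no broader than the basic profile access the app needs.
    """
    info = json.loads(tokeninfo_json)
    granted = {normalize(s) for s in info.get("scope", "").split()}
    return granted - set(allowed)


# Constructed sample: a token carrying Gmail access on top of profile data.
SAMPLE_TOKENINFO = json.dumps({
    "aud": "example-client-id.apps.googleusercontent.com",  # placeholder
    "scope": "openid https://www.googleapis.com/auth/userinfo.email "
             "https://www.googleapis.com/auth/userinfo.profile "
             "https://mail.google.com/",
    "expires_in": 3599,
})

if __name__ == "__main__":
    url = build_auth_url("example-client-id.apps.googleusercontent.com",
                         "https://example.invalid/oauth/callback", "state123")
    print(url)
    print("requested:", sorted(requested_scopes(url)))
    print("excess:", sorted(excess_scopes(SAMPLE_TOKENINFO)))
```

The audit side is the part a user or reviewer can actually apply: anything reported by `excess_scopes` is access the app holds but does not need, which is exactly the gap the statement describes between "full access" and "User ID and email address".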
If google auth as a platform grants <i>full access</i> to your google account without any sort of confirmation, isn't <i>that</i> the security risk? Whether or not it's intentional or malicious on the part of Niantic, that seems like the real problem here.
And just like that I will never sign in with Google anywhere ever again. I just assumed that an app couldn't grant itself full permissions without notifying me, but now I can see why that might not be the case since they are free to present whatever UI they want in app.<p>In my dream world Google would revoke Niantic's API access forever in order to make an example out of them. Maybe, eventually, if they can prove that they didn't hoover up all the information they had access to they can be unbanned after a year.<p>Unlikely though considering they used to be a part of Google.
"Pokemon Go Release" has "full access" and yet "Ingress" (a game very similar to Pokemon Go from the same company) only has "basic account info". I removed the access and when I started the app, it crashed right away. (I'm on iOS, by the way.) On a subsequent launch I'm stuck on the "LOADING..." screen, and then it says "Failed to get player information from the server." I hope the servers are just down and I didn't lock myself out. (Or maybe I should be glad until they fix this breach.) Edit: Deleting the app and reinstalling allowed me to log in again.<p>It appears to be the iOS version only that's doing this, according to this article:<p><a href="http://9to5google.com/2016/07/11/psa-pokemon-go-full-access-google-accounts-iphone/" rel="nofollow">http://9to5google.com/2016/07/11/psa-pokemon-go-full-access-...</a>
I don't see any access granted to Pokemon Go (it's not even listed) in the "Apps Connected to your Account" page: <a href="https://security.google.com/settings/security/permissions" rel="nofollow">https://security.google.com/settings/security/permissions</a><p>I am running on a Nexus 6 and signed in with my Google Account when I first launched the app.<p>Try revoking access and see what happens. Worst case, it might ask you to sign in again.
"[T]his section of the privacy page on the Google account settings website is only showing up for those that have played on iOS and signed in using the Google button. Android users who used the same login method are not seeing the “Pokemon Go Release” at all on the permissions site (nor do they see Ingress), so we’re not sure yet if those users have trusted Niantic with their entire Google account as well." source: <a href="http://9to5google.com/2016/07/11/psa-pokemon-go-full-access-google-accounts-iphone/" rel="nofollow">http://9to5google.com/2016/07/11/psa-pokemon-go-full-access-...</a>
Caveat: I've seen a number of players state or imply that playing this game has been the first decent exercise they've had in years. Lack of exercise is a far greater threat to your well-being than having your Google account hacked, so if that's what it takes, go ahead and play the game anyway.
Full access is bad enough, but the really dodgy thing going on is that you never get asked to approve or deny that access for Pokemon Go when doing the OAuth flow. You just log in, proceed through 2fa, and you're magically logged into the app. Pokemon Go Release then shows up as an authorised app... except I never authorised it.<p>My theory is that they're injecting JavaScript into the web view to automatically press the 'Approve' button and hiding that from the user. If true, that's very worrying. They'd be effectively circumventing the whole OAuth framework by forging the user's approval of the app. Every user should have been asked up-front whether or not they wanted to approve or deny Pokemon Go's full access.
I know Google lets you see which apps are connected to your account via <a href="https://security.google.com/settings/security/permissions" rel="nofollow">https://security.google.com/settings/security/permissions</a> but is there any page where I can see what activity was done on my account by particular apps?
A lot of aspects of Pokemon Go are less than polished from an app dev perspective. The way they ask for device permissions doesn't follow best practices at all (no explanation of why they need them). The interface has too much explanatory text in some places (how much useless backstory did I need to click through to start playing?) and not enough in others (it took me forever to figure out what I was supposed to do once I found a pokemon). My sister-in-law was complaining about how all the pokemon graphics are very 2D, when they could easily have sprung for some shading or shadows.<p>I suspect they built an MVP and launched it and it happened to take off, and we'll see some more polish in the future.<p>For this particular issue though - I'd bet that Niantic has some sort of data-sharing agreement with Google, anyway, making this point moot. They started as an internal startup at Google, and they make really heavy use of the Maps & Places APIs that would probably cost a fortune if they didn't have some sort of bulk data sharing agreement.
There are enough kids playing this that maybe the FTC will get involved. Maybe some sort of basic privacy requirement.<p>How is it possible that signing in didn't inform me what permissions I was granting? I didn't think I was giving <i>anything</i> except my email address.
> I really wish I could play, it looks like great fun, but there’s no way it’s worth the risk.<p>Why not just create a separate google account if one's so eager to play?
Isn't Niantic actually affiliated with (part of?) Google in some way? So it would seem natural, if odd, that it doesn't ask for full permissions for the account it actually already has full permissions to. In the same way google docs doesn't ask, but gets, full permissions to your google account, or google+ doesn't ask, but gets, full permissions to your google account.
Here I thought the article was going to be on how Pokemon Go encourages people to wander into dangerous or restricted areas while paying attention to their phone. The odds of someone getting attacked in a rough area would seem to go up with such an app given how critical situational awareness is. I don't know enough about how the app works to assess that, though.<p>One app that got me thinking about these things was Google Maps. I noticed it directed me through The Hood of a murder capital to save 3 minutes on a route. An area where people are known to surround cars or level guns on their owners. I had to wonder how much more risk like this is in any GPS-enabled app that sends you from point A to B.
It should be noted that it sounds like only iOS users are seeing this.<p>I signed in with my Android, and I didn't see anything from Niantic or Pokemon Go in my security settings.
This seems like a massive security fail on Google's part. There's no reason the OAuth flow should be able to request admin privileges <i>silently</i>. As a user, I really must get a prompt asking me (and warning me!).
On a sidenote: does anyone know why the fuck are the servers so overcrowded? In a world with a whole bunch of automated cloud management solutions and auto-scaling, where is the problem?
I'm running iOS 9.3.2, and signing in to Pokemon Go caused it to have full access to my Google account. Just revoked it and looks like I can still play the game just fine.<p>Perhaps they misconfigured the Google auth sign-in? It's rather worrisome that it's this easy for an application to gain full access to your account, though.
Here's a weird question. <a href="https://www.facebook.com/NationalMallNPS/photos/a.379580652053692.97287.151776458167447/1186299898048426/?type=3&theater" rel="nofollow">https://www.facebook.com/NationalMallNPS/photos/a.3795806520...</a> Pokemon Go is designed to not only augment places where people already are but also to direct them to other places. My friend just ran down the Niantic/Google connection. Can the app be used to direct people away from polling places and/or to congest areas around polling places?<p>To wit, would anyone be interested in tracking (I can do it for at least some locations) the locations of gyms in comparison to polling places? (I haven't used the app; can one get a location of gyms?)<p>[lol. let me clarify my interest would be in thwarting rather than harnessing this possibility.]
Any idea how long the signup page is down? I made my account yesterday and, when forced between using my google auth and making some pokemon.com account, it was a no brainer to not use my google account. It took me a few tries but since this is a game and not something in the realm of life-and-death, I found it wasn't horrible to actually wait. And try again.<p>The entire issue is predicated on using your google account credentials which isn't really mandatory. Maybe I'm overly cautious but I don't use my google account to auth anywhere. If that's the only option, and it's not a google product.. then it looks like I'm not using that service.
Things like this are why I don't use google, facebook etc and only have 4 apps. I love technology but it looks like hardly anyone is looking out for the consumer, let alone a non tech savvy consumer.
I'm more worried about my daughter getting hit by a car (because she walks in front of it, or because the driver is playing) than I am about my google account being hijacked!
I detected that immediately when I signed up with google at first. No double-checking what I was ok with sharing with the company. Had to remove their permission from my account settings right away. Signed up with their email/password system, much better.
Seems like an issue with Google Auth on iOS. I've logged into Pokemon Go from my Android and iPhone. I revoked the access of "Pokemon Go release" from the Connected Apps page then logged in again from my Android phone. "Pokemon Go release" doesn't show up in my Connected Apps page anymore even after a login from Android.
Where there's a security hole, there's an exploit.[1]<p>[1] <a href="https://thestack.com/security/2016/07/11/infected-pokemon-go-apk-carries-dangerous-android-backdoor/" rel="nofollow">https://thestack.com/security/2016/07/11/infected-pokemon-go...</a>
Wow. This game must be the fastest thing to skyrocket into worldwide popularity. Yesterday I noticed someone on social media talking about it. "Some random game pokemon fans like" - I figured. Today it seems like everyone around the world is playing it. And it was released just a week ago? Never seen anything quite like it.
This article, though rife with paranoia, brings up some interesting points.<p><a href="http://blackbag.gawker.com/pokemon-go-is-a-government-surveillance-psyop-conspirac-1783461240" rel="nofollow">http://blackbag.gawker.com/pokemon-go-is-a-government-survei...</a>
People die doing this: <a href="https://www.youtube.com/watch?v=B2KXVfnw4rg" rel="nofollow">https://www.youtube.com/watch?v=B2KXVfnw4rg</a>
I got a number of permission requests at runtime the first time launching the app. If anything, it appears to be running into more of the Android 6 runtime permissions.
kind of a scam, just a bad wording from google "full access" and old oauth workflow - but no real security threat<p>TLDR: Pokemon Go can't read your gmail - he checked<p><a href="https://gist.github.com/arirubinstein/fd5453537436a8757266f908c3e41538" rel="nofollow">https://gist.github.com/arirubinstein/fd5453537436a8757266f9...</a>
I can't tell whether this game is the most heavily marketed social-media blitz of all time or truly viral. A virtual treasure hunt game finally gets people outside? Come on.
It's a free game everyone.<p>When something is free to play, and involves you walking around with geo services and a camera on, you and your data are the product.<p>This is just massive data collection disguised as a video game.
I'm fond of e-sports, so it's interesting for me to test new games. Pokemon Go stole the scene at a great pace. But this game is really risky for cybersecurity. Maybe we don't need such a program.