Future Tense

Be Careful About Logging Into Pokémon Go With Your Google Account

Pokémon Go is out of control right now. The mobile game has been downloaded millions of times and is exploding in popularity all over the world. As people hear about it, they’re rushing to sign up and join the fun. But that sign-up could come with more risks than you think.

Adam Reeve, the principal architect at the cybersecurity analytics firm RedOwl, pointed out in a blog post on Monday that when users sign in to Pokémon Go with a Google account, they risk granting the mobile game extensive permission to peer into their lives on Google.

Logging into a service through a third party can be a good cybersecurity decision if that third party has strong security and two-factor authentication, like Google does, because it means one less login to keep track of and fewer variables if you get hacked. Usually, though, an app like Pokémon Go would request limited permission to actually access that other account, because it’s mainly using the third party to identify and authenticate users. In the case of Google, Pokémon Go probably just needs to know who you are. Yet when some users (like me!) check the “Apps connected to your account” page on their Google accounts, they’ll find that Pokémon Go “has full access to your Google account,” the highest level Google provides.

My personal list of authorized apps is very short. Google Chrome has “full access” status because, you know, it’s a Google product. Boomerang, an app that works with Gmail to schedule emails, “has access to Gmail, basic account info.” It makes sense that it needs Gmail access because I’m asking it to do tasks in … Gmail. Dropbox only “has access to Google Contacts,” and iOS and OS X, two operating systems that have extensive interoperability with Google products, have “access to Gmail, Google Calendar, Google Contacts, basic account info.” Even Apple isn’t getting “full access.” But for some reason, Pokémon Go is. I reached out to Niantic, the company that makes the game, for comment and will update if I hear back.

Google says on its Accounts Help page:

When you grant full account access, the application can see and modify nearly all information in your Google Account (but it can’t change your password, delete your account, or pay with Google Wallet on your behalf). …

This “Full account access” privilege should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet.

The company goes on to say that users should use the “revoke access” button to cut off any app they don’t fully trust. And that’s exactly what Reeve is doing. He wrote, “I don’t know anything about Niantic’s security policies. I don’t know how well they will guard this awesome new power they’ve granted themselves, and frankly I don’t trust them at all. I’ve revoked their access to my account, and deleted the app. I really wish I could play …”

If you’re using Pokémon Go on Android you’ll be explicitly asked to accept these terms, but either way, if you check your Google permissions and find that Pokémon Go has free rein on your account, you should give some thought to whether you’re comfortable with this. Unfortunately, the Pokémon Go login choices are currently limited to using your Google account or a pokemon.com account. You can’t make a login that’s just for the app.

Assuming this isn’t part of an evil Niantic plot to steal our identities, the company will hopefully revise the permissions it’s seeking soon. We want to catch Pokémon in augmented reality, not have a game company all up in our actual reality.

Update, July 12, 8:25 a.m.: On Monday night, Niantic gave a statement to the Verge and other outlets that promises a change to the Google permission Pokémon Go currently demands. The company wrote:

We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon Go only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go’s permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves.

This will address the concern about permissions, which is great news for Pokémon Go fans who didn’t want to give the game up over a security risk. But it’s still troubling that Niantic didn’t know what it was asking Google—and users—for in the first place.