search slide
search slide
pages bottom

Pokemon Go’s iOS privacy settings give its developer total access to your Google account

We’ve already touched on some of the real-world issues linked to augmented reality game Pokemon Go, but Monday revealed another significant problem with the game. If you you sign up for the game using iOS (not Android) and a linked Google account, Niantic (the game’s developer) gets complete access to anything and everything attached to said account. While the game has skyrocketed to the top of the download charts and driven Nintendo’s stock price through the roof, issues like this could sharply curtail its upward growth.

As detailed by Adam Reeve, who found the flaw, this means that Pokemon Go can read all of your email, send email directly from your account, access and delete all Google Drive documents, access your search history, access your maps and navigation history, and access any photos you might have stored on Google Photos. Presumably it can also post on your behalf to Google Plus and access information stored in any other shared Google service.

NotHelpfulPokemon

As of this writing, the app only offers two options for signing up for an account — either you go through Google, or you can use Pokemon.com. Unfortunately, the sign-up function for Pokemon.com is currently disabled, so it’s Google or nothing.

If you’ve already signed up for a Pokemon Go account you can visit this account page to remove the application’s full permissions and lock your information up again. That won’t erase any information Niantic may have pulled from your account in the meantime, but it will prevent the application from making further changes.

It’s not clear yet if making these changes will impact whether or not the game runs properly. Some users have reported that they had to reinstall the game after removing account permissions, while others have had no issues. While the issue is supposed to be limited to iOS users, we would recommend that Android users check this as well — the privacy cost of leaving your entire account open to a third-party developer is significant. The problem doesn’t appear to strike 100% of iOS users, but there’s no information yet on which Google accounts request total access and which do not.

Niantic has not responded to requests for comment, save to note that it had no comment to share. Pokemon Go is largely built on Niantic’s previous title Ingress, which made significant use of real-world location data, but nothing either game does would justify or require total access to one’s Google account.

Leave a Reply

Captcha image