Is ‘Pokémon Go’ Reading Your Emails? Niantic Messed Up But It's Probably Not Doing That
On Monday, Pokémon "trainers" took a break from wandering around like zombies catching 'em all to break into panic over whether or not Pokémon Go is a privacy trainwreck.
It's not a trainwreck — it's more of a fender bender.
Pokémon Go players started freaking out when they discovered that the augmented reality game granted Google "full account access" when they log in with Google on iOS — meaning the game developers, Niantic Labs, would be able to read and send email, access, edit and delete documents in Google Drive and Google Photos as well as access your browser and map histories from your account, the Guardian noted.
And Niantic has confirmed that it requested full access, but it didn't mean to.
Here's Niantic's full statement to Ars Technica:
We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user's Google account. However, Pokémon Go only accesses basic Google profile information (specifically, your user ID and e-mail address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google account information, in line with the data we actually access. Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go's permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves.
Simply put, Niantic Labs said it doesn't have full access to your Google account — it is only accessing "basic Google profile information," as it mentioned above, which includes your user ID and email address. As the Guardian noted, the panic-inducing mislabeling is likely due to Niantic Labs using an out-of-date Google shared sign-on service for Pokémon Go, which skipped the steps that ask you to grant the app permissions, and instead defaulted to marking it as "full access."
Slack security engineer Ari Rubenstein "believe[s] this is a mistake on Google and Niantic's part, and isn't being used maliciously in the way that was originally suggested," according to his post on GitHub. He noted that "Pokémon Go should be safe to play in the next couple of days on iOS, or even now. Go have fun and play a game :)".
However, after spending the night digging into the issue, Rubenstein did find an undocumented way that Pokémon Go access rights could be used to obtain full account access, as Twitter user @SwiftOnSecurity pointed out, which Rubenstein dubbed "worrisome."
But as Niantic Labs said in the aforementioned statement, it is aware of the full account access issue and is currently working on a fix.