Panic on the streets over as Pokémon Go creator dispels security risk fears

12 Jul 2016

Pokémon Go creator Niantic has moved dispel security risk fears after it emerged iOS users handed over full access to their Google accounts

Just as Pokémon Go took America by storm, another storm raged overnight as it emerged users on iOS devices had inadvertently handed out permissions for their entire Google account to Niantic Labs. But now, the game’s creator Niantic Labs has moved to dispel fears.

The launch of Pokémon Go was an overnight success, adding $7.5bn to Nintendo’s value as the popular Pokémon genre was reborn for an augmented reality (AR) age.

Users combined the power of the cameras on their smartphone with location-based capabilities to bring a 21st-century twist to a 20th-century card-collection phenomenon.

‘Google will soon reduce Pokémon Go’s permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves’
– NIANTIC LABS

Within days of its launch, users were clocking up collections of up to 150 Pokémon characters on streets, in buildings, in the sea, up in the air and even on battlefields and god knows where else. In some cases, petty criminals in the US were reported to have used the game to lure victims into mugging attacks.

But such incidents were on the fringe as the popular phenomenon saw Pokémon Go clock up more downloads than Tinder and daily active users than Twitter.

However, the news was marred by the revelation that Nintendo and the game’s developer Niantic Labs were potentially capable of accessing more personal information than users had bargained for.

Security risk fears

It emerged yesterday (11 July) that the Pokémon Go game – which uses GPS and augmented reality – not only tracks your location but is linked to your Google account.

And the way it is structured means users have been handing over full access to their Google account, which means if Nintendo and Niantic so wished they would be able to see and modify nearly all information in users’ Google accounts.

What this means in plain English is that Pokémon Go and Niantic could, if they wanted to, read all your email, send email as you, access and delete Google drive documents, access your search and Maps navigation history and access and archive photos stored in Google Photos. It’s just the tip of the iceberg.

According to Adam Reeve from Red Owl Analytics, who revealed the problem, nothing in the sign-up process indicates that users are giving full access to their account.

“Now, I obviously don’t think Niantic are planning some global personal information heist,” Reeve wrote in his blog. “This is probably just the result of epic carelessness. But I don’t know anything about Niantic’s security policies. I don’t know how well they will guard this awesome new power they’ve granted themselves, and, frankly, I don’t trust them at all. I’ve revoked their access to my account, and deleted the app. I really wish I could play, it looks like great fun, but there’s no way it’s worth the risk.”

Niantic moves to dispel panic

For its part, Niantic has admitted there is an issue but has said that no information other than basic Google profile information was received or accessed by Pokémon Go or Niantic.

“We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user’s Google account.

“However, Pokémon Go only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected.

“Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access.

“Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go’s permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com