Pokémon Go for iOS requires full Google account access

Pokémon Masters, beware: The iPhone app gains access to all Google account features, including retrieving and sending email.

The massively popular Pokémon Go game, released just a few days ago, obtains full access to a Google account when it’s chosen as an authentication option while setting up the app in iOS. Android is unaffected. While the iOS app also allows using a Pokémon Trainer Club account, the option to create a new club account is unavailable at this writing, apparently due to system overload.

Adam Reeve, a principal architect at analytics firm Red Owl, posted a warning on his personal blog on Friday about this Google account issue. Most apps request a minimum amount of account access (or “basic profile information,” as Google terms it) to provide a link, partly because of frequent blowback from users, pundits, and sometimes regulators when apps ask for too much.

In confirming Reeve’s report in iOS through testing, when the Google account option is selected, the app presents a standard Google in-app login, including requiring a second factor if that’s enabled. However, neither the app nor Google’s login process discloses that the app gains full access. Visiting a Google account’s Connected Apps & Sites link reveals the app’s access status. (In Android, authentication happens without granting access, confirmed in testing and with several Android users. Only local permissions for contacts, camera, and other features are granted, with separate prompts for each.)

pokemon go full access

Pokémon Go in iOS silently requests full access to a linked Google account.

Why this could be troubling

Full access allows an app or website to act effectively as if it were the account owner, including access to email, contacts, and Google Drive files. Full access isn’t inherently a security flaw, but it does open Niantic’s users to risk should its systems be compromised either by an internal or external party. And it gives the company a rope by which it could hang itself, if it should choose to exercise this high level of access, such as sending Gmail on behalf of users.

The risk from attack comes from how the Google account linkage works. With a locally managed account system, like the Trainer Club, an account database contains a mix of unencrypted entries for elements like a user’s account name and email address, and encrypted entries for passwords. With good cryptographic system design, even should an attacker obtain an entire database, the passwords can’t be extracted, even with enormous effort. (Weak systems allow brute-force attacks.)

However, apps and sites that use accounts for authentication run by other sites—like Google, Twitter, and Facebook—don’t store a password, encrypted or otherwise, for that third-party site. Rather, after a user logs into the third-party site and the account is verified, a developer receives a token, just a short piece of unique text, that’s stored and used to handle interaction.

An attacker need only obtain that token to make use of the linked account, whether posting messages on Twitter or reading email on Google.

As Reeve notes, access to email alone can be the thin edge of a wedge to hijack someone’s identity and accounts at multiple sites. Many people use Gmail as their primary or secondary email address, and so other sites would send password-recovery emails to that Gmail account. An attacker with email addresses and tokens could try to reset passwords at popular sites at which it’s likely Pokémon Go users had accounts, and then take over those related accounts.

We’ve contacted Google and the game’s developer and system operator, Niantic, for comment, and will update this story when new information arises. (Niantic was once owned by Google, and was spun off as a freestanding company in October 2015 with investment from Google, the Pokémon Company, and Nintendo, which owns a third of the Pokémon Company.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags Google

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Glenn Fleishman

Macworld.com
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?