Pokémon Go for iOS requires full Google account access

Pokémon Masters, beware: The iPhone app gains access to all Google account features, including retrieving and sending email.

The massively popular Pokémon Go game, released just a few days ago, obtains full access to a Google account when it’s chosen as an authentication option while setting up the app in iOS. Android is unaffected. While the iOS app also allows using a Pokémon Trainer Club account, the option to create a new club account is unavailable at this writing, apparently due to system overload.

Adam Reeve, a principal architect at analytics firm Red Owl, posted a warning on his personal blog on Friday about this Google account issue. Most apps request a minimum amount of account access (or “basic profile information,” as Google terms it) to provide a link, partly because of frequent blowback from users, pundits, and sometimes regulators when apps ask for too much.

Testing in iOS confirmed Reeve’s report: when the Google account option is selected, the app presents a standard Google in-app login, including requiring a second factor if that’s enabled. However, neither the app nor Google’s login process discloses that the app gains full access. Visiting a Google account’s Connected Apps & Sites page reveals the app’s access status. (In Android, authentication happens without granting account access, as confirmed in testing and with several Android users. Only local permissions for contacts, camera, and other features are granted, with a separate prompt for each.)

[Image: Pokémon Go in iOS silently requests full access to a linked Google account.]

Why this could be troubling

Full access allows an app or website to act effectively as if it were the account owner, including access to email, contacts, and Google Drive files. Full access isn’t inherently a security flaw, but it does open Niantic’s users to risk should its systems be compromised either by an internal or external party. And it gives the company a rope by which it could hang itself, if it should choose to exercise this high level of access, such as sending Gmail on behalf of users.

The risk from attack comes from how the Google account linkage works. With a locally managed account system, like the Trainer Club, an account database contains a mix of unencrypted entries for elements like a user’s account name and email address, and encrypted (more precisely, hashed) entries for passwords. With good cryptographic system design, even should an attacker obtain an entire database, the passwords can’t be extracted, even with enormous effort. (Weak systems allow brute-force attacks.)

However, apps and sites that use accounts for authentication run by other sites—like Google, Twitter, and Facebook—don’t store a password, encrypted or otherwise, for that third-party site. Rather, after a user logs into the third-party site and the account is verified, a developer receives a token, just a short piece of unique text, that’s stored and used to handle interaction.

An attacker need only obtain that token to make use of the linked account, whether posting messages on Twitter or reading email on Google.
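An added example, not from the article and not Niantic’s or Google’s code: a small Python audit that flags Google OAuth scopes beyond “basic profile information,” both in an authorization request and in an already-granted token. It assumes Google’s standard OpenID Connect scope names; the tokeninfo response it checks is a constructed sample in the shape of Google’s tokeninfo output (a space-separated `scope` field).

```python
"""Audit Google OAuth scope requests and grants against basic-profile access.
Added illustration; BASIC_PROFILE_SCOPES are Google's standard OpenID Connect
scope names (assumption), and the tokeninfo JSON below is a constructed sample."""
import json
from urllib.parse import urlencode, urlsplit, parse_qs

# Basic-profile scopes: identity, display name, email address. Any other
# scope reaches into account data such as Gmail, contacts or Drive.
BASIC_PROFILE_SCOPES = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def build_auth_url(client_id, redirect_uri, scopes):
    """Build a Google authorization request limited to the given scopes."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "scope": " ".join(scopes)}
    return f"{GOOGLE_AUTH_ENDPOINT}?{urlencode(params)}"


def overbroad_scopes(auth_url):
    """Scopes in an authorization URL that exceed basic profile access."""
    query = parse_qs(urlsplit(auth_url).query)
    requested = query.get("scope", [""])[0].split()
    return sorted(s for s in requested if s not in BASIC_PROFILE_SCOPES)


def overbroad_granted(tokeninfo_json):
    """Same check against a tokeninfo response for an already-issued token."""
    granted = json.loads(tokeninfo_json).get("scope", "").split()
    return sorted(s for s in granted if s not in BASIC_PROFILE_SCOPES)


if __name__ == "__main__":
    cb = "https://example.invalid/oauth/callback"  # placeholder redirect URI
    minimal = build_auth_url("example-client-id", cb, ["openid", "email", "profile"])
    broad = build_auth_url("example-client-id", cb,
                           ["openid", "email", "https://mail.google.com/"])
    print("minimal:", overbroad_scopes(minimal))  # []
    print("broad:  ", overbroad_scopes(broad))    # ['https://mail.google.com/']
    # Constructed tokeninfo response for a token that was granted Drive access.
    sample = json.dumps({"aud": "example-client-id",
                         "scope": "openid email https://www.googleapis.com/auth/drive"})
    print("granted:", overbroad_granted(sample))  # ['https://www.googleapis.com/auth/drive']
```

A reviewer of an app’s sign-in flow can run the same check on the `scope` parameter of the authorization URL before the app ships.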

As Reeve notes, access to email alone can be the thin edge of a wedge to hijack someone’s identity and accounts at multiple sites. Many people use Gmail as their primary or secondary email address, and so other sites would send password-recovery emails to that Gmail account. An attacker with email addresses and tokens could try to reset passwords at popular sites at which it’s likely Pokémon Go users had accounts, and then take over those related accounts.

We’ve contacted Google and the game’s developer and system operator, Niantic, for comment, and will update this story when new information arises. (Niantic was once owned by Google, and was spun off as a freestanding company in October 2015 with investment from Google, the Pokémon Company, and Nintendo, which owns a third of the Pokémon Company.)

Glenn Fleishman

Macworld.com