Warning: Pokémon Go is automatically granting permission to read your Gmail

Pokémon Go has become phenomenally popular in the days since its release last month, but the app may be hiding a serious privacy and security issue.

In many cases, users who sign into the app through a Google Account are inadvertently granting broad permissions over all information linked to the account, including the power to read and send emails. At no point in the sign-in process does the app notify users that full access is being granted.

You can avoid using Google by creating an account for the game via the Pokémon Trainer Club website, but that service has been overloaded by players, so plenty of people are using their Google accounts to join instead. According to stats out today, Pokémon Go, which was rolled out across the world last week, has been installed more than five million times and already has nearly the same number of daily Android users as Twitter.

When you opt to use your Google account as your Pokémon Go sign-in, the iOS version of the Nintendo-backed title automatically gains “full access to your Google account,” meaning “the application can see and modify nearly all information in your Google account.”

This suggests the game and its developer Niantic can potentially read your Gmail messages, peek at your Drive documents and private photos, and access your other files held in Google’s cloud. The software also requires access to your phone’s camera, contacts, whereabouts, storage, Bluetooth, Google Play billing, and more, on Android. Given this privacy laundry list, the FBI and NSA will offer to make the next Pokémon title.

There’s no indication that developer Niantic Labs is actively using that power, but it still represents a dangerous overreach and a real privacy concern for millions of users.

Security researcher Adam Reeve, who first pointed out the privacy problems, said he thought it was unlikely that the issues had arisen out of malice, and that they had more likely happened by accident.

Of course, it’s not easy for Pokémon Go to overtake any Android smartphones. You can check and modify those permissions here. After permissions are revoked, the user is automatically signed out, but the app’s functionality is otherwise unaffected.

Niantic Labs has not yet made any comment. Hopefully, this is an unintended rather than a deliberate action on the developer's part.

The game allows you to create either a Pokémon account (a third party account designed expressly for Pokémon GO and other Pokémon stuff) or to use your Google account. Almost everyone is opting to use their Google account because the Pokémon account system is getting slammed with too much traffic.
