The massively popular Pokémon Go game, released just a few days ago, obtains full access to a Google account when it’s chosen as an authentication option while setting up the app in iOS. Android is unaffected. While the iOS app also allows using a Pokémon Trainer Club account, the option to create a new club account is unavailable at this writing, apparently due to system overload.
Update: A Pokémon Go update is now available, which includes a fix for the Google account data access. After installing the update, the game will say that it has access to only your Google user ID and email address.
In a statement late Monday, the game’s developer, Niantic, said that it was an error to request that level of access, and the app only made use of a Google account’s name and associated email address. The firm is updating the app to reduce what permissions are requested, and said Google will automatically reduce its app permissions. Niantic’s complete statement appears at the end of the article.
Adam Reeve, a principal architect at analytics firm Red Owl, posted a warning on his personal blog on Friday about this Google account issue. Most apps request a minimum amount of account access (or “basic profile information,” as Google terms it) to provide a link, partly because of frequent blowback from users, pundits, and sometimes regulators when apps ask for too much.
Testing on iOS confirmed Reeve’s report: when the Google account option is selected, the app presents a standard Google in-app login, including requiring a second factor if that’s enabled. However, neither the app nor Google’s login process discloses that the app gains full access. Visiting a Google account’s Connected Apps & Sites link reveals the app’s access status. (On Android, authentication happens without granting that access, as confirmed in testing and with several Android users. Only local permissions for contacts, camera, and other features are granted, with separate prompts for each.)
Access can be revoked without disabling the app, however. In the Connected Apps & Sites settings, click the Pokémon Go Release entry, click Remove, and then click OK. The game will continue to function, although it’s possible it may request authentication again at a later point.
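The practical check behind the paragraphs above is to look at which OAuth scopes an app requested or was granted and compare them with “basic profile information.” The following is an added example, not code from the article or from Niantic or Google: it parses the `scope` parameter from a Google-style OAuth authorization URL and from a tokeninfo-style JSON body, then flags anything beyond identity and email. The scope identifiers are Google’s published OAuth scope names; the authorization URL and the tokeninfo body are constructed sample inputs, not captured from the Pokémon Go app.

```python
"""
Audit the OAuth 2.0 scopes an app has requested or been granted for a Google
account, and flag anything beyond basic profile information.

Added example; the URL and tokeninfo body below are constructed, not real captures.
"""
import json
from urllib.parse import urlparse, parse_qs

# Scopes that amount to "basic profile information": identity and email only.
BASIC_PROFILE_SCOPES = {
    "openid",
    "email",
    "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

# A few well-known broad scopes and what they unlock, used only for the report.
# Any scope outside BASIC_PROFILE_SCOPES is treated as elevated, listed here or not.
ELEVATED_SCOPE_NOTES = {
    "https://mail.google.com/": "full Gmail read/send/delete",
    "https://www.googleapis.com/auth/gmail.readonly": "read all Gmail",
    "https://www.googleapis.com/auth/drive": "full Google Drive access",
    "https://www.googleapis.com/auth/contacts": "read/write contacts",
}


def scopes_from_auth_url(url):
    """Extract the space-separated `scope` parameter from an OAuth authorization URL."""
    query = parse_qs(urlparse(url).query)
    raw = query.get("scope", [""])[0]
    return sorted(s for s in raw.split() if s)


def scopes_from_tokeninfo(body):
    """Extract scopes from a tokeninfo-style JSON body (its `scope` field is space-separated)."""
    data = json.loads(body)
    return sorted(s for s in data.get("scope", "").split() if s)


def audit_scopes(scopes):
    """Split scopes into basic vs. elevated and say whether the grant exceeds basic profile."""
    basic = [s for s in scopes if s in BASIC_PROFILE_SCOPES]
    elevated = [s for s in scopes if s not in BASIC_PROFILE_SCOPES]
    return {
        "basic": basic,
        "elevated": elevated,
        "exceeds_basic_profile": bool(elevated),
        "notes": {s: ELEVATED_SCOPE_NOTES.get(s, "not a basic-profile scope; review")
                  for s in elevated},
    }


# Constructed sample: an authorization request asking for identity and email only.
SAMPLE_MINIMAL_AUTH_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?"
    "client_id=example-client.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb"
    "&response_type=code"
    "&scope=openid%20email%20profile"
)

# Constructed sample: a tokeninfo-style response for a token carrying broad scopes.
SAMPLE_BROAD_TOKENINFO = json.dumps({
    "email": "user@example.com",
    "expires_in": "3599",
    "scope": "openid email https://mail.google.com/ https://www.googleapis.com/auth/drive",
})

if __name__ == "__main__":
    for label, scopes in (
        ("auth URL", scopes_from_auth_url(SAMPLE_MINIMAL_AUTH_URL)),
        ("tokeninfo", scopes_from_tokeninfo(SAMPLE_BROAD_TOKENINFO)),
    ):
        report = audit_scopes(scopes)
        print(label, "exceeds basic profile:", report["exceeds_basic_profile"])
        for scope, note in report["notes"].items():
            print("   ", scope, "->", note)
```

The allowlist approach is deliberate: rather than trying to enumerate every dangerous scope, anything that is not identity-or-email is reported for review, which is the same judgement a user makes when the Connected Apps & Sites page shows “full account access” instead of “basic profile information.”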
Why this could be troubling
Full access allows an app or website to act effectively as if it were the account owner, including access to email, contacts, and Google Drive files. (A request to Google to clarify the extent of full access received no response.) Full access isn’t inherently a security flaw, but it does open Niantic’s users to risk should its systems be compromised either by an internal or external party. And it gives the company a rope by which it could hang itself, if it should choose to exercise this high level of access, such as sending Gmail on behalf of users.
The risk from attack comes from how the Google account linkage works. With a locally managed account system, like the Trainer Club, an account database contains a mix of unencrypted entries for elements like a user’s account name and email address, and encrypted entries for passwords. With good cryptographic system design, even should an attacker obtain an entire database, the passwords can’t be extracted, even with enormous effort. (Weak systems allow brute-force attacks.)
However, apps and sites that use accounts for authentication run by other sites—like Google, Twitter, and Facebook—don’t store a password, encrypted or otherwise, for that third-party site. Rather, after a user logs into the third-party site and the account is verified, a developer receives a token, just a short piece of unique text, that’s stored and used to handle interaction.
An attacker need only obtain that token to make use of the linked account, whether posting messages on Twitter or reading email on Google.
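The contrast the preceding three paragraphs draw, between a locally managed account database and a store of third-party login tokens, can be shown directly. The following is an added example, not code from the article or from any of the companies named in it. It models the local design with the standard salted password hash (the article says “encrypted”; a one-way hash is what a well-designed system actually stores) and the third-party design with a stored bearer token, then shows what a copy of each store gives an attacker. The users, passwords, token and the stand-in `fake_google_api_call` function are all constructed.

```python
"""
Why a leaked token is worse than a leaked password hash.

Added example. Models the two account designs the article contrasts:
  - LocalAccountStore keeps only a salted PBKDF2 hash of each password.
  - ThirdPartyLoginStore keeps the token received after the third party verified the user.
All names, passwords and tokens are constructed.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 200_000  # illustrative work factor; real deployments tune this


def hash_password(password, salt=None):
    """Return (salt, digest). The store keeps both; the password itself is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, stored_digest):
    """Recompute the digest and compare in constant time; only the original password verifies."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


class LocalAccountStore:
    """Locally managed accounts: plaintext name/email, hashed password (the Trainer Club model)."""

    def __init__(self):
        self.rows = {}

    def register(self, username, email, password):
        salt, digest = hash_password(password)
        self.rows[username] = {"email": email, "salt": salt, "pw_hash": digest}

    def login(self, username, password):
        row = self.rows.get(username)
        return bool(row) and verify_password(password, row["salt"], row["pw_hash"])


class ThirdPartyLoginStore:
    """Third-party login: no password at all, just the token the app received from the provider."""

    def __init__(self):
        self.rows = {}

    def link(self, username, email, token):
        self.rows[username] = {"email": email, "token": token}

    def token_for(self, username):
        return self.rows[username]["token"]


def fake_google_api_call(presented_token, valid_tokens):
    """Constructed stand-in for the provider's API: whoever holds a valid token is the user."""
    return presented_token in valid_tokens


def simulate_breach():
    """Show what an attacker holding a full copy of each store can do with it."""
    local = LocalAccountStore()
    local.register("ash", "ash@example.com", "pikachu-rules-2016")
    leaked_row = dict(local.rows["ash"])  # the attacker's copy of the database row
    # The dump holds the hash, not the password; presenting the hash as the password fails,
    # and recovering the password means brute-forcing through the PBKDF2 work factor.
    hash_dump_grants_access = local.login("ash", leaked_row["pw_hash"].hex())

    third = ThirdPartyLoginStore()
    issued = secrets.token_urlsafe(32)  # constructed stand-in for a provider-issued token
    third.link("ash", "ash@example.com", issued)
    leaked_token = third.token_for("ash")  # the attacker's copy of the same row
    # The dump holds the credential itself; it works as-is until revoked or expired.
    token_dump_grants_access = fake_google_api_call(leaked_token, {issued})

    return {
        "hash_dump_grants_access": hash_dump_grants_access,
        "token_dump_grants_access": token_dump_grants_access,
    }


if __name__ == "__main__":
    print(simulate_breach())
```

The defensive consequence follows from the last two lines of `simulate_breach`: a token store needs the controls a password hash does not, namely the narrowest scopes the app can work with, short token lifetimes, encryption at rest with keys held away from the database, and a revocation path (the Connected Apps & Sites removal described above is that path on the user’s side).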
As Reeve notes, access to email alone can be the thin edge of a wedge to hijack someone’s identity and accounts at multiple sites. Many people use Gmail as their primary or secondary email address, and so other sites would send password-recovery emails to that Gmail account. An attacker with email addresses and tokens could try to reset passwords at popular sites at which it’s likely Pokémon Go users had accounts, and then take over those related accounts.
A spokesperson for Niantic, the game’s developer, said the company has no comment on the matter at this time. We’ve also contacted Google and will update this story when new information arises. (Niantic was once owned by Google, and was spun off as a freestanding company in October 2015 with investment from Google, the Pokémon Company, and Nintendo, which owns a third of the Pokémon Company.)
Niantic’s complete statement:
Update: This story was updated with a response from Niantic and with instructions to revoke Google account access.