Pokemon Go oh no no no, we're not reading your email, says gamemaker
God-mode access token found in wildly popular app
Final update: This was a developing story, so read through to the updates for the full scoop.
Smash-hit mobile game Pokemon Go's catchphrase is "you gotta catch 'em all" – gotta catch all your Google accounts, it seems.
As spotted today by IT architect Adam Reeve, the ultra-popular monster-catching vitamin-D-injecting exercise-encouraging game is potentially a privacy nightmare on Apple iOS devices: the software appears to gain extensive access to your Google account when you sign up.
You can avoid using Google by creating an account for the game via the Pokemon Trainer Club website – but that service has been overloaded by players so plenty of people are using their Google accounts to join instead. According to stats out today, Pokemon Go was rolled out across the world last week, has been installed more than five million times, and already has nearly the same number of daily Android users as Twitter.
When you opt to use your Google account as your Pokemon Go sign-in, the iOS version of the Nintendo-backed title automatically gains "full access to your Google account," meaning "the application can see and modify nearly all information in your Google account."
This suggests the game and its developer Niantic can potentially read your Gmail messages, peek at your Drive documents and private photos, and access your other files held in Google's cloud. The software also requires access to your phone's camera, contacts, whereabouts, storage, Bluetooth, Google Play billing, and more, on Android. Given this privacy laundry list, the FBI and NSA will offer to make the next Pokemon title.
There is no suggestion that Niantic is abusing the account access granted to its software.
Frustratingly, it is not clear how far "full access control" really goes. The wording used by Google in its documentation varies depending on where you look. On one page, Google says "this 'full account access' privilege should only be granted to applications you fully trust," because they can get at "nearly all information in your Google account."
However, on other pages and within the Google API Explorer, there is talk of fine-grained control. For example, reading Gmail messages requires an app to have permission to access Gmail, which Pokemon Go doesn't explicitly have – just "full account access."
Niantic spun out of Google in 2015, built augmented-reality game Ingress, and then used that to create Pokemon Go – think of it as regular Pokemon with Google Maps. You run around outdoors – the real outdoors – looking for creatures to capture; the monsters are superimposed over your phone's camera view to help you imagine catching them when you get near one. Your phone's location is used to work out if you're close to a generated pokemon.
And thousands upon thousands of people are obsessed with it.
When you use your Google account to sign up, you should get a dialog box asking if you're OK with granting the app permission to control your Google account. But that doesn't appear on Apple devices.
To be clear, not everyone who uses their Google account to sign in hands over control: Android phones do not gain access, it seems, but iOS devices do. When we tried using the game on an up-to-date iPhone 6S, it was granted full account access. An up-to-date Android Nexus 6P did not get full access.
If you think you're affected, you should check the app permissions page for your Google account to see what exactly you've granted Pokemon Go. If you're not happy with this level of intrusion, you should log into your Google account and revoke access to Pokemon Go.
We've asked Niantic and Google for comment. Meanwhile, in San Francisco and Chicago, planned Pokemon Go gatherings have garnered the interest of thousands of players. And malware writers and muggers are loving the app, too. ®
Updated to add on July 11
San Francisco-based Niantic has sent us a statement responding to today's confusion: it says it didn't read your email, and the "full account access" permissions granted to its iOS app will be scaled back by Google. Here it is:
We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user's Google account. However, Pokémon Go only accesses basic Google profile information (specifically, your user ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go's permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves.
Well, OK. So Niantic says it didn't look inside your Gmail inbox. Whether or not it actually had the power to do so is the crunch question: was Niantic, an ex-Google organization, granted wildcard access to Google user accounts? Apparently, yes, it was.
Analysis of the Pokemon Go app by Slack security engineer Ari Rubinstein confirms that the software only requests your OpenID and email address from Google, and is configured to only get that information about your account. Future versions could turn evil and try to access more services, although players would have to sign in again for that to take effect.
In any case, Google will restrict the game's access to players' basic profile details. So that's the end of that. Even if Niantic wanted to abuse its access permissions in future builds of its game, and snoop on people's emails and private selfies, it won't be able to.
Final update on July 13
Rubinstein has posted more technical details behind Pokemon Go's use of permissions: it appears the game used undocumented APIs to obtain a token that could be exchanged with Google for extra rights, such as the right to read the user's Gmail messages. It never exercised that power, but the potential was there, hence Google and Niantic's shyness to reveal exactly how they screwed this one up.
Anyway, Google and Niantic have now downgraded the "full access" permissions for the game. Go ahead and play it – just don't run into traffic chasing a pikachu.