Pokemon Go is a cultural phenomenon that is sweeping the nation.
However, it is starting to raise concerns. Recently, privacy concerns regarding players personal info being released to third-party sites have been raised.
What is Pokemon GO?
Pokemon Go is a part reality–part video game scavenger hunt. Prior to the release of Pokémon Go, the original version was a wildly popular Nintendo game. Now it has moved from the game console and has morped into a free app that can be downloaded and played on Android and iOS devices. In this augmented reality game—the goal is still the same: “catch ‘em all”—but the interface has changed. Now, real life elements are incorporated as part of the game.
In this scavenger hunt, the game accesses your phone’s GPS and clock to decide which Pokémon appear in your game. So for example, if you’re at the park, more bug and grass Pokemon appear. If you’re by a lake, more water types appear. And if it’s at night, you are chasing more nocturnal ghost and fairy types of creatures. So Pokémon won’t just come to you; you actually have to traverse the real world to “catch ’em all.”
Security concerns have risen among Google Account holders. Some players may have unwittingly given the game’s developers access to everything in their Google account, from documents and photos to email messages and search history, including items stored in their cloud. Due to a coding glitch, signing in with a Google account on iOS devices results in giving the app “full access” to the gamer’s account information, meaning “the application can see and modify all information” contained therein.
The player’s Google username and password are never shared directly with the game, however, Google says that it “sends a random code to third-party sites to enable you to sign in to these sites with your Google Account.” In some cases these third party-sites are granted “full account access,” which Google says allows the app to “see and modify nearly all information in your Google Account.”
iPhone and iPad users appear to be especially vulnerable. Adam Reeve, who first documented the issue on his Tumblr blog, said it seems to be a problem isolated to iPhones and iPads. It did not appear to affect Android devices—although users playing on these devices should still be aware.
Pokémon Go for iOS has just been updated to version 1.0.1, with developer Niantic Labs promising improved stability, crash fixes, and a less intrusive grip on Google account permissions.
“Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information,” it said. “Google has verified that no other information has been received or accessed by Pokemon Go or Niantic.”
Even after the fix, some users are reporting that their Google Account is still showing Niantic has full access to their account. If this is the case, Pokemon Go users should:
• Log in to your Google account and open up the “Apps connected to your account” page.
• Scroll down to “Pokemon Go,” then hit “Remove Access.”
• Confirm by hitting “OK.”
While Niantic claims that the level of access that Pokémon Go was granted was an error, security experts say it highlights greater concerns.
“This just shows how incredibly easy it is, right now, for malicious developers to trick users into handing over unlimited access to their Google accounts, usually without even knowing what they are doing,” Ross Schulman, the co-director of the Cybersecurity Initiative and Senior Counsel at the Open Technology Institute told ABC News.