Hit App Pokemon Go Raises Security Concerns for Google Account Holders

The app "erroneously" requests full access to users' Google accounts.

By ABC News
July 12, 2016, 4:12 PM

The biggest concern for most users of the new hit app Pokémon Go is where to catch their next Pokémon or how much money they can budget for the game's in-app purchases.

However, many of those who used their Google accounts to sign up for the game on iOS may be surprised to know that they have basically handed the keys to their account to the game's developer.

When users first load the game, they are prompted to register for an account. One option they are offered is to quickly log in using their Google account.

If that option is selected, the player is then taken to a Google log-in page -- much like the log-in page for Gmail.

The user can then enter their Google account details, which authorizes the login attempt and, if successful, redirects them back to the app to proceed with playing the game.

The player’s Google username and password are never shared directly with the game. However, Google says that it “sends a random code to third-party sites to enable you to sign in to these sites with your Google Account."

“This code doesn't reveal any personal information,” according to Google. “Also, the security of your Google Account will not be compromised by signing in to other sites with your account.”

However, that code does grant a certain amount of access to a user’s Google-held data to the third-party application.

In some instances, third-party applications only get “access to basic data from your account, like your name, email, gender, or country,” according to Google.

But others are granted “full account access," which Google says allows the app to “see and modify nearly all information in your Google Account.”

PHOTO: Pokemon Go takes full access when used with a Google account.

In response to concerns, Niantic, the company that developed the game for Nintendo, said that the game’s request for full account access was a mistake, and said “Pokémon GO only accesses basic Google profile information (specifically, your user ID and email address) and no other Google account information is or has been accessed or collected.”

The software development company said that it is working on an update that would see the app only request basic account information. Google has also confirmed to ABC News that it will soon reduce the game's account permission so that it can only access the most basic profile data required for the game to function.

Logging into apps and web services using social media accounts is a common practice.

Google, Facebook and Twitter, among others, allow their users to use their accounts to sign in to third-party sites. It’s a convenient way for users to use other services without having to keep track of a username and password for each account.

While Niantic claims that the level of access that Pokémon Go was granted was an error, security experts say it highlights greater concerns.

“This just shows how incredibly easy it is, right now, for malicious developers to trick users into handing over unlimited access to their Google accounts, usually without even knowing what they are doing,” Ross Schulman, the co-director of the Cybersecurity Initiative and Senior Counsel at the Open Technology Institute, told ABC News.

Sen. Al Franken, the ranking member on the Senate's Privacy, Technology, and the Law Subcommittee, has sent a letter to Niantic calling on it to explain the collection and use of users' data.

"I am concerned about the extent to which Niantic may be unnecessarily collecting, using, and sharing a wide range of users’ personal information without their appropriate consent," the senator said in the letter. "As the augmented reality market evolves, I ask that you provide greater clarity on how Niantic is addressing issues of user privacy and security, particularly that of its younger players."

Concerns over security do not appear to have dampened the game's popularity.

Since its July 6 release, the game has become somewhat of a cultural phenomenon, captivating the attention of users across the U.S.

In a sign of just how popular the game has become, the U.S. Marine Corps tweeted a screenshot of soldiers surrounding a Pikachu that the virtual reality game made appear on a firing line.
