You need to read this. If you log in via your Google account, you are giving the game total access to your email, Google Drive, etc. That is not acceptable. Go to your Google security settings and see for yourself…and tell it no.
It’s a brilliant little game, but one thing a day of playing it has convinced me of — its implementation is crap. Buggy, inconsistent, and now also, a security risk.
baroncognito says
Upon launch, it asked for four permissions:
1) Location
2) pictures and files
3) contact list
4) access to the camera.
I denied it access to the middle two, and when I go to Google security, it doesn’t show up on the list of apps connected to my account.
dodecapode says
It looks like it’s only a total privacy clusterfuck on iOS – the Android version asks for the permissions it needs and gives you the choice of denying them. I said yes to all the things it asked for and it still didn’t give itself total access to my Google account.
I was using a throwaway Google account anyway though.
Becca Stareyes says
Huh, it looks like Ingress (by the same company and using similar data sets for landmarks) only asks for ‘basic profile information’. Wonder why Niantic changed things.
Menyambal says
Thanks, PZ. I was thinking about it, just to figure out how the geolocate bit works. But I just refused to update a bunch of apps that wanted access, so I’m not going to add another.
A guy at work was going on about some people staking out critter locations and robbing folks. It probably happened somewhere.
Nerd of Redhead, Dances OM Trolls says
I’ve heard rumors of G**gle playing fast and loose with ideas like privacy. I avoid their software for the most part, other than G**gle Earth, where I save nothing.
Paul says
Like church on Sunday, it’s just one more thing on my “don’t waste time with it” list.
Rogue Scientist says
Checked, it had full permissions on my Google account (I use iOS). I revoked permission from the Google account and Go doesn’t seem to have any problems with it, even after I’ve logged out and back into the game.
@4 – http://www.usatoday.com/story/tech/2016/07/10/four-suspects-arrested-string-pokemon-go-related-armed-robberies/86922474/ Apparently it did happen at least once. It just means while playing, don’t go anywhere you wouldn’t normally feel safe, even if you think other players are there.
brett says
I just revoked all permission for it from my Gmail account, and set up a second only-for-Pokemon-Go Gmail account just for the app to use. It wasn’t stopping me from using it under my original Gmail account after revoking full access, but I don’t want to put more time into that account only for it to potentially be pulled out from under me in the unknown future – better to just restart now with the new account while I’m still low-leveled.
PZ Myers says
#7: I just did the same experiment: revoked all access, then logged in, and it was fine.
It also grabbed all access right back the instant I logged in.
So I’ve revoked its access once more, and will not log back in unless they fix this.
#8: that sounds like a better solution. I’m not enthused enough about the game to go to the trouble, though.
Corey Fisher says
Given that this isn’t happening on Android, I’m guessing it’s a massive screwup. I’d check back next time it updates, I’d be surprised if that’s not fixed…
qwints says
A follow-up article – looks like a screw-up on iOS where they asked for way more than they intend to use.
http://gizmodo.com/can-pokemon-go-really-read-all-your-emails-1783479136
Rogue Scientist says
@PZ Dang, I checked after revoking and restarting the game and it didn’t have access; but I just checked again and now it does. Ugh. Really don’t like that it can take back access without even popping up a warning.
Do read the article @11 linked if you haven’t – Niantic has issued a response, and hopefully are following through.
andyo says
#1, #2, #10,
This is not an iOS/Android thing. The OS permissions are something else (BTW Android only asks about those permissions since 6.0 “Marshmallow”). What they’re talking about in the post is when you log into the game itself, the type of login that many apps use, you can use your Google account, your FB, Twitter, etc. When you do that, it asks for different permissions on such accounts, which are separate from the OS. I log in with Google to most apps that request it, and always could revoke the permissions before logging in, but it’s not very clear that you can do it.
Google does have privacy and security issues and sometimes even flat-out refuses to recognize them as such. For example, with Chrome they show the passwords saved in it to the Windows user that’s logged in, they are unencrypted while the Windows (and I assume Mac) user is logged in. So on shared computers, anyone can see your passwords. Their excuse is that if an attacker is logged into Windows, then all bets are off cause they could run a keylogger or whatever. But if the passwords remained encrypted within the browser with an individual password, it would be much more difficult for the vast majority of malware to get them. They think of the worst hypothetical scenarios without considering the vastly more common ones, like maybe it’s not a super hacker you’re protecting against, but you just don’t want family members and the occasional friend to have access to all your passwords?
Google’s thinking in general is weird, they do cool things, but from the perspective of out of touch nerd geniuses.
andyo says
I should have said, that was their response until a while ago, but after pressure mounted, they started requiring the Windows password to see the Chrome passwords (you can still freely see the login names and sites though). The problem is that it is easy for programs to extract the passwords and show them to anyone, so it’s pretty much moot if they aren’t encrypted within the browser’s sandbox.
latsot says
As others have said, it does look as though this was an iOS screw-up and the company says it’s fixing it. But it is one major motherfucker of a bug and doesn’t give me much confidence in the rest of their security. They are storing a lot of data about users on their servers and the game’s popularity makes it an irresistible target for hackers. It will be breached sooner or later and their record so far says sooner is more likely. It also suggests that damage resulting from a breach might not be as contained as it could be.
The company’s privacy policy is also a bit of a train wreck. There’s no control over how the data will be stored or used in the future.
I don’t mean to scare anyone off using the app, just make sure your decision to do so is well-informed.
It’s a bad idea to use your Google account to sign in, even if you’re using a separate Google account just for the game.
Matrim says
Easy solution: don’t use your Google account. Take the 90 seconds and make a Pokémon Trainer account. I don’t mean to sound snide, but I generally take it as a given that if you’re linking things together you are compromising security. One of the reasons I don’t use sites or apps that link to your Facebook account.
williamgeorge says
Pokemon Go(es through your nude selfies)?
Grumpy Santa says
A friend of mine is hatching a 10km egg.
Ariaflame, BSc, BF, PhD says
@Matrim #16 I believe people tried that and the Pokémon trainer site wasn’t creating new accounts.
Matrim says
@19, For a few hours while they dealt with the load. I ran into the issue, waited about 2 hours, tried again, worked fine. I don’t know if they’ve had reoccurring issues or not, but things seemed to have been sorted out.
georgelocke says
http://www.usatoday.com/story/tech/gaming/2016/07/12/pokemon-go-maker-says-google-access-error/86980070/
OP is misleading (or the makers of the app are lying). The app seeks *permissions* to access all of that stuff but never touches it. The tone of the OP suggests that they’re munging all your data for commercial gain, which is not the case.