
Pokemon Go – Permissions Update - nate_martin
https://support.pokemongo.nianticlabs.com/hc/en-us/articles/222648408-Permissions-update
======
matt_wulfeck
I'm glad they involved google to make sure the change happens to anyone and
also to verify their claims about access. This is the type of response we
should expect/demand from other companies. Well done.

~~~
Someone1234
I agree it is helpful to involve Google so it can be changed for existing
Pokemon Go users. But I don't see how Google has verified the claim, since
Google themselves have yet to release a statement.

By the way, Google endorsed this comment. Believe me?

~~~
poorman
It's probably much easier to involve Google when you are a Google spinoff
company.

~~~
imron
Yeah, because they likely have the phone number of someone they can call.

------
minimaxir
This is the same message that was released to the press yesterday.

I'm surprised Google itself has not said anything, as they are also at fault
for not showing the permissions workflow in the first place.

~~~
8bitben
Exactly, that's what I'm more worried about - Google needs to present clear
information about what access is provided BEFORE I accept the account
connection. It's not necessarily Niantic's fault for asking for too much, it's
Google's for not at least making me aware.

~~~
eridius
It's entirely plausible that Niantic didn't realize they were asking for too
much specifically because Google didn't show the permissions being asked. So
any time they tested their own app, they would have just seen what everybody
else saw, which is that the app asked for access to the Google Account with no
mention of what permissions.

~~~
kaspiCZ
Despite that, it is vexing that they wouldn't come across this issue during
testing. Maybe it's a production issue. I am very interested in a technical
explanation from either Google or Niantic. They surely had to test iOS app and
check their Google permission page. Otherwise it would be really sloppy
testing.

------
e12e
Isn't this a bit: "Accidentally left open gate to castle. Now closed. No fix
in place to make sure other people working closely with Alphabet/Google won't
leave door open again. Share and enjoy." ?

On another note, from the "privacy policy":

1. REVISIONS TO THIS PRIVACY POLICY

Any information that is collected via our services is covered by the privacy
policy in effect at the time such information is collected. We may revise this
privacy policy from time to time. If we make any material changes to this
privacy policy, including any change that we propose that will have
retroactive effect, we'll notify you of those changes by posting them on the
services or by sending you an email or other notification, and we'll update
the "last updated date" above to indicate when those changes were made.

So, they'll _let you know_ if they apply _retroactive_ changes to the policy?
How is that any different from "lol, you give data, we do what we want, ok?"

~~~
Freak_NL
> So, they'll let you know if they apply retroactive changes to the policy?

Pretty standard for a lot of apps and web services. The alternative is not to
use them, or to be very conscious about what data you supply them with. Most
people just click accept (as with any EULA).

~~~
e12e
Seems like a privacy policy that amounts to "lol, whatever" can't possibly be
legally binding in the EU at least. If it _is_ (found to be) void they could
be required to delete _all_ customer data - as they have no legal grant to
store it or use it for any purpose?

------
biogeneration
I really appreciate that they were able to make a change quickly and provide
transparency about the issue and resolution.

~~~
sliverstorm
Though, I always feel kind of bad about the whole torch-and-pitchforks almost
certainly resulting in some poor sap(s) working 24/7 to fix the issue ASAP
when it really could have been fixed, oh, Thursday. (assuming the absence of
malice, it's just important it get fixed reasonably soon) Especially
considering they doubtless have all kinds of other major issues on their
plate, like the server load problems.

~~~
gwbas1c
As much as I don't like the torch and pitchforks approach, this is the kind of
oversight that should be found long before an app is released. It also shows
that the market won't tolerate broad security overreaches.

I certainly want to try Pokemon Go, but after seeing these articles, I decided
to wait.

------
chromaton
On Android, Pokemon Go requests permission to access your contacts. I declined
this access, and the app still seems to work (modulo the crashes & bugs that
others have reported).

Accessing the camera and location I can understand, but I don't want to give
Pokemon Go access to my contacts.

~~~
disgruntledphd2
I assume that it's for a yet to be implemented find friends feature, but I was
also concerned at that permission request.

------
panic
This update completely broke login for people with Pokemon Trainer Club
accounts. It doesn't even send the HTTP request:
[https://www.reddit.com/r/pokemongo/comments/4sjbeq/ios_users...](https://www.reddit.com/r/pokemongo/comments/4sjbeq/ios_users_who_login_using_pokemon_trainers_club/)

------
saturdaysaint
From the 1.01 iOS release notes: "-Fixed Google account scope"

~~~
minimaxir
Not documented, Pokemon Go now asks for Notification permissions. (Which is
typical of mobile games and should have been done at launch, but ironic given
current circumstances.)

~~~
qzervaas
> should have been done at launch

Generally speaking, this is the worst way to do it, as the app hasn't made a
case for why it needs to send notifications.

It should do it in a contextual way so the user understands that notifications
will enhance their experience of the app.

~~~
bpchaps
Why is it the worst way? It would make total sense to combine those ideas.

~~~
Wofiel
Typically the user should be primed, given reason for what the notifications
will entail, how frequent they might be and so on. It makes users much more
receptive to them if you tell them why they should want to have this optional
feature enabled, rather than a blind notification popup in first launch.

~~~
bpchaps
Right - a popup at launch with useful context rather than a blind "We want
$ALLTHETHINGS".

~~~
qzervaas
Exactly - I just meant not the default popup as soon as you launch without any
explanation or justification.

This is what developers would do in the past with location access also, but as
privacy awareness takes hold people are far more likely just to deny these
permissions.

In iOS it's a pain for a user to actually re-enable the setting after the fact.

------
quaffapint
Keep in mind you don't have to login with your google account - you can create
a free pokemon club account and use that.

~~~
sp332
That site has been down continuously for days, so it might not be a real
option.

Edit: OK, _continually_ since it does seem to be up sometimes!

~~~
quaffapint
I just did it this morning - just refreshed the page once and it worked fine.

------
mattlutze
I'm slightly curious how we prove the statements to be true.

There wasn't the normal "this app wants ___ permissions, is that cool?"
message from the Google OAuth dialog. I had no idea I'd authorized Niantic to
go scrape all my emails, access Google's own processing on them for
advertisement system training or review my location history, for example.

I'm not so sure why I should believe they didn't do that.

------
foota
I wonder how many applications do the same thing and haven't been called out
on it.

~~~
cavisne
The difference here is the "grant full access" screen was never shown to
users. That shouldn't be possible and speculation is that either the app
somehow hijacked past the screen, or Niantic being an ex-google company was
whitelisted to avoid this.

I can easily see how the second would happen, I wonder if Ingress (their
previous inside google app) even showed up on your list of authorized third
parties?

~~~
foota
From what others have posted here, any native app that loads the oauth flow in
a web view control or whatever it's called, has full control over it, and so
can do anything it wants.

------
mark_l_watson
I didn't think they were doing anything nefarious but you never know. I think
I will install it now, to see what my grandchildren have been talking about.

~~~
ryanschneider
The concern (at least for me) wasn't that Niantic was doing anything
nefarious, it was that if they didn't even know they were asking for full
permission are they professional enough to prevent that full permission from
being misused by a malicious actor? The app is so popular that an exploit
could be a gold mine for black hats.

Glad to see Google patching the permissions server-side, as I bet a lot of
people just checked the app out once out of curiosity and won't launch the
updated version.

------
stephenyeargin
Take a look at this list of potential things you can ask for as a developer:

[https://developers.google.com/identity/protocols/googlescope...](https://developers.google.com/identity/protocols/googlescopes)

And most folks will click "Approve" without really reviewing the list. That
said, Twitter and Facebook (two other popular OAuth providers) heavily
restrict certain "full" access to only trusted applications that they either
have a business relationship with or otherwise review the application before
allowing those scopes to be requested or used. This incident may prompt Google
to do more of that, which isn't entirely great news for the more responsible
developers with purpose-built apps.
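
The practical check behind this comment is to look at what an OAuth authorization request actually asks for before anyone clicks "Approve". The following is an added example, not code from the thread or from Niantic or Google: it parses the `scope` parameter out of a Google-style OAuth 2.0 authorization URL and flags every scope that is not on a least-privilege allowlist. The allowlist (sign-in identity scopes only), the sample URL, its `client_id` and `redirect_uri` are all constructed for the example; the scope strings themselves are real Google scopes.

```python
from urllib.parse import urlparse, parse_qs

# Assumed least-privilege allowlist for an app that only needs "sign in with
# Google": identity scopes and nothing else. Constructed for this example.
LEAST_PRIVILEGE_SCOPES = {
    "openid",
    "email",
    "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}


def parse_requested_scopes(auth_url):
    """Return the list of scopes requested in an OAuth 2.0 authorization URL.

    The `scope` parameter is a single space-separated string (URL-encoded as
    %20 or +); parse_qs decodes it for us before we split it.
    """
    query = parse_qs(urlparse(auth_url).query)
    raw = query.get("scope", [""])[0]
    return [s for s in raw.split(" ") if s]


def audit_scopes(requested, allowed=LEAST_PRIVILEGE_SCOPES):
    """Split requested scopes into (permitted, excess) against the allowlist.

    Anything in `excess` is a scope the app is asking for beyond what sign-in
    needs and is what a reviewer (or the consent screen) should surface.
    """
    permitted = [s for s in requested if s in allowed]
    excess = [s for s in requested if s not in allowed]
    return permitted, excess


# Constructed sample: besides the sign-in scopes, this request asks for full
# Gmail access (https://mail.google.com/). client_id and redirect_uri are
# placeholders, not real values.
SAMPLE_AUTH_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=EXAMPLE_CLIENT_ID"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback"
    "&response_type=code"
    "&scope=openid%20email%20https%3A%2F%2Fmail.google.com%2F"
)


if __name__ == "__main__":
    requested = parse_requested_scopes(SAMPLE_AUTH_URL)
    permitted, excess = audit_scopes(requested)
    print("requested:", requested)
    print("within allowlist:", permitted)
    print("exceeds allowlist:", excess)
```

Run against a real authorization URL captured from your own app's sign-in flow, a non-empty `excess` list is the thing to fix before release, whether or not the provider's consent screen happens to display it.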

~~~
tommorris
That's why Facebook changed their APIs in 2014. Before any app could ask for
anything. Now apps can only ask for public profile data, email address and a
list of your friends that have also installed the app.

Before you could also get stuff like education and work history, family
relationships, relationship status, sexual orientation and a whole load of
other stuff that could potentially cause a lot of trouble. And people would
happily click OK just to play FarmVille or whatever.

Now Facebook makes it so any app needing advanced permissions data has to be
reviewed by Facebook first.

See [https://developers.facebook.com/blog/post/2014/04/30/the-new-facebook-login/](https://developers.facebook.com/blog/post/2014/04/30/the-new-facebook-login/)

------
qwertyuiop924
Great. Although this is really a left-pad situation: it's good that they fixed
it, but that fact that it was a problem in the first place is pretty damn
disturbing.

------
callesgg
Initial thought: Wow that company is so great... that they did the right
thing...

...Wait a second, do I think a company is great just cause they do things the
way they should do them?

~~~
TeMPOraL
Yes. Because it's an uncommon thing for a company to do right by their
customers, and everyone that does IMO deserves praise (and more business).

------
rtanaka
It is indeed fixed but updating iOS app alone does not change the permissions.
I had to sign out of the app, revoke the permissions on google and then sign
back in.

~~~
ajoy39
That's why they're involving Google; Google is handling the permissions changes.

------
unimpressive
Oh good, I can finally feel comfortable about installing it.

------
sl1e
Is the button that takes me to login with Google account the same as using a
Google email address to create an account?

------
aftbit
Perfect response! :)

------
cocotino
Bit of OT

Played Pokémon GO yesterday (iOS 1.0 version) and it was very buggy. Many bugs
looked like they were server side (requests freezing), but there were strange
rendering errors (like seeing only waves on the ground where Pokémon are, and
not the actual Pokémon on them) that could be fixed by restarting the app
several times. The phone also got absurdly hot, I never play on it, I don't
know if it's normal for it to get like that, but I could barely hold it in my
hand.

I literally couldn't understand all the fuss about the game, it was unplayable
for me...

~~~
weberc2
Yep, that's about right. This app is shit on iOS. I thought the App Store was
supposed to have a quality review process, but this thing crashes all the
time.

~~~
alex_anglin
Haven't played it, but testing an app without any significant load would seem
to be pretty different from scaling up the backend to twitter-scale in a
couple of days.

~~~
weberc2
Why should the app crash or hang for backend issues?

