
Pokemon Go is a huge security risk - patchoulol
http://adamreeve.tumblr.com/post/147120922009/pokemon-go-is-a-huge-security-risk
======
RKoutnik
It's worth noting that Niantic Labs (the folks who licensed Pokemon from
Nintendo and made Pokemon Go) are actually _owned_ by Google [0]. This is
Google giving itself permission to do Google things. Dollars to doughnuts they
tried to use some internal-only API because things kept falling over at
pokemon.com. Is this a massive UX failure? Certainly. Is giving Google
permission to access Google stuff a "Huge security risk"? No more than putting
your stuff in Google's hands in the first place.

Niantic are also the folks behind Ingress, if you've heard of that.

[0] Specifically, Alphabet owns a significant portion of Niantic, along with
Nintendo: [https://nianticlabs.com/blog/niantic-tpc-nintendo/](https://nianticlabs.com/blog/niantic-tpc-nintendo/) (they were
previously wholly-owned by Google).

~~~
wlesieutre
They _were_ an Alphabet company, but were spun off last year:
[https://www.theguardian.com/technology/2015/aug/14/niantic-l...](https://www.theguardian.com/technology/2015/aug/14/niantic-labs-departs-google-alphabet-ingress)

~~~
RKoutnik
Right, so not only did they spend a significant amount of time steeping in
Google itself, the big G then invested a significant amount of cash into the
now-spun-out company. I'd say that qualifies as 'owned'.

~~~
falcolas
How does that make the permission creep OK? If they were part of Google, and
_already had access_ to the data, that's one thing. But they aren't, and they
don't.

------
ChrisLTD
Update from Niantic in this Game Informer article
[http://www.gameinformer.com/b/news/archive/2016/07/11/pokemo...](http://www.gameinformer.com/b/news/archive/2016/07/11/pokemon-go-has-access-to-your-entire-google-account.aspx)

_"We recently discovered that the Pokémon GO account creation process on iOS
erroneously requests full access permission for the user’s Google account.
However, Pokémon GO only accesses basic Google profile information
(specifically, your User ID and email address) and no other Google account
information is or has been accessed or collected. Once we became aware of this
error, we began working on a client-side fix to request permission for only
basic Google profile information, in line with the data that we actually
access. Google has verified that no other information has been received or
accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s
permission to only the basic profile data that Pokémon GO needs, and users do
not need to take any actions themselves."_

~~~
andyjdavis
I actually just finished wrangling social log in for a system that is waaaay
less popular than Pokemon GO. Rather amusing to see an organization operating
at a vastly bigger scale still hitting the same sorts of speed bumps.

------
hughes
If google auth as a platform grants _full access_ to your google account
without any sort of confirmation, isn't _that_ the security risk? Whether or
not it's intentional or malicious on the part of Niantic, that seems like the
real problem here.

~~~
mtrpcic
Yeah, I agree. I strongly suspect that the scope of permissions requests was
an oversight (e.g. just ask for everything now, we'll pare it down once we
know what data we need). Additionally, while I don't like the idea of having
Niantic having access to my entire Google account, let's remember that Niantic
started as a Google company, and is now under the Alphabet umbrella, so they have a
vested interest in keeping things on the up-and-up. Lastly, Nintendo is up 35%
thanks to this game (about $7B), and I strongly doubt that there is anything
they could gain from scraping/abusing these Google accounts that would come
even close to that type of impact. My money is on "bad development process and
oversight", and this is just one of many rough edges that I've already noticed
in the software.

~~~
ceejayoz
> I strongly doubt that there is anything they could gain from
> scraping/abusing these Google accounts that would come even close to that
> type of impact.

I'd have said the same about VW's emissions cheating scandal before it broke.

------
arielweisberg
And just like that I will never sign in with Google anywhere ever again. I
just assumed that an app couldn't grant itself full permissions without
notifying me, but now I can see why that might not be the case since they are
free to present whatever UI they want in app.

In my dream world Google would revoke Niantic's API access forever in order to
make an example out of them. Maybe, eventually, if they can prove that they
didn't hoover up all the information they had access to they can be unbanned
after a year.

Unlikely though considering they used to be a part of Google.

~~~
chatmasta
This is a fundamental security issue due to a combination of the OAuth
protocol and UIWebView (and whatever the Android equivalent is), which I've
posted about before [0]. Basically, the problem is that OAuth depends on web-
based access granting, but an app has full permissions over the DOM of the
WebView where the OAuth screen is. So you're entering your password into a
WebView of a third party URL, but unlike a traditional safari page, the
WebView is fully "owned" by the app, so the developers can inject arbitrary
code into the DOM of the third party website.

There is no technical limitation to an app engaging in _very_ nefarious
activity. For example an app could modify the DOM on the sign-in screen to
grab your password after you enter it. Of course the accountability of MITM
and security reviews might mitigate this risk, but passwords are generally
only a few bytes and could easily be obfuscated and passed surreptitiously
over the wire.

I've seen a (quite popular) app implement this for facebook invitations, which
should only have a limit of 50 friends, to secretly (in the background,
without any action on your behalf other than logging in, or perhaps pressing a
"continue" button) invite every one of your friends to download the app. Since
facebook does not notify you when you send an invitation, you would not even
know the app did this unless one of your friends who you invited asked you
about it.

[0]
[https://news.ycombinator.com/item?id=11637209](https://news.ycombinator.com/item?id=11637209)
(thanks molecule)

~~~
crescentfresh
> the WebView is fully "owned" by the app, so the developers can inject
> arbitrary code into the DOM of the third party website

Uh, seriously? I just suggested to our mobile team to integrate this way on
Android (I implemented the OAuth 2 server).

I would've made the same suggestion to a 3rd party app vendor when the day
comes.

~~~
russjr08
A Chrome Custom Tab is probably the better way to go.

------
drivers99
"Pokemon Go Release" has "full access" and yet "Ingress" (a game very similar
to Pokemon Go from the same company) only has "basic account info". I removed
the access and when I started the app, it crashed right away. (I'm on iOS, by
the way.) Subsequent launch I'm stuck on the "LOADING..." screen, and then it
says "Failed to get player information from the server." I hope the servers
are just down and I didn't lock myself out. (Or maybe I should be glad until
they fix this breach.) Edit: Deleting the app and reinstalling allowed me to
log in again.

It appears to be the iOS version only that's doing this, according to this
article:

[http://9to5google.com/2016/07/11/psa-pokemon-go-full-access-...](http://9to5google.com/2016/07/11/psa-pokemon-go-full-access-google-accounts-iphone/)

~~~
BryantD
When I checked this morning Ingress also had full perms. I revoked and
reconnected and Ingress only had basic account info. I was also queried
appropriately.

Possibly this was fixed on Ingress sometime in the last X months but not on
Pokemon Go.

~~~
biehl
Same here. I granted Ingress access in Nov 2015

------
seagray
I don't see any access granted to Pokemon Go (it's not even listed) in the
"Apps Connected to your Account" page:
[https://security.google.com/settings/security/permissions](https://security.google.com/settings/security/permissions)

I am running on a Nexus 6 and signed in with my Google Account when I first
launched the app.

Try revoking access and see what happens. Worst case, it might ask you to sign
in again.

~~~
jpreiland
on iPhone 6s, checked and saw it had full access. I revoked access and opened
the app up. It was stuck loading so I logged out and back in. Went back to
check app permissions on google and it had full access again.

~~~
towelrod
Wait, you revoked access from within google, and then the pokemon app was able
to give itself access again without asking for permission?

~~~
jpreiland
Yes. I'm not sure if I need to re-log in the app or not though. Maybe if it
didn't freeze and I didn't have to re-log then it might have left the access
revoked. But it seems that once I re-log the full access goes back into
effect.

~~~
peterkelly
re-logging in is re-authorization

------
NeonVice
"[T]his section of the privacy page on the Google account settings website is
only showing up for those that have played on iOS and signed in using the
Google button. Android users who used the same login method are not seeing the
“Pokemon Go Release” at all on the permissions site (nor do they see Ingress),
so we’re not sure yet if those users have trusted Niantic with their entire
Google account as well." source: [http://9to5google.com/2016/07/11/psa-pokemon-go-full-access-...](http://9to5google.com/2016/07/11/psa-pokemon-go-full-access-google-accounts-iphone/)

~~~
thevibesman
> Android users who used the same login method are not seeing the “Pokemon Go
> Release” at all on the permissions site (nor do they see Ingress)

This is interesting, I can't test this myself as I have previously played
Ingress on both iPhone and Android.

My Android device is mostly for development/testing, so I'm not nearly as
regular a user of the platform as I am for iOS.

Could any Android users comment on if this is normal to not see Android apps
like Ingress on this authorization list?

~~~
mr_potato_face
I've never played Ingress, but I've played PGO for android. Google account
settings
([https://security.google.com/settings/security/permissions](https://security.google.com/settings/security/permissions))
shows an empty list for me.

------
rwallace
Caveat: I've seen a number of players state or imply that playing this game
has been the first decent exercise they've had in years. Lack of exercise is a
far greater threat to your well-being than having your Google account hacked,
so if that's what it takes, go ahead and play the game anyway.

~~~
jonny_eh
Pokemon Go, like most apps, is likely just a fad. In a few months, only a few
thousand die hards will still be playing it. But the full access permissions
will still be there.

~~~
TheOneTrueKyle
That's what my parents said 20 years ago... hasn't died yet

~~~
TheGRS
You should try the Go game. It may have some lasting power I haven't seen yet,
but it's not the normal Pokemon game by any stretch. The core gameplay is
actually pretty boring once you've done it for a little while (i.e. once the
initial euphoria of catching things wears off).

~~~
TheOneTrueKyle
Oh I have been playing and while it is far inferior to the core Pokemon
gameplay, I have met over 30 new people because of this game in less than a
week. People who I've never talked to at work, I am now talking to.

I have honestly never used an app that has brought me closer together to the
people around me. I don't see this being a fad.

------
maknz
Full access is bad enough, but the really dodgy thing going on is that you
never get asked to approve or deny that access for Pokemon Go when doing the
OAuth flow. You just log in, proceed through 2fa, and you're magically logged
into the app. Pokemon Go Release then shows up as an authorised app... except
I never authorised it.

My theory is that they're injecting JavaScript into the web view to
automatically press the 'Approve' button and hiding that from the user. If
true, that's very worrying. They'd be effectively circumventing the whole
OAuth framework by forging the user's approval of the app. Every user should
have been asked up-front whether or not they wanted to approve or deny Pokemon
Go's full access.
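As an added illustration of the point raised in this thread (not code from Niantic, Google, or any commenter): a sign-in-only client should request nothing beyond basic profile scopes, force the consent screen so the user actually sees what is being granted, and then audit the `scope` field Google returns with the token against what was requested. The endpoint and parameter names are Google's documented OAuth 2.0 ones; the client id, redirect URI and token responses below are constructed placeholders.

```python
"""Minimal-scope Google sign-in request plus a granted-scope audit.

Added example for this discussion; not Niantic's, Google's or any
poster's code. client_id, redirect_uri and the token responses are
constructed placeholders.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# The only scopes a "sign in with Google" button needs: OpenID Connect basics.
BASIC_PROFILE_SCOPES = frozenset({"openid", "email", "profile"})


def make_pkce_pair():
    """Return (code_verifier, code_challenge) per RFC 7636, S256 method."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_auth_url(client_id, redirect_uri, scopes, state, code_challenge):
    """Build the authorization URL for the system browser (not an embedded WebView).

    prompt=consent makes Google show the consent screen listing every scope,
    so a user can see and refuse an over-broad request.
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(sorted(scopes)),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "prompt": "consent",
        "access_type": "online",
    }
    return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params)


def requested_scopes(auth_url):
    """Extract the space-delimited scope list from an authorization URL."""
    query = parse_qs(urlparse(auth_url).query)
    return set(query.get("scope", [""])[0].split())


def audit_granted_scopes(token_response, allowed=BASIC_PROFILE_SCOPES):
    """Return scopes in the token response that exceed the allowed set.

    Google echoes the scopes actually granted in the token response's
    `scope` field; an empty result means the grant matched the minimal
    request. Anything else should be logged and the token discarded.
    """
    granted = set(token_response.get("scope", "").split())
    return granted - set(allowed)


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    url = build_auth_url(
        "example-client-id.apps.googleusercontent.com",  # placeholder
        "com.example.app:/oauth2redirect",               # placeholder
        BASIC_PROFILE_SCOPES,
        secrets.token_urlsafe(16),
        challenge,
    )
    print("authorize at:", url)
    # Constructed token responses: one minimal, one that would warrant alarm.
    minimal = {"scope": "openid email profile", "token_type": "Bearer"}
    overbroad = {"scope": "openid email https://mail.google.com/", "token_type": "Bearer"}
    print("minimal excess:", audit_granted_scopes(minimal))
    print("overbroad excess:", audit_granted_scopes(overbroad))
```

The audit is the piece most relevant to the thread: whatever the consent UI showed or hid, the `scope` string that comes back with the token is the ground truth of what the app can now do, and a client that compares it against its own whitelist catches a misconfigured or over-reaching request before the token is ever used.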

------
nappy-doo
I spoke with a friend of mine at Niantic. They are in communication with the
oauth group at Google, and are fixing the issue.

~~~
voltagex_
Can you also tell them to read a few Reddit threads, or Twitter? There are
many, many issues which will limit the lifetime of this game.

------
cheshire137
I know Google lets you see which apps are connected to your account via
[https://security.google.com/settings/security/permissions](https://security.google.com/settings/security/permissions)
but is there any page where I can see what activity was done on my account by
particular apps?

------
nostrademons
A lot of aspects of Pokemon Go are less than polished from an app dev
perspective. The way they ask for device permissions doesn't follow best
practices at all (no explanation of why they need them). The interface has too
much explanatory text in some places (how much useless backstory did I need to
click through to start playing?) and not enough in others (it took me forever
to figure out what I was supposed to do once I found a pokemon). My sister-in-
law was complaining about how all the pokemon graphics are very 2D, when they
could easily have sprung for some shading or shadows.

I suspect they built an MVP and launched it and it happened to take off, and
we'll see some more polish in the future.

For this particular issue though - I'd bet that Niantic has some sort of data-
sharing agreement with Google, anyway, making this point moot. They started as
an internal startup at Google, and they make really heavy use of the Maps &
Places APIs that would probably cost a fortune if they didn't have some sort
of bulk data sharing agreement.

------
MBCook
There are enough kids playing this maybe the FTC will get involved. Maybe some
sort of basic privacy requirement.

How is it possible that signing in didn't inform me what permissions I was
granting? I didn't think I was giving _anything_ except my email address.

~~~
greggman
Kids (under 13 in USA, under 16 in Netherlands) aren't allowed to have gmail
accounts AFAIK

[https://support.google.com/accounts/answer/1350409?hl=en](https://support.google.com/accounts/answer/1350409?hl=en)

~~~
nommm-nommm
That's due to a Clinton-era law, the Children's Online Privacy Protection Act of
1998 (COPPA). It forbids companies from collecting personal info from children
under 13 without their parents' permission.

~~~
Pxtl
What's funny is that nobody seems to provide a workflow to actually create
accounts for kids. I want to set up a supervised google account for my son for
hangouts et al... and I have no idea how. I guess that's not a thing.

~~~
nommm-nommm
It is for some services/websites that have policies in place. Google probably
doesn't care enough to have a process, not worth it for them.

~~~
nommm-nommm
Since I can't edit here is an example:

[http://www.neopets.com/coppa/consentform.phtml](http://www.neopets.com/coppa/consentform.phtml)

Google doesn't care because it takes more effort for them to obey the law
than it's worth for them at this time.

~~~
jaredandrews
Haha, I remember getting this signed and then faxed by my dad when I was like
11. Funny seeing it here because I first learned HTML from Neopets (anyone
else?). HTML brought me to javascript and computer programming in general. 15
years later, that form is still up and I guess kids are still playing Neopets.
And now I am here, weird.

------
kamac
> I really wish I could play, it looks like great fun, but there’s no way it’s
> worth the risk.

Why not just create a separate google account if one's so eager to play?

~~~
duaneb
Seriously; I created one just to avoid entering 2fa every time servers go
down.

~~~
rickyc091
The pokemon trainer site does work, just requires a lot of refreshing...

~~~
duaneb
I tend to trust easy to revoke, well tried auth mechanisms over someone's
home-grown version—especially judging by e.g. playstation network's terrible
history. I simply don't trust Nintendo to not require me to reset my password
with a breach, and I'm lazy as hell.

------
toufka
Isn't Niantic actually affiliated with (part of?) Google in some way? So it
would seem natural, if odd, that it doesn't ask for full permissions for the
account it actually already has full permissions to. In the same way google
docs doesn't ask, but gets, full permissions to your google account, or
google+ doesn't ask, but gets, full permissions to your google account.

~~~
pritambaral
Google no longer owns Niantic

~~~
toufka
Well then that is a strange security lapse on Google's part. A spin-off
company that had internal high-level access privileges is spun off, and can
still retain those high-level access privileges? That seems like a mistake
somewhere.

~~~
ihsw
You can make an app that does the same thing right now.

What are you talking about?

It's developer laziness.

~~~
toufka
I don't know the android ecosystem well. Can any random app ask for and be
granted full access without informing the user of that elevated access
request?

~~~
ihsw
That is a feature of the Google sign-in system.

The security policies for that sign-in system are not as granular as Android's
security policies.

Normally an app would request permissions at run-time or install-time.

------
nickpsecurity
Here I thought the article was going to be on how Pokemon Go encourages people
to wander into dangerous or restricted areas while paying attention to their
phone. The odds of someone getting attacked in a rough area would seem to go
up with such an app given how critical situational awareness is. I don't know
enough about how the app works to assess that, though.

One app that got me thinking about these things was Google Maps. I noticed it
directed me through The Hood of a murder capital to save 3 minutes on a route.
An area where people are known to surround cars or level guns on their owners.
I had to wonder how much more risk like this is in any GPS-enabled app that
sends you from point A to B.

~~~
teofilow
What city is this? Just curious. I don't know any such city in the United
States

~~~
nickpsecurity
Just look up top 10 cities or metro areas for violent crime. Memphis Metro
Area, in and around Memphis TN, is one of them on most years. We have lots of
good areas and things going on with the worst stuff mainly in impoverished,
minority areas. Lots of street gangs that maintain efficiency and image with
armed robbery, murder to solve disputes, and/or initiation by murder of
innocent, harmless people. Impoverished, white areas are fairly safe with
their crooks mainly doing property crime or con jobs. Rarely violent. Most
impoverished areas I've been have a mix, though. Middle-class and upper-class
areas are also fairly safe outside property crime regardless of mix. Last I
checked, city was going mostly Black with lots of Latinos coming in and Whites
moving out due to crime. Actually, exits from all races for that. Often
outside of Memphis but having jobs inside it. Economy & education keep going
downhill predictably. Many companies refuse to deliver to certain areas or
leave the city since theft overtakes profits quickly. Many make it, though,
with beefed up security. Local grocer has 8 security guards for one store.
Police themselves guard best, Chinese, food place. Haha.

That's backdrop. Relevant here, North and South Memphis are largely the worst
in terms of violence. You do _not_ want to be in certain neighborhoods
regardless of color. Even cops avoid them. Others are a risk more if you're
white or look like you have property to take. Local media & cops suppress the
worst of it to maintain tourism revenue (eg Elvis, BBQ) although the murders
naturally get reported. Examples of censorship were kicking out The First 48
show and rape kit scandal. That Google Maps takes you right near those areas
is probably why lots of people think the whole city is hood and trashed rather
than just those parts. They never see the good parts unless specifically
visiting for family, friends, jobs, or tourism.

So, yeah, it's a real issue. I double-check Google Maps if I'm going anywhere
Downtown, Midtown, North, or South as it doesn't differentiate risky vs non-
risky areas. I regularly have to force it to make safer routes. Straight-up
avoid certain areas of the city unless I'm packing heat & with backup.
Otherwise, still all kinds of good things to get involved in over there with
most folks being alright. We're just in a rough area and economy. :)

Note: As another example, BLM protestors sieged our Interstate (I-40) last
night for hours then dispersed into Downtown. Local news cautioned everyone to
stay away from that area for safety as it's normally dangerous but now
unpredictable. Bad route at the least. Google routes still offering me a
speedy trip through there, though. Unreal.

------
beckler
It should be noted that it sounds like only iOS users are seeing this.

I signed in with my Android, and I didn't see anything from Niantic or Pokemon
Go in my security settings.

~~~
generalledger
Same here (Android user), and I just double checked what apps have access to
my google account, and nothing from Niantic or Pokemon Go listed at all.

------
thoreauway
Doesn't Google OWN Niantic? So now Google has access to our Google data? Don't
see the issue.

~~~
andrewguenther
They no longer own them. They were spun off during the housecleaning before the
Alphabet announcement.

~~~
jfoster
Yep, though they also soon after made a further investment in Niantic. It may
sound bizarre at first, but there might be good reasons why they did that. For
instance, Nintendo might've been less likely to team up with a wholly Google-
owned Niantic. (purely speculation on my part)

[https://nianticlabs.com/blog/niantic-tpc-nintendo/](https://nianticlabs.com/blog/niantic-tpc-nintendo/)

~~~
ocdtrekkie
I strongly suspect a direct Google/Nintendo tie was considered less favorable
than some little ex-Google company that still uses Google servers working on a
Nintendo game. The announcement timing was pretty close.

------
ceejayoz
This seems like a massive security fail on Google's part. There's no reason
the OAuth flow should be able to request admin privileges _silently_. As a
user, I really must get a prompt asking me (and warning me!).

------
mschuster91
On a sidenote: does anyone know why the fuck the servers are so overcrowded?
In a world with a whole bunch of automated cloud management solutions and
auto-scaling, where is the problem?

------
dopu
I'm running iOS 9.3.2, and signing in to Pokemon Go caused it to have full
access to my Google account. Just revoked it and looks like I can still play
the game just fine.

Perhaps they misconfigured the Google auth sign-in? It's rather worrisome that
it's this easy for an application to gain full access to your account, though.

~~~
csolo93
Did you check the permissions again? I did the same, running the same iOS
version, and it just restored the same full-access when I opened the app
again.

~~~
dopu
Yep, just checked. It's not here at all. Were you asked to sign in again after
you revoked?

------
raoulduke
Here's a weird question.
[https://www.facebook.com/NationalMallNPS/photos/a.3795806520...](https://www.facebook.com/NationalMallNPS/photos/a.379580652053692.97287.151776458167447/1186299898048426/?type=3&theater)
Pokemon Go is designed to not only augment places where people already are but
also to direct them to other places. My friend just ran down the
Niantic/Google connection. Can the app be used to direct people away from
polling places and/or to congest areas around polling places?

To wit, would anyone be interested in tracking (I can do it for at least some
locations) the locations of gyms in comparison to polling places? (I haven't
used the app; can one get a location of gyms?)

[lol. let me clarify my interest would be in thwarting rather than harnessing
this possibility.]

~~~
rasz_pl
screw polling places, what about locations of businesses (restaurants etc)
that spend serious $$ for Google advertising?

~~~
raoulduke
I mean... that'd be an issue. I don't think it'd be as big an issue as
widespread electoral fraud or electioneering. But it'd probably be an issue...

------
randomh3r0
Any idea how long the signup page is down? I made my account yesterday and,
when forced between using my google auth and making some pokemon.com account,
it was a no brainer to not use my google account. It took me a few tries but
since this is a game and not something in the realm of life-and-death, I found
it wasn't horrible to actually wait. And try again.

The entire issue is predicated on using your google account credentials which
isn't really mandatory. Maybe I'm overly cautious but I don't use my google
account to auth anywhere. If that's the only option, and it's not a google
product.. then it looks like I'm not using that service.

~~~
arielweisberg
It's been down since at least last Thursday. The way I hear it it's been much
longer.

~~~
randomh3r0
But, again, I made an account yesterday. <24h ago. So, is it _actually_
offline, or are people hitting the friendly little google button instead of
just waiting? If it's the latter, then while I don't disagree about the
gravity of requiring "All Perms" for a stupid game, I kind of feel like people
deserve whatever happens for their impatience.

Don't just throw around account access, no matter how pervasive, in the name
of impatience. Ever.

~~~
MBCook
The game never asks for access, it's not clear in any way how much information
you're giving them.

In the past I've tried to use Google to sign in to some games and been given a
screen that I noped out of because of what it was asking for. That didn't
happen here. I assumed they only got my email address (if that), not full
email/contact/calendar history.

I checked my Google permissions. iOS has a fair amount, Mac OS X has a fair
amount, Pokémon GO has more than both put together. Without asking. That's
crazy.

------
Mendenhall
Things like this are why I don't use Google, Facebook etc. and only have 4 apps. I
love technology but it looks like hardly anyone is looking out for the
consumer, let alone a non tech-savvy consumer.

------
lowbloodsugar
I'm more worried about my daughter getting hit by a car (because she walks in
front of it, or because the driver is playing) than I am about my google
account being hijacked!

~~~
rasz_pl
How about your daughter's naked selfies leaking because someone breached
Niantic and leveraged access to gdrive?

------
gesman
So the solution is to create a throw away gmail account, I guess? Or not
bother playing at all.

------
lllorddino
Just revoked access because the app never disclosed this information on
signing up with my Google account. This is sick.

------
BadassFractal
I detected that immediately when I signed up with google at first. No double-
checking what I was ok with sharing with the company. Had to remove their
permission from my account settings right away. Signed up with their
email/password system, much better.

------
tlrobinson
Report it here: [https://support.pokemongo.nianticlabs.com/hc/en-us/requests/...](https://support.pokemongo.nianticlabs.com/hc/en-us/requests/new?ticket_form_id=319988)

------
gregorkas
On Android 6.0 I got the correct permissions dialog and I was able to select
what the app sees and what it can do. Is this just me?

~~~
chipgap98
But isn't that what the app needs from your phone? I always thought that was
different than what you are giving an app permission to do when using OAuth

~~~
rtkwe
On Android they're able to use the OS APIs to access that information because
the google account is closely tied to the OS so the permissions there are
basically permissions to the phone data because with Android they're pretty
much one and the same.

------
peterjlee
Seems like an issue with Google Auth on iOS. I've logged into Pokemon Go from my
Android and iPhone. I revoked the access of "Pokemon Go release" from
Connected Apps page then logged in again from my Android phone. "Pokemon Go
release" doesn't show up in my Connected Apps page anymore even after a login
from Android.

------
Animats
Where there's a security hole, there's an exploit.[1]

[1] [https://thestack.com/security/2016/07/11/infected-pokemon-go...](https://thestack.com/security/2016/07/11/infected-pokemon-go-apk-carries-dangerous-android-backdoor/)

~~~
Nadya
This is completely unrelated because it isn't exploiting anything (other than
humanware)

Any modified APK for any App could be loaded in with a RAT asking for full
permissions. It just happens PKMNGO is popular and people are trying to get
their hands on it before it is officially released in their region.

------
auganov
Wow. This game must be the fastest thing to skyrocket into worldwide
popularity. Yesterday I noticed someone on social media talking about it.
"Some random game pokemon fans like" - I figured. Today it seems like
everyone around the world is playing it. And it was released just a week ago?
Never seen anything quite like it.

------
meowsus
This article, though rife with paranoia, brings up some interesting points.

[http://blackbag.gawker.com/pokemon-go-is-a-government-survei...](http://blackbag.gawker.com/pokemon-go-is-a-government-surveillance-psyop-conspirac-1783461240)

------
test6554
Could you simply create a new google account for the sole purpose of playing
pokemon go?

------
test6554
Could you not simply create a new google account strictly for use with pokemon
go?

~~~
pritambaral
One _could_, but _will everyone_ do that?

------
ultramancool
Title isn't exactly accurate - can we edit this to indicate iOS only?

------
darkboltyoutube
People die doing this:
[https://www.youtube.com/watch?v=B2KXVfnw4rg](https://www.youtube.com/watch?v=B2KXVfnw4rg)

------
Zigurd
I got a number of permission requests at runtime the first time launching the
app. If anything, it appears to be running into more of the Android 6 runtime
permissions.

------
guillegette
Funny enough when I downloaded the app I didn't use my official account and I
logged in with a secondary account wondering exactly about this.

------
guillegette
Funny enough, when I installed the game I didn't use my official Google
account and I used my test one thinking about this. Glad I did it.

------
131hn
kind of a scam, just a bad wording from google "full access" and old oauth
workflow - but no real security threat

TLDR: Pokemon Go can't read your gmail - he checked

[https://gist.github.com/arirubinstein/fd5453537436a8757266f9...](https://gist.github.com/arirubinstein/fd5453537436a8757266f908c3e41538)

------
thecourier
I'm using the Android version. They aren't even a connected application, so
no risk on Android.

------
Darsstar
So, Pokemon Go is not listed under my account... Could it be the malware
version?

~~~
castis
Should be listed as "Pokemon Go Release" here:
[https://security.google.com/settings/security/permissions](https://security.google.com/settings/security/permissions)

------
throw7
I see google Chrome gets full account access... I guess this is required? Or
not?

------
minimaxir
Better/more neutral title: Pokemon Go asks for full Google permissions

~~~
BenoitEssiambre
It doesn't ask though:

"Normally you’d see a little message saying what data the app is going to be
able to access - something like “This app will be able to view your email
address and name”. For some reason that’s not shown in this case"

~~~
minimaxir
You're right, "asks" isn't the correct word and I apologize.

The title could still be more neutral/explanatory, though.

------
carsonreinke
Why in the world would they do this? Or was this just merely an accident?

~~~
sp332
Niantic used to be owned by Google, so they should know what they're doing.

~~~
rtkwe
It does work properly on Android. It only asks for access to Location,
Contacts, Camera, and Storage.

~~~
sp332
Those are just things it has access to on your phone. That's not the
permissions you give it on your Google account, which might include sending
email as you. Those you can find here
[https://security.google.com/settings/security/permissions?pl...](https://security.google.com/settings/security/permissions?pli=1)

~~~
rtkwe
I checked that page already. I can only speak for myself but for me it has no
listing on the Google Permissions page so it looks like it does permissions
correctly to me.

~~~
rtkwe
I'm running Android 6.0.1 on a Nexus 6 btw.

------
Dowwie
I can't tell whether this game is the most heavily marketed social-media blitz
of all time or truly viral. A virtual treasure hunt game finally gets people
outside? Come on.

------
julionc
Jesus Christ, they want to catch 'em all

------
zeffr
It's a free game everyone.

When something is free to play, and involves you walking around with geo
services and a camera on, you and your data are the product.

This is just massive data collection disguised as a video game.

~~~
MBCook
No, they make their money through IAPs.

No one signed up to let Niantic read their email in exchange for free items.

~~~
zeffr
Maybe no one on HN or in your circle of friends, but I think you massively
overestimate the average user's sense of data protection.

~~~
MBCook
I'm willing to bet if you put a warning that said "This app will read your
email" a _ton_ of people would react. Not 100%, but a ton.

Especially parents.

------
Alexsandros
I'm fond of e-sports, so it's interesting for me to test new games. Pokemon Go
stole the scene at a great pace. But this game is really risky for
cybersecurity. Maybe we don't need such a program.

