If you, like everyone else, are playing Pokemon Go…

You need to read this. If you log in via your Google account, you are giving the game total access to your email, Google Drive, etc. That is not acceptable. Go to your Google security settings and see for yourself…and tell it no.

It’s a brilliant little game, but one thing a day of playing it has convinced me of — its implementation is crap. Buggy, inconsistent, and now also, a security risk.


  1. says

    Upon launch, it asked for four permissions:

    1) Location
    2) pictures and files
    3) contact list
    4) access to the camera.

    I denied it access to the middle two, and when I go to Google security, it doesn’t show up on the list of apps connected to my account.

  2. dodecapode says

    It looks like it’s only a total privacy clusterfuck on iOS – the Android version asks for the permissions it needs and gives you the choice of denying them. I said yes to all the things it asked for and it still didn’t give itself total access to my Google account.

    I was using a throwaway Google account anyway though.

  3. Becca Stareyes says

    Huh, it looks like Ingress (by the same company and using similar data sets for landmarks) only asks for ‘basic profile information’. Wonder why Niantic changed things.

  4. Menyambal says

    Thanks, PZ. I was thinking about it, just to figure out how the geolocate bit works. But I just refused to update a bunch of apps that wanted access, so I’m not going to add another.

    A guy at work was going on about some people staking out critter locations and robbing folks. It probably happened somewhere.

  5. Nerd of Redhead, Dances OM Trolls says

    I’ve heard rumors of G**gle playing fast and loose with ideas like privacy. I avoid their software for the most part, other than G**gle Earth, where I save nothing.

  6. Rogue Scientist says

    Checked, it had full permissions on my Google account (I use iOS). I revoked permission from the Google account and Go doesn’t seem to have any problems with it, even after I’ve logged out and back into the game.

    @4 – http://www.usatoday.com/story/tech/2016/07/10/four-suspects-arrested-string-pokemon-go-related-armed-robberies/86922474/ Apparently it did happen at least once. It just means while playing, don’t go anywhere you wouldn’t normally feel safe, even if you think other players are there.

  7. brett says

    I just revoked all permission for it from my Gmail account, and set up a second only-for-Pokemon-Go Gmail account just for the app to use. It wasn’t stopping me from using it under my original Gmail account after revoking full access, but I don’t want to put more time into that account only for it to potentially be pulled out from under me in the unknown future – better to just restart now with the new account while I’m still low-leveled.

  8. says

    #7: I just did the same experiment: revoked all access, then logged in, and it was fine.

    It also grabbed all access right back the instant I logged in.

    So I’ve revoked its access once more, and will not log back in unless they fix this.

    #8: that sounds like a better solution. I’m not enthused enough about the game to go to the trouble, though.

  9. Corey Fisher says

    Given that this isn’t happening on Android, I’m guessing it’s a massive screwup. I’d check back next time it updates, I’d be surprised if that’s not fixed…

  10. Rogue Scientist says

    @PZ Dang, I checked after revoking and restarting the game and it didn’t have access; but I just checked again and now it does. Ugh. Really don’t like that it can take back access without even popping up a warning.

    Do read the article @11 linked if you haven’t – Niantic has issued a response, and hopefully are following through.

  11. andyo says

    #1, #2, #10,

    This is not an iOS/Android thing. The OS permissions are something else (BTW Android only asks about those permissions since 6.0 “Marshmallow”). What they’re talking about in the post is when you log into the game itself, the type of login that many apps use, you can use your Google account, your FB, Twitter, etc. When you do that, it asks for different permissions on such accounts, which are separate from the OS. I log in with Google to most apps that request it, and always could revoke the permissions before logging in, but it’s not very clear that you can do it.

    Google does have privacy and security issues and sometimes even flat out refuse to recognize them as such. For example, with Chrome they show the passwords saved in it to the Windows user that’s logged in, they are unencrypted while the Windows (and I assume Mac) user is logged in. So shared computers, anyone can see your passwords. Their excuse is that if an attacker is logged into Windows, then all bets are off cause they could run a keylogger or whatever. But if the passwords remained encrypted within the browser with an individual password, it would be much more difficult for the vast majority of malware to get them. They think of the worst hypothetical scenarios without considering the vastly more common ones, like maybe it’s not a super hacker you’re protecting against, but you just don’t want family members and the occasional friend to have access to all your passwords?

    Google’s thinking in general is weird, they do cool things, but from the perspective of out of touch nerd geniuses.

  12. andyo says

    I should have said, that was their response until a while ago, but after pressure mounted, they started requiring the Windows password to see the Chrome passwords (you can still freely see the login names and sites though). The problem is that it is easy for programs to extract the passwords and show them to anyone, so it’s pretty much moot if they aren’t encrypted within the browser’s sandbox.

  13. latsot says

    As others have said, it does look as though this was an iOS screw up and the company says it’s fixing it. But it is one major motherfucker of a bug and doesn’t give me much confidence in the rest of their security. They are storing a lot of data about users on their servers and the game’s popularity makes it an irresistible target for hackers. It will be breached sooner or later and their record so far says sooner is more likely. It also suggests that damage resulting from a breach might not be as contained as it could be.

    The company’s privacy policy is also a bit of a train wreck. There’s no control over how the data will be stored or used in the future.

    I don’t mean to scare anyone off using the app, just make sure your decision to do so is well-informed.

    It’s a bad idea to use your Google account to sign in, even if you’re using a separate Google account just for the game.

  14. Matrim says

    Easy solution: don’t use your Google account. Take the 90 seconds and make a Pokémon Trainer account. I don’t mean to sound snide, but I generally take it as a given that if you’re linking things together you are compromising security. One of the reasons I don’t use sites or apps that link to your Facebook account.

  15. Ariaflame, BSc, BF, PhD says

    @Matrim #16 I believe people tried that and the Pokémon trainer site wasn’t creating new accounts.

  16. Matrim says

    @19, For a few hours while they dealt with the load. I ran into the issue, waited about 2 hours, tried again, worked fine. I don’t know if they’ve had reoccurring issues or not, but things seemed to have been sorted out.