Pokémon Go developer working on a fix for iOS account permissions

You might have seen some security concerns about the Pokémon GO app being talked about on social media. These are very valid issues — the application can use its own webview container for login from your Google Account, and once approved it gives itself full access to all of your data.

We reached out to Niantic — which developed the Pokémon Go app. It issued a response to the media late Monday evening. ABC News was among the first to share it on Twitter — and Niantic then issued the same response to Android Central.

The statement reads thusly:

We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user's Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon GO's permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.

Original post follows:

Not good

The good(?) news is that this appears to be an iOS-only issue. On Android, the app appears to use the "right" way to log in with your Google credentials, and it doesn't ask for access to your sensitive account data. You can check for yourself right here. In fact, when we check on an account that hasn't used an iPhone to sign in, the Pokémon GO app isn't even listed as having any access. Don't be alarmed if you see the same thing.

The first concern — the webview container login page — isn't too troubling. Apple has secure methods for apps to do this sort of thing (though Google would rather the user be directed to the default web browser so the URL can be checked) and every app is vetted by Apple staff before it's published. Yes, even Apple can let something slip through, but the account authorization page is legit. We checked. And millions of users have checked.

The second concern — access to all of your Google account data — is much more troubling.

This level of access means that the publisher can see everything. According to Google:

When you grant full account access, the application can see and modify nearly all information in your Google Account (but it can't change your password, delete your account, or pay with Google Wallet on your behalf).

Certain Google applications may be listed under full account access. For example, you might see that the Google Maps application you downloaded for your iPhone has full account access.

This "Full account access" privilege should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet.

And more. Basically, anything you've ever done while signed in with Google, and everything you've ever saved in Drive or Photos is wide open to Niantic and the app itself.

Now we don't think Niantic or Nintendo is going to pore through your account data or look at your photos. But what happens if someone out there finds a way to hack Niantic? With access to the right database, any attacker can have a token that gives them all your "stuff." That's not good. Not good at all.

What we recommend is that you use a separate Google account if you're going to play Pokémon Go on your iPhone. Or you can decide to not play at all and delete the permissions from your Google security page.

The important thing is that you know what's going on.
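For developers, the least-privilege fix Niantic describes can be enforced as a pre-release check on the login request the app builds. The following is an added example, not code from Niantic, Google or this article. It assumes a standard OAuth 2.0 authorization URL (the article does not say how the iOS client formed its request), and the endpoint, client ID and "full-account" scope are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: the app needs only the user's ID and email address, which map to
# the standard OpenID Connect scopes "openid" and "email".
ALLOWED_SCOPES = frozenset({"openid", "email"})

# Constructed sample requests (hypothetical endpoint, client_id and scope URL).
BASE = "https://auth.example.test/authorize?response_type=code&client_id=game-client"
GOOD = BASE + "&scope=openid%20email"
BROAD = BASE + "&scope=openid+email+https%3A%2F%2Fauth.example.test%2Fscopes%2Ffull-account"
NO_SCOPE = BASE


def audit_authorization_request(url, allowed=ALLOWED_SCOPES):
    """Return (ok, excess_scopes, reason) for an OAuth 2.0 authorization URL."""
    query = parse_qs(urlsplit(url).query)
    values = query.get("scope", [])
    if len(values) != 1:
        # Missing or repeated scope parameter: the server decides what is
        # granted, so the request cannot be shown to be least-privilege.
        return False, set(), "scope parameter missing or repeated"
    requested = set(values[0].split())  # scopes are space-delimited
    if not requested:
        return False, set(), "scope parameter empty"
    excess = requested - allowed
    if excess:
        return False, excess, "requests more than the allowlist"
    return True, set(), "ok"


if __name__ == "__main__":
    for name, url in (("good", GOOD), ("broad", BROAD), ("no scope", NO_SCOPE)):
        ok, excess, reason = audit_authorization_request(url)
        print(f"{name:9} ok={ok} reason={reason} excess={sorted(excess)}")
```

Run against every login URL the client can produce, a check like this fails the build when a request asks for more than the data the app actually reads.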

Jerry Hildenbrand
Senior Editor — Google Ecosystem


46 Comments
  • "Pokémon GO security concerns appear only affect iOS" You only had one job.
  • ((jedi mind wave)) you saw nothing... You will go back to finding me a Lapras or an Entei... ((waves again, whispers)) is this working?
  • Isn't Pokémon GO gen 1 only? Entei is gen 2, so you won't find one. Closest available is Growlithe+ imagination. Posted via the Pokémon Central App
  • I know that, I just don't care. Give me Entei... ((waves harder)) Posted via the Android Central App
  • Your pitiful tricks won't work on me, Jedi! *Starts searching for an Entei* Posted via the Pokémon Central App
  • Just seeing if anyone was actually paying attention. CARRY ON. :p
  • This is going to be very entertaining commentary on this week's podcast. ;-) Posted via the Android Central App
  • Correction: it only affects Google accounts in iOS. And that is if you sign in with your Google account rather than set up a Pokemon.com account. Posted via the Android Central App
  • LolOS. Posted via the Android Central App
  • LOL bad app design
  • lol i really appreciate the pokespam \ trolling
  • Security is a legitimate issue. I don't mind this Pokémon Go article. Posted via the Android Central App
  • Yep Posted from my cracked Nexus 6/Nexus 7 2013/Surface Pro 3
  • Enough of the likeminded crap.
    Or are you being paid to push a stupid bloody game !
    It is played by a small niche group of sad people without real lives.
    The rest of us, the huge majority, are already bored with constant crap about it.
    The
  • spiderman.png
  • http://www.theverge.com/2016/7/11/12149510/pokemon-go-fighting-isis-kurd... Yep, real sad person with no life here.
  • Burn! Boy one should think before they type. ;-) Posted via the Android Central App
  • Ignore them then, you bloody ****. Or maybe you want to pay their bills?
  • You can't ignore them. They are drowning out the real content.
  • "small niche?" An app with the 2nd highest number of active users in just a few days constitutes a "small niche?" Seriously, go home troll, you're drunk! Posted via the Android Central App
  • The pet rock was quite a trend as well.
  • The fact that Pokemon Go doesn't yet support Android N makes me feel annoyed by all these Pokemon Go articles. I WANT TO PLAY TOO Posted via the Android Central App
  • Or you could sign up for a trainer club account... You don't have to use a google account for everything lol Posted via the Android Central App
  • **** got serious, Jerry's posting them now... Posted via the Android Central App
  • Android > ios Posted via the Android Central App
  • Not for this reason. This hole is due to the app publisher not Apple hardware or software.
  • Lol Apple hardware... Posted via the Android Central App
  • Please, dear everything that is holy to Android. Let's stop with all these Pokémon GO stories! We get it, it's a fun game, but this is a bit much. Posted via the Android Central App
  • http://slickdeals.net/f/8915135-motorola-moto-360-2nd-gen-mens-womens-42...
  • Good to know!
    Good thing I have a few user profiles for gaming on my Priv.
    I'm interested in seeing what this is all about once it's opened up to the rest of the world. Posted via Priv
    STV100-3 on Rogers
  • Holy ****... 11 out of the 13 latest posts are Pokémon Go posts..
  • Are people not having sex anymore? Posted via the Android Central App
  • Lol exactly Posted via the Android Central App
  • Sex on the go ;) #TeamFrosty Nexus 6P
  • Guess I'm officially old but I'm already sick of all of these Pokémon posts. Yeesh. Posted via the Android Central App
  • Pretty much everyone older than 10 is sick of these posts. Posted via the Android Central app on my Nexus 5X with Project Fi
  • I understand that Pokemon Go is a thing right now, but most of the front page is devoted to that game. Slow Android news day?
  • $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
  • http://www.gsmarena.com/twitter_now_supports_gifs_up_to_15mb-news-19337.php - More on Techno News Sent via Tandy Color Computer
    -----------------------------------------------
    before you see the light, you have to deal with the darkness
  • http://www.phonearena.com/news/Verizon-is-the-first-U.S.-carrier-to-publ... - More on Techno News Sent via Tandy Color Computer
    -----------------------------------------------
    before you see the light, you have to deal with the darkness
  • Wow, 100x faster than 4G! Too bad it's 4 years out.
  • Too bad it's Verizon lol Posted via the Android Central app on my Nexus 5X with Project Fi
  • Wait I thought iOS was the most secure os in the entire universe... According to iPhone users that is of course S7 edge...Soon to be Note 7 edge
  • Pokemon go sucks and will never get on my phone. Posted via the Android Central App
  • **** Jerry and Phil doing Pokemon go articles. I thought Phil was mature enough to not stoop to this level for clicks. This article however is not that. But still be a mature editor and think what the audience wants. If alienating their fans for clicks and money for short term you guys might not get enough in the future when you guys do real news as we would all have left. Think Phil. Don't do what Rene tells you to (I believe that Rene is the mobile nations chief) Posted via the Android Central App
  • Pokemon poisoned Apple.