Pokemon Go raises security concerns

Tiffany Butler

Photo by Jenn Mello.
Photo by Jenn Mello.

Pokemon Go seems to have become a phenomenon over night, but as people begin to look into how it works, some serious concerns are being raised about its privacy policy.

The app requires users to make an account, which can be done through Google or Pokemon’s own online network. Given the difference in popularity and functionality between the two, most users are making their accounts through Google, which is where things start to become questionable.

According to an article by security expert Adam Reeves, the app grants full access to users Google accounts. Under the default security settings, Pokemon Go and Niantic (the software development company behind the app) can:

  • Read emails
  • Send emails as you
  • Access and alter (even delete) Google drive documents
  • Access search and maps navigation history
  • Access private photos stored in Google photos

The post also warns that, because of the way email accounts are used for authentication, this likely means Niantic could access users accounts on other sites as well. iOS users can’t modify these settings. The only options to ensure a safeguarding of information are to delete the game or create a fake Google account to sign-in with.

For Android users, the game doesn’t show up under Google account security permission, but it’s access is outlined in the Google Play store. There it shows that the app can:

  • Modify, delete, or read the contents of users USB storage
  • Has full network access
  • Use accounts on the device
  • Access precise location through network and GPS
  • Prevent device from sleeping

Concerns are being raised as to why the company is requiring such permissions for the game, and the extent to which they are potentially collecting and using people’s personal information.

In response, Niantic released a statement acknowledging the extremity of these permissions and informs users they are working to adjust the game’s permissions to only access basic profile data, but there is no given inclination as to when this change will be made. The full statement reads:

We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO‘s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.

Pokemon Go’s privacy policy can be read here.

 

For more information or news tips, or if you see an error in this story or have any compliments or concerns, contact [email protected].