Pokémon Go developer working on a fix for iOS account permissions
You might have seen some security concerns about the Pokémon GO app being talked about on social media. These are very valid issues — the application can use its own webview container for login from your Google Account, and once approved it gives itself full access to all of your data.
We reached out to Niantic — which developed the Pokémon Go app. It issued a response to the media late Monday evening. ABC News was among the first to share it on Twitter — and Niantic then issued the same response to Android Central.
The statement reads thusly:
Original post follows:
The good(?) news is that this appears to be an iOS-only issue. On Android, the app appears to use the "right" way to log in with your Google credentials, and it doesn't ask for access to your sensitive account data. You can check for yourself right here. In fact, when we check on an account that hasn't used an iPhone to sign in, the Pokémon GO app isn't even listed as having any access. Don't be alarmed if you see the same thing.
The first concern — the webview container login page — isn't too troubling. Apple has secure methods for apps to do this sort of thing (though Google would rather the user be directed to the default web browser so the URL can be checked) and every app is vetted by Apple staff before it's published. Yes, even Apple can let something slip through, but the account authorization page is legit. We checked. And millions of users have checked.
The second concern — access to all of your Google account data — is much more troubling.
This level of access means that the publisher can see everything. According to Google:
When you grant full account access, the application can see and modify nearly all information in your Google Account (but it can't change your password, delete your account, or pay with Google Wallet on your behalf).
Certain Google applications may be listed under full account access. For example, you might see that the Google Maps application you downloaded for your iPhone has full account access.
This "Full account access" privilege should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet.
And more. Basically, anything you've ever done while signed in with Google, and everything you've ever saved in Drive or Photos is wide open to Niantic and the app itself.
Now we don't think Niantic or Nintendo is going to pore through your account data or look at your photos. But what happens if someone out there finds a way to hack Niantic? With access to the right database, any attacker can have a token that gives them all your "stuff." That's not good. Not good at all.
What we recommend is that you use a separate Google account if you're going to play Pokémon Go on your iPhone. Or you can decide to not play at all and delete the permissions from your Google security page.
The important thing is that you know what's going on.
Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Threads.