Pokemon Go players sacrifice full Google account access, pair of fixes coming soon
Amid revelations that the popular Pokémon Go game for iPhone offers universal access to Google accounts, Google and Niantic have said that user emails and other sensitive data are not being harvested, and that a pair of fixes are incoming.
Early Monday, analytics firm architect Adam Reeve claimed that installing Pokémon Go and using a Google account to play the game granted full access to linked accounts on both Android and iOS, without informing the user. Apps with universal permissions, according to Google Play, "can see and modify nearly all information in your Google Account" but "can't change your password, delete your account, or pay with Google Wallet on your behalf."
The Google Play store is more transparent than the iOS App Store is for this title regarding what the app can access. On the Pokémon Go page, the title is listed as having "full network access" and access to "accounts on the device."

Practically, full account access could allow developer Niantic to peruse emails, send emails on behalf of the user, and access contacts, photos, and any other information stored by a Google account. Simple workarounds exist, such as creating a Pokémon Account when the servers recover, revoking full permission from the title (which has caused the game to crash), or using a temporary throwaway account to play.
"Pokémon Go only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected," Niantic said in a statement.
In response, Niantic is implementing a client-side fix for Pokémon Go so that it requests permission for only basic Google profile information, corresponding to what the company says it is accessing. Niantic also notes that partner Google will soon reduce the access permission to only basic data on the server side as well. No timetable for either fix has been announced.
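A least-privilege check matching the two fixes described above, as an added example (not Niantic's or Google's code): it compares the scopes in an OAuth 2.0 authorization request, and the scopes a token response reports as granted, against a basic-profile allowlist. The sample URLs, client ID and token response are constructed and do not reproduce what the game actually sent.

```python
from urllib.parse import urlsplit, parse_qs

# Google OAuth 2.0 scopes that cover only the user ID and email address.
BASIC_PROFILE = frozenset({
    "openid",
    "email",
    "https://www.googleapis.com/auth/userinfo.email",
})

def scopes_in_request(auth_url):
    """Scopes a client asks for in an authorization request URL."""
    values = parse_qs(urlsplit(auth_url).query).get("scope", [])
    return {scope for value in values for scope in value.split()}

def scopes_in_grant(token_response):
    """Scopes the server granted (space-delimited 'scope' field)."""
    return set(token_response.get("scope", "").split())

def audit(scopes, allowed=BASIC_PROFILE):
    """Report scopes beyond the allowlist; an empty scope set fails closed."""
    excess = sorted(scopes - allowed)
    return {"excess": excess, "ok": bool(scopes) and not excess}

# Constructed samples: an over-broad request, a minimal request, a minimal grant.
BASE = ("https://accounts.google.com/o/oauth2/v2/auth"
        "?client_id=EXAMPLE-CLIENT-ID&response_type=code"
        "&redirect_uri=com.example.game%3A%2Foauth&scope=")
OVERBROAD_REQUEST = BASE + ("openid%20email%20https%3A%2F%2Fmail.google.com%2F"
                            "%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts")
MINIMAL_REQUEST = BASE + "openid+email"
MINIMAL_GRANT = {
    "access_token": "constructed-token",
    "token_type": "Bearer",
    "scope": "openid https://www.googleapis.com/auth/userinfo.email",
}

if __name__ == "__main__":
    print(audit(scopes_in_request(OVERBROAD_REQUEST)))
    print(audit(scopes_in_request(MINIMAL_REQUEST)))
    print(audit(scopes_in_grant(MINIMAL_GRANT)))
```

Checking the request covers the client-side fix; checking the granted scopes covers the server-side one, since the server may grant something different from what was requested.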
Pokémon Go was developed as a joint effort between Niantic and Nintendo, and first launched on iPhone last week. The title continues to hold the top spots on the iOS charts. The game is said to be generating between $3.9 million and $4.8 million per day worldwide.
Apple is even said to be earning more from iOS players than Nintendo is collecting directly, as part of a complex business arrangement involving the Pokémon intellectual property.
Comments
All the data they wanted has been collected already during this massive rollout. This "fix" is a ruse, and will shade them from scrutiny.
https://support.google.com/googleplay/answer/6270602?hl=en
Passing the wrong OAuth scope like what happened here is a very easy mistake to make.
My issue is that Niantic fixed this same exact bug in Ingress on April 19th but failed/forgot to merge that change into Pokemon GO.
Is this true, or just poor reporting? Seems like it should read, 'The Pokemon GO app listing on the Google Play store is more transparent than its listing on the iOS App Store...' The difference being, it's up to the app vendor to determine what accesses the app requests. This isn't Google's Play store doing a better job than Apple's App Store; it's the app maker doing a better job when submitting the app on the Google Play store.
iOS has no Google account permission, so the Pokémon GO app must explicitly ask the user for their Google account email address and password to create the OAuth token.
The iOS App Store also has a requirement that an app must continue to work even if a user refuses to give an app a specific permission; the developer is only permitted to disable features that require that permission.
On versions of Android before Android 6.0, permissions were an all or nothing affair. If you wanted to use a free game app at all, you also had to give it access to your contacts, even if access to contacts was unrelated to the main functionality of the game. Therefore, the Google Play Store listed all permissions before you downloaded/purchased the app.
So I'm confused. Does Google still own and profit off Niantic?