Pokemon Go players sacrifice full Google account access, pair of fixes coming soon

Amid revelations that the popular Pokémon Go game for iPhone offers universal access to Google accounts, Google and Niantic have said that user emails and other sensitive data are not being harvested, and that a pair of fixes are incoming.




Early Monday, analytics firm architect Adam Reeve claimed that installing Pokémon Go and using a Google account to play the game granted full access to linked accounts on both Android and iOS, without informing the user. Apps with universal permissions, according to Google Play, "can see and modify nearly all information in your Google Account" but "can't change your password, delete your account, or pay with Google Wallet on your behalf."

The Google Play store is more transparent than the iOS App Store is for this title regarding what the app can access. On the Pokémon Go page, the title is listed as having "full network access" and access to "accounts on the device."




Practically, full account access could allow developer Niantic to peruse emails, send emails on behalf of the user, and access contacts, photos, and any other information stored by a Google account. Simple workarounds exist, such as creating a Pokémon Account when the servers recover, revoking full permission from the title, which has caused the game to crash, or using a temporary throwaway account to play.

"Pokémon Go only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected," Niantic said in a statement.

As a response, Niantic is implementing a client-side fix for Pokémon Go to request permission for only basic Google profile information, corresponding to what the company claims that it is accessing. Niantic also notes that partner Google will soon reduce access permission to only basic data from the server-side as well. No timetable for either fix has been announced.
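The client-side fix described above amounts to requesting only basic-profile OAuth scopes. The following is an added example, not code from Niantic, Google or the original article: a check a team could run in tests to catch an over-broad `scope` in an authorization request or a token response. The allowlist, function names, client ID, redirect URI and the over-broad sample (which uses the real Gmail scope `https://mail.google.com/`, not necessarily what the app requested) are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Scopes limited to basic profile data (standard OpenID Connect / Google names).
BASIC_PROFILE_SCOPES = frozenset({
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
})

def requested_scopes(auth_url):
    """Return the scopes named in an authorization URL's `scope` parameter."""
    query = parse_qs(urlsplit(auth_url).query)  # decodes %20 and '+' to spaces
    scopes = set()
    for value in query.get("scope", []):
        scopes.update(value.split())  # scope is a space-delimited list
    return scopes

def excess_scopes(auth_url, allowed=BASIC_PROFILE_SCOPES):
    """Scopes requested beyond the allowlist; an empty set means least privilege."""
    return requested_scopes(auth_url) - allowed

def granted_excess(token_response, allowed=BASIC_PROFILE_SCOPES):
    """Scopes actually granted beyond the allowlist, from a token response.
    The server may grant a different set than was requested, so check both."""
    return set(token_response.get("scope", "").split()) - allowed

# Constructed sample requests (hypothetical client and redirect URI).
_BASE = ("https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE_CLIENT_ID"
         "&response_type=code&redirect_uri=com.example.game%3A%2Foauth&scope=")
OVERBROAD_REQUEST = _BASE + "openid%20email%20https%3A%2F%2Fmail.google.com%2F"
MINIMAL_REQUEST = _BASE + "openid+email"

if __name__ == "__main__":
    for name, url in (("overbroad", OVERBROAD_REQUEST), ("minimal", MINIMAL_REQUEST)):
        extra = excess_scopes(url)
        print(name, "FAIL" if extra else "ok", sorted(extra))
```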

Pokémon Go was developed as a joint effort between Niantic and Nintendo, and first launched on iPhone last week. The title continues to hold the top spots on the iOS charts. The game is said to be generating between $3.9 million and $4.8 million per day worldwide.

Apple is even said to be earning more from iOS players than Nintendo is collecting directly, as part of a complex business arrangement involving the Pokémon intellectual property.

Comments

  • Reply 1 of 15
    TurboPGT Posts: 355 member
    Bullshit.

    All the data they wanted has been collected already during this massive rollout. This "fix" is a ruse, and will shade them from scrutiny.
  • Reply 2 of 15
    Funny how so many blogs reported this as an iOS issue, and not a Niantic issue. 
  • Reply 3 of 15
    Grimzahn Posts: 64 member
    "The Google Play store is more transparent than the iOS App Store is for this title regarding what the app can access." True and misleading. For Android you need to live with the access to the data an app has. It's either install or don't install. On iOS the user controls what access an app may have.
  • Reply 4 of 15
    Rosyna Posts: 87 member
    It's moot in this particular case as the iOS app explicitly asks for your Google username and password.




  • Reply 5 of 15
    singularity Posts: 1,328 member
    Niantic have released this statement 

    We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user's Google account. However, Pokémon Go only accesses basic Google profile information (specifically, your user ID and e-mail address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google account information, in line with the data we actually access. Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go's permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves.

  • Reply 6 of 15
    Rosyna Posts: 87 member
    singularity said:
    Niantic have released this statement

    We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user's Google account. However, Pokémon Go only accesses basic Google profile information (specifically, your user ID and e-mail address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google account information, in line with the data we actually access. Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go's permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves.

    That statement is quoted in the article.
  • Reply 7 of 15
    staticx57 Posts: 405 member
    Grimzahn said:
    "The Google Play store is more transparent than the iOS App Store is for this title regarding what the app can access." True and misleading. For Android you need to live with the access to the data an app has. It's either install or don't install. On iOS the user controls what access an app may have.
    This is false, Android affords this feature as well.
  • Reply 8 of 15
    This app could have been designed and developed to respect user privacy from Day One. The developers of the app chose not to do this until people started to complain about the app and companies having unfettered access to users' Google accounts. An apology and a promise to provide a fix sometime in the future for a problem that should have never existed shows the companies need to be closely monitored to confirm they are not harvesting user data. Google has been caught and fined for collecting user data in the past. 
  • Reply 9 of 15
    gatorguy Posts: 24,178 member
    Grimzahn said:
    "The Google Play store is more transparent than the iOS App Store is for this title regarding what the app can access." True and misleading. For Android you need to live with the access to the data an app has. It's either install or don't install. On iOS the user controls what access an app may have.
    As do more current versions of Android. I wouldn't expect most here to be aware of that as it's certainly a fairly recent change. Apple has long allowed for pick-n-choose permissions, so not so great that Google took so long to implement it.
    https://support.google.com/googleplay/answer/6270602?hl=en
  • Reply 10 of 15
    lkrupp Posts: 10,557 member
    Somehow I know this is all Apple’s fault. @rogifan_new, can you explain to us why this is a failure on Apple’s part and another nail in their coffin?
    edited July 2016
  • Reply 11 of 15
    Rosyna Posts: 87 member
    This app could have been designed and developed to respect user privacy from Day One. The developers of the app chose not to do this until people started to complain about the app and companies having unfettered access to users' Google accounts. An apology and a promise to provide a fix sometime in the future for a problem that should have never existed shows the companies need to be closely monitored to confirm they are not harvesting user data. Google has been caught and fined for collecting user data in the past. 
    Niantic was a Google company until last year. So they would have had total access to your google account regardless.

    Passing the wrong OAuth scope like what happened here is a very easy mistake to make.

    My issue is that Niantic fixed this same exact bug in Ingress on April 19th but failed/forgot to merge that change into Pokemon GO.


  • Reply 12 of 15
    radarthekat Posts: 3,842 moderator
    "The Google Play store is more transparent than the iOS App Store is for this title regarding what the app can access."

    Is this true, or just poor reporting?  Seems like it should read, 'The Pokemon GO app listing on the Google Play store is more transparent than its listing on the iOS App Store...'  The difference being, it's up to the app vendor to determine what accesses the app requests.  This isn't Google's Play store doing a better job than Apple's App Store; it's the app maker doing a better job when submitting the app on the Google Play store. 
    edited July 2016
  • Reply 13 of 15
    Rosyna Posts: 87 member
    radarthekat said:
    "The Google Play store is more transparent than the iOS App Store is for this title regarding what the app can access."

    Is this true, or just poor reporting?  Seems like it should read, 'The Pokemon GO app listing on the Google Play store is more transparent than its listing on the iOS App Store...'  The difference being, it's up to the app vendor to determine what accesses the app requests.  This isn't Google's Play store doing a better job than Apple's App Store; it's the app maker doing a better job when submitting the app on the Google Play store.
    Android has a Google account permission that apps can access, so Pokémon GO uses that when possible to get your username and email address instead of creating a new OAuth token and lists "account access" in the permissions.

    iOS has no Google account permission, so the Pokémon GO app must explicitly ask the user for their Google account email address and password to create the OAuth token.

    The iOS App Store also has a requirement that an app must continue to work even if a user refuses to give an app a specific permission; the developer is only permitted to disable features that require that permission.

    On versions of Android before Android 6.0, permissions were an all or nothing affair. If you wanted to use a free game app at all, you also had to give it access to your contacts, even if access to contacts was unrelated to the main functionality of the game. Therefore, the Google Play Store listed all permissions before you downloaded/purchased the app.
  • Reply 14 of 15
    cali Posts: 3,494 member
    Why doesn't this give options to use Facebook or something else? Not even a MyNintendo account.

    So I'm confused. Does Google still own and profit off Niantic?