Playing ‘Pokemon Go’ Could Be Creating A Gigantic Security Risk For Your Personal Data


Not to put a damper on everyone’s enthusiastic chasing of fictional characters in the real world, but I have some potentially bad news regarding Pokemon Go.

As if gamers creeping around other people’s homes wasn’t a bad enough side effect of playing the game, now there is concern that playing the game could be compromising the security of your personal data.

The good news? If you are playing the game on Android it appears that all is well. However, if you are playing Pokemon Go using an iPhone there might be a problem.

That’s because if you are using an iPhone then you may have granted Niantic, the company that created the game with Nintendo, access to a WHOLE LOT of your personal information.

Adam Reeve, a data architect employed at security analytics platform RedOwl, discovered that when you log into the game using Google, Pokemon Go is granted FULL ACCESS to your Google account.

Here’s what he reported on his Tumblr…

I started the game, hit the Google button, and was redirected to log in. Normally you’d see a little message saying what data the app is going to be able to access – something like “This app will be able to view your email address and name”. For some reason that’s not shown in this case, but I went ahead and logged in anyway. Then on a whim I went to see which permissions it was granted (you can see for your own account right here). To say I was a little stunned is putting it lightly – it said:

Pokemon Go has full access to your Google account

Here are a couple of excerpts from the Google help page about what this means:

When you grant full account access, the application can see and modify nearly all information in your Google Account

This “Full account access” privilege should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet.

Let me be clear – Pokemon Go and Niantic can now:

— Read all your email
— Send email as you
— Access all your Google drive documents (including deleting them)
— Look at your search history and your Maps navigation history
— Access any private photos you may store in Google Photos
— And a whole lot more

What’s more, given the use of email as an authentication mechanism (think “Forgot password” links) they now have a pretty good chance of gaining access to your accounts on other sites too.

Uh, that’s a little scary.

This is not to say that Niantic is going to do anything bad with your information; it’s just a warning that you’ve given up a lot of personal data just to chase virtual monsters.

Reeve added his final take at the end of his post: “I don’t know how well they will guard this awesome new power they’ve granted themselves, and frankly I don’t trust them at all. I’ve revoked their access to my account, and deleted the app. I really wish I could play, it looks like great fun, but there’s no way it’s worth the risk.”

So, yeah, uh, have fun out there, folks.

H/T Death and Taxes

Before settling down at BroBible, Douglas Charles, a graduate of the University of Iowa (Go Hawks), owned and operated a wide assortment of websites. He is also one of the few White Sox fans out there and thinks Michael Jordan is, hands down, the GOAT.