Pokemon Go: A Security Risk for iPhones?

iOS users who choose to log in to the game via their Google accounts give Pokemon Go full access to all their Google data.

by Dwight Silverman, Houston Chronicle / July 12, 2016

(TNS) -- Pokemon Go, the hot new smartphone game, was released just last week but it's already so popular that it has surpassed the dating app Tinder for user installations, with Twitter in its sights next. The game has players scurrying about in the real world, capturing animated creatures in what is probably the first hit title to rely on augmented reality.

But for iPhone users, Pokemon Go has a serious catch. Adam Reeve, a security expert with RedOwl, discovered that iOS users who choose to log in to the game via their Google accounts give Pokemon Go full access to all their Google data.

As Reeve puts it:

"Let me be clear - Pokemon Go and Niantic can now:

Read all your email

Send email as you

Access all your Google drive documents (including deleting them)

Look at your search history and your Maps navigation history

Access any private photos you may store in Google Photos

And a whole lot more

What's more, given the use of email as an authentication mechanism (think 'Forgot password' links) they now have a pretty good chance of gaining access to your accounts on other sites too."

In other words, if you've got any data generated by a Google product or service, the Pokemon Go can see it, change it, even send it elsewhere.

This not the way a Google login is typically handled. Usually, apps are given the minimum permissions they need. An app taking full access is highly unusual - particularly since Pokemon Go users are not given a warning about the app requiring it during setup.

This issue only affects Pokemon Go players who have the app on an iOS device - an iPhone, iPad or iPod Touch. The Android version doesn't take this kind of access.

As Reeve points out, it's unlikely that Niantic, the developer of the game for Nintendo, plans to do anything nefarious. He refers to it as "epic carelessness." But evildoers who might hack into Niantic's systems could, in theory, gain access.

You can see if Pokemon Go has full access to your Google account by checking the apps section of Google's security settings. Reeve recommends that you revoke access to Pokemon Go if it has full access, and delete the app from your iPhone - at least until Niantic updates the game with more reasonable access.

©2016 the Houston Chronicle. Distributed by Tribune Content Agency, LLC.

Platforms & Programs