July 14, 2016


Pokémon Go Security Issues

It’s been an interesting week as Pokémon fever has taken over the country. Whether on your way to work, out shopping in town, or even looking out your front windows, you’ve probably seen random groups of people running around, cellphones in hand, frantically searching for Pokémon characters. The game they’re playing, Pokémon Go, is a mobile game that creates an augmented reality world — and it has become an overnight success for Nintendo.

Amid the buzz, however, have been reports that Pokémon Go has a major security flaw that allows the game’s developers to access players’ Google accounts. Niantic Labs, the company that developed the game, released an update on July 12 that allegedly addresses the security problem, but here’s what you need to know about what happened (and how to fix it).

The Pokémon Go Security Flaw

There are two ways to sign up for Pokémon Go after downloading the app: creating a Trainer Club account through the game’s website, or linking your Google account through the app. Many players didn’t think twice before connecting through their Google accounts because it was the quicker, easier option and they had no reason to believe it wasn’t safe.

Adam Reeve was the first person to call attention to the security risk when he realized that using your Google account to sign up meant that Pokémon Go would have full access to your information. According to Google, full account access means:

“…the application can see and modify nearly all information in your Google Account (but it can’t change your password, delete your account, or pay with Google Wallet on your behalf).”

Google doesn’t break it down for you, but basically, this means Niantic Labs can read your e-mail, send e-mail as you, check your calendars, access any documents you have in Google Drive, see your search history, view your Maps navigation history, and take a look at any photos you have in Google Photos. You probably wouldn’t even share most of this information with your closest friends — so why would you share it with the developers of a Pokémon game?

Niantic Labs Fixes the Problem

It appears that this issue was isolated to Apple’s iOS operating system, so at this point, it doesn’t look like Android users were affected. Niantic Labs responded to the finding by saying that Pokémon Go really only accesses basic account information and that the “full account access” permission was a technical error. They released an update on July 12 that fixes smaller problems like log-in issues and crashes, and the update also says that it “fixed Google account scope.” Now, the developers can only see your Google ID and e-mail address.

Have you fixed the flaw on your phone yet? If you are playing Pokémon Go using an Apple product, you need to:

  • Download the update
  • Sign out
  • Sign back in

Once you do that, you’ll see a new permission request screen — one that asks for a lot less information. From there, your game should be up-to-date and you’ll be ready to “catch ‘em all” again.

It seems like Niantic Labs truly did not mean to enable full account access, but it’s an important lesson for everyone who downloads apps. Any app developer can enable full access, and many people don’t pay enough attention to notice. Before you download anything, make sure you understand how much privacy you’re about to give up and the potential security risks, because this is the type of everyday carelessness that identity thieves rely on.
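For developers on the other side of that permission screen, the same lesson can be turned into a release check. The sketch below is an added example, not code from Niantic or Google: it parses the `scope` parameter of a Google OAuth 2.0 authorization URL and flags anything beyond the Google ID and e-mail address the article says the fixed app can see. The allowlist, the function names and both sample URLs are assumptions constructed for illustration; the broad request is not the one Pokémon Go made.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: the app only needs the user's Google ID and e-mail address,
# which is what the article says the updated Pokémon Go build can see.
ALLOWED_SCOPES = {"openid", "email"}

# Google OAuth 2.0 scopes that expose the kinds of data the article lists.
SENSITIVE_SCOPES = {
    "https://mail.google.com/": "read, send and delete Gmail",
    "https://www.googleapis.com/auth/calendar": "read and edit calendars",
    "https://www.googleapis.com/auth/drive": "read and edit all Drive files",
}


def requested_scopes(auth_url):
    """Return the set of scopes named in an OAuth 2.0 authorization URL."""
    query = parse_qs(urlsplit(auth_url).query)
    scopes = set()
    # The scope parameter is one space-delimited string (RFC 6749, section 3.3).
    for value in query.get("scope", []):
        scopes.update(value.split())
    return scopes


def review(auth_url):
    """Classify requested scopes against the least-privilege allowlist."""
    scopes = requested_scopes(auth_url)
    excessive = scopes - ALLOWED_SCOPES
    return {
        "allowed": sorted(scopes & ALLOWED_SCOPES),
        "excessive": sorted(excessive),
        "sensitive": {s: SENSITIVE_SCOPES[s]
                      for s in sorted(excessive) if s in SENSITIVE_SCOPES},
        # A request with no scope at all is also rejected for manual review.
        "ok": bool(scopes) and not excessive,
    }


# Constructed sample requests; the client_id is a placeholder, not a real app.
BASE = ("https://accounts.google.com/o/oauth2/v2/auth"
        "?client_id=EXAMPLE_CLIENT_ID&response_type=code&scope=")
MINIMAL = BASE + "openid%20email"
BROAD = BASE + ("openid+email+https%3A%2F%2Fmail.google.com%2F"
                "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive")

if __name__ == "__main__":
    for name, url in (("minimal", MINIMAL), ("broad", BROAD)):
        print(name, review(url))
```

Run against the login URL an app build actually generates, a check like this fails the build when the request asks for more than the allowlist, before any user sees the consent screen.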

Image courtesy of Flickr user Sadie Hernandez.

Melanie Medina

Sr. Director of Digital Marketing at IdentityForce
Melanie is a native of Bolivia who has lived in Boston for over 10 years. She likes to make time to travel, jog, read, and play backgammon. Fueled by copious amounts of coffee, Melanie stays on top of her to-do list while also keeping abreast of identity theft issues. Serious data breaches are happening all the time in the U.S. and Melanie loves being part of a solution that brings peace of mind to families across the country.


2 Responses to Pokémon Go Security Issues

  1. Tyson says:

    Can you link to the location of the update? Or is this as simple as deleting the app and then re-installing it?

    Thanks, Mel!

    • Identity Force says:

      Hi Tyson,

      You should be able to update it directly from the App Store on your iOS device.

      Hopefully that helps!
