It’s been an interesting week as Pokémon fever has taken over the country. Whether on your way to work, out shopping in town, or even looking out your front windows, you’ve probably seen random groups of people running around, cellphones in hand, frantically searching for Pokémon characters. The game they’re playing, Pokémon Go, is a mobile game that creates an augmented reality world — and it has become an overnight success for Nintendo.
Amid the buzz, however, have been reports that Pokémon Go has a major security flaw that allows the game’s developers to access players’ Google accounts. Niantic Labs, the company that developed the game, released an update on July 12 that allegedly addresses the security problem, but here’s what you need to know about what happened (and how to fix it).
The Pokémon Go Security Flaw
There are two ways to sign up for Pokémon Go after downloading the app: creating a Trainer Club account through the game’s website, or linking your Google account through the app. Many players didn’t think twice before connecting through their Google accounts because it was the quicker, easier option and they had no reason to believe it wasn’t safe.
Adam Reeve was the first person to call attention to the security risk when he realized that using your Google account to sign up meant that Pokémon Go would have full access to your information. According to Google, full account access means:
“…the application can see and modify nearly all information in your Google Account (but it can’t change your password, delete your account, or pay with Google Wallet on your behalf).”
Google doesn’t break it down for you, but basically, this means Niantic Labs can read your e-mail, send e-mail as you, check your calendars, access any documents you have in Google Drive, see your search history, view your Maps navigation history, and take a look at any photos you have in Google Photos. You probably wouldn’t even share most of this information with your closest friends — so why would you share it with the developers of a Pokémon game?
Niantic Labs Fixes the Problem
It appears that this issue was isolated to Apple’s iOS operating system, so at this point, it doesn’t look like Android users were affected. Niantic Labs responded to the finding by saying that Pokémon Go really only accesses basic account information and that the “full account access” permission was a technical error. They released an update on July 12 that fixes smaller problems like log-in issues and crashes, and the update also says that it “fixed Google account scope.” Now, the developers can only see your Google ID and e-mail address.
Have you fixed the flaw on your phone yet? If you are playing Pokémon Go using an Apple product, you need to:
- Download the update
- Sign out
- Sign back in
Once you do that, you’ll see a new permission request screen — one that asks for a lot less information. From there, your game should be up-to-date and you’ll be ready to “catch ’em all” again.
It seems like Niantic Labs truly did not mean to enable full account access, but it’s an important lesson for everyone who downloads apps. Any app developer can enable full access, but many people don’t pay enough attention to notice. Before you download anything, make sure you understand the amount of privacy you’re about to give up and the potential security risks, because this is the type of everyday carelessness that identity thieves rely on.
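As an added illustration of the least-privilege lesson above (not code from Niantic, Google, or this article), the following Python example reviews a constructed list of app grants and flags any permission beyond the Google ID and e-mail address that sign-in needs. The app names, the function names, and the `FULL_ACCOUNT_ACCESS_PLACEHOLDER` label are assumptions; the article does not name the underlying scope string.

```python
# Scopes sufficient for "Google ID and e-mail address" sign-in (standard OpenID
# Connect scope names plus Google's userinfo equivalent).
SIGN_IN_SCOPES = {
    "openid",
    "email",
    "https://www.googleapis.com/auth/userinfo.email",
}

# Google API scopes mapped to the kind of data they expose.
SCOPE_EXPOSES = {
    "https://mail.google.com/": "read and send e-mail",
    "https://www.googleapis.com/auth/calendar": "calendars",
    "https://www.googleapis.com/auth/drive": "Drive documents",
}

# Hypothetical label standing in for the "full account access" grant; the
# article does not give the real scope string.
FULL_ACCESS = "FULL_ACCOUNT_ACCESS_PLACEHOLDER"


def review_grant(app, scopes):
    """Return a finding dict describing what one app's grant exposes."""
    excess = sorted(set(scopes) - SIGN_IN_SCOPES)
    if FULL_ACCESS in excess:
        severity, exposes = "critical", ["nearly all account data"]
    elif excess:
        severity = "high"
        exposes = [SCOPE_EXPOSES.get(s, "unknown scope: " + s) for s in excess]
    else:
        severity, exposes = "ok", []
    return {"app": app, "severity": severity, "excess": excess, "exposes": exposes}


def review_all(grants):
    """Review every grant and return findings, worst first."""
    order = {"critical": 0, "high": 1, "ok": 2}
    findings = [review_grant(g["app"], g["scopes"]) for g in grants]
    return sorted(findings, key=lambda f: (order[f["severity"]], f["app"]))


# Constructed sample of what an account's third-party access list might hold.
SAMPLE_GRANTS = [
    {"app": "game-before-update", "scopes": [FULL_ACCESS]},
    {"app": "game-after-update", "scopes": ["openid", "email"]},
    {"app": "notes-sync", "scopes": ["email", "https://www.googleapis.com/auth/drive"]},
]

if __name__ == "__main__":
    print(*review_all(SAMPLE_GRANTS), sep="\n")
```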
Image courtesy of Flickr user Sadie Hernandez.