Millions of people who downloaded the runaway hit “Pokémon Go” game to their iPhones over the past week granted massive amounts of user data to the game’s developer. The company, Niantic Inc., fixed the issue Tuesday with an app update, but the episode is a reminder of how easy it is for smartphone users to give carte blanche access to private data—and how much other information apps like this regularly collect.
The issue occurred when iPhone users signed in to Pokémon Go through their Google account, and Niantic requested full access. With the update, Niantic is only requesting access to basic account information, such as a user’s name and Gmail address.
Any app with full account access can “see and modify nearly all information in your Google Account,” according to Google’s My Account privacy controls. The app can’t change passwords, delete accounts, or make Google Wallet payments, but it can see the contents of Gmail, Google Docs, Google Drive and Google Calendar.
Niantic said that the request was a mistake, and that it never did dive deep into the Google accounts of iPhone users. Ari Rubinstein, a security engineer at Slack Technologies Inc., found that, as Niantic said, it doesn’t collect any data beyond a Google username and email address, according to his post at the code-sharing website GitHub.
Niantic’s new permission request only asks for “basic Google profile information, in line with the data that we actually access,” it said. Players who installed “Pokémon Go” on an Android device and logged in with their Google accounts only granted Niantic access to their Google username and email address.
The issue occurred when iPhone users signed in to Pokémon Go through their Google account, and Niantic requested full access. With the update, Niantic is only requesting access to basic account information, such as a user’s name and Gmail address.
Any app with full account access can “see and modify nearly all information in your Google Account,” according to Google’s My Account privacy controls. The app can’t change passwords, delete accounts, or make Google Wallet payments, but it can see the contents of Gmail, Google Docs, Google Drive and Google Calendar.
Niantic said that the request was a mistake, and that it never did dive deep into the Google accounts of iPhone users. Ari Rubinstein, a security engineer at Slack Technologies Inc., found that, as Niantic said, it doesn’t collect any data beyond a Google username and email address, according to his post at the code-sharing website GitHub.
Niantic’s new permission request only asks for “basic Google profile information, in line with the data that we actually access,” it said. Players who installed “Pokémon Go” on an Android device and logged in with their Google accounts only granted Niantic access to their Google username and email address.
Comments