A security risk has been pointed out: Pokémon GO (iOS) automatically gets permission to view Gmail, Google Drive, search history, and private photos

In the game "Pokémon Go", where you catch Pokémon and battle with others while walking around real cities, you need to link either account or a Gmail account at the time of account registration. It has been found that if you choose to link a Google Account when registering with the iOS version of Pokémon Go, access rights to all kinds of information are automatically approved: viewing and sending Gmail; viewing, editing, and deleting files in Google Drive; viewing Google search history and Google Maps navigation history; and viewing private photos saved in Google Photos.

Pokemon Go is a huge security risk - adam reeve

Pokémon Go is automatically granting permission to read your Gmail | The Verge

According to Adam Reeve, the IT architect who discovered this problem, Pokémon Go requires linking with either the account or a Google Account when you start playing, but at the time of writing, new account registration cannot be done. Therefore, someone who does not already have an account must link a Google Account to play Pokémon Go.

Maintenance | The Official Pokémon Website |

When Reeve launched the iOS version of Pokémon Go and proceeded to link his Google Account, he was apparently redirected to the login screen, but the screen for authorizing the account link did not display the notice telling the user what kind of account information the application wants to access. Curious, Reeve looked at his Google account settings and found the statement "Pokemon Go has been granted full account access to your Google account".

According to the Google support page, "If the application is granted full account access, almost all information in the Google account can be displayed or changed". In other words, reading Gmail, sending mail with Gmail, browsing, editing, and deleting files in Google Drive, browsing search history and map navigation history, and accessing private photos stored in Google Photos are all automatically authorized for the Pokémon Go application. Furthermore, if you have set your Gmail address as the contact email address for another account, Pokémon Go and its developer Niantic Labs will also have access to other accounts owned by the user.

After noticing this behavior, Reeve apparently revoked Pokémon Go's permission in his Google Account settings immediately and deleted the Pokémon Go application itself. Reeve criticized it, saying "Niantic is not trying to collect users' personal information through Pokémon Go, but this is too careless a specification", and explains that the permission settings of a Google account can be changed from the following page.

Personal information and privacy settings

Note that the Android version of Pokémon Go does not seem to automatically approve full account access to the Google account the way the iOS version does. Also, the same phenomenon does not occur for all users even on the iOS version, and the reason why this is happening is unknown.

The news site Tech Insider said, "Because Pokémon Go will soon have a Pokémon trading feature, these privileges may be needed to do so."

Pokemon Go will get Pokémon trading - Tech Insider

Niantic, the developer of Pokémon Go, said, "We found a problem in Pokémon Go's iOS application in which it mistakenly requests full access to the user's Google Account when registering an account. Pokémon Go only uses basic information such as the Google user ID and email address, and we will not gather information on the user's Google Account. We are currently working on fixing this issue, and Google is also confirming that Pokémon Go and Niantic have not accessed personal information."

IOS version of Pokémon Go is a possible privacy trainwreck [Updated] | Ars Technica

in Mobile, Software, Game, Security. Posted by darkhorse_log