Gamers who have downloaded the Pokémon Go augmented reality game were given a scare on Monday, after noticing that the app had apparently been granted “full access” to their Google accounts.
Taken at face value, the permissions would have represented a major security vulnerability, albeit one that only appeared to affect players who signed up to play the game using their Google account on Apple devices.
The discovery sparked a wave of fear that playing the game might allow its developers, Niantic Labs, to read and send email, access, edit and delete documents in Google Drive and Google Photos, and access browser and maps histories. In fact, both Google and Niantic Labs, say that “full access” counterintuitively means nothing of the sort, a claim backed up by independent security researchers. The issue appears to stem from the fact that Niantic Labs uses an outdated version of Google’s shared sign-on service.
Typically app developers use this approach to make sign-up quicker and easier for players – it uses existing credentials stored on your phone so you don’t have to create yet another online account. Usually apps only require basic information such as your name, email, gender and location and this is explained clearly at the point of sign-up.
Used correctly, shared sign-ons should ask the user what permissions they want to grant the app, and any permissions beyond the basic requirements are clearly highlighted. But it seems that because Niantic Labs used an unsupported, out-of-date version of the sign-on process, that permission-granting step was skipped, prompting Google to default to warning users that the app had “full access” to their accounts.
Slack security engineer Ari Rubenstein has confirmed that, despite the misleading entry, only basic permissions are granted to the app. “‘Full account access’ is not the best wording, and should probably be changed on Google’s end,” Rubenstein wrote. “My best guess for what is happening is that one of the scopes is a legacy ‘login’ scope from OAuth1 which may be leading the UI to default to ‘Full account access’, when in reality, it only has the above perms.”
Rubenstein was unable to access user emails or calendars, two of the most personal types of data in most Google Accounts, using the permissions granted to Niantic, suggesting that the episode really is the result of a mislabelling. There is nothing to suggest that Niantic Labs intentionally sought to gain access to users’ personal data, and the company rapidly issued a statement saying no information had been accessed and that it was working with Google to fix the misleading permissions. The company’s other augmented reality game, Ingress, only requests a user’s basic profile information.
“We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user’s Google account,” Niantic said. “However, Pokémon Go only accesses basic Google profile information (specifically, your user ID and email address) and no other Google account information is or has been accessed or collected.
“Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go’s permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves.”
The extent to which blame for the scare should be apportioned between Google and Niantic is still unclear. While it was Niantic’s choice to use an outdated log-in method for no obvious reason, it was Google – the much larger, more security-conscious company – that misrepresented the limited permissions granted as “full access”.
The scare is just one of many ways that the stratospheric rise of Pokémon Go has led to extra focus from the security community. Security researchers at Proofpoint have spotted a malicious version of the Pokémon Go Android app that has been infected with a remote access tool that gives attackers full control over the victim’s phone.
The malware hasn’t made its way on to Google’s app store yet, but it was discovered in an online file storage service, being marketed to unsuspecting users as the genuine game. Because the game hasn’t been rolled out globally yet, some users have been downloading Pokémon Go from third parties, running the risk of infecting their devices with the unofficial software.
“Rogue apps can be hard to differentiate from real apps. It’s a really scary proposition and it’s getting progressively worse,” said Stephen McCarney, of the security company Arxan Technologies. Domingo Guerra, founder of mobile app security company Appthority, agrees. “It seems to have been done by mistake,” he said, warning users to reconsider downloading the game until the problem has been fixed.
“Once you grant access you never know what a third party can do with your account,” he said. Having access to your email account could allow a malicious attacker to change passwords on all sorts of services including online banking, he warned.
110 Reykjavik, Iceland