It's worth noting that Niantic Labs (the folks who licensed Pokemon from Nintendo and made Pokemon Go) are actually owned by Google [0]. This is Google giving itself permission to do Google things. Dollars to doughnuts they tried to use some internal-only API because things kept falling over at pokemon.com. Is this a massive UX failure? Certainly. Is giving Google permission to access Google stuff a "Huge security risk"? No more than putting your stuff in Google's hands in the first place.
Niantic are also the folks behind Ingress, if you've heard of that.
Google has extremely strict safeguards in place to prevent eg. employee Joe from accessing ex-girlfriend Mary's Gmail. Very few people would have full access to individuals' Google accounts. This kind of privacy breach would be very damaging to Google.
Niantic is a tiny startup with around 50 employees. I would expect most developers within the team would have full access to the production database, or would be given access if they had a need for it. It's unlikely that there's any oversight over who can access data - it's just a 'game'.
Where are their backups stored? Are they encrypted? Who has access to the decryption keys? We don't know, but I would bet any amount of money that their systems are vastly less secure than Google's are.
The relationship between Google and Niantic isn't relevant as to whether they are capable of keeping these credentials secure.
> Google has extremely strict safeguards in place to prevent eg. employee Joe from accessing ex-girlfriend Mary's Gmail
I know a bit about google's internal privacy safeguards (including how long they've been in place), and I know a bit (nothing that wasn't in the news) about the NSA's internal privacy safeguards from a certain point in time.
Obviously I don't know what it's like at the NSA today, but it's worth laughing (or crying) at the fact that there was a time when Google placed more restrictions and security in place to protect its users from rogue employees than the NSA did.
That's because the NSA does a lot more thorough background checks and has a nation-centered mission, while Google hires people relatively unchecked and of all nationalities and all over the world.
And in terms of abuse (i.e. LOVEINT), which strategy do you think has proven to be more sound? Hiring only good people, as verified by a thorough background check? Or hiring probably good people, and then using robust checks and balances anyway?
Even if they are a startup within Google, what does that mean for my security as a user?
Do they store this API key with full access to a Google account the same way that an official Google app (e.g. Gmail itself) stores my secret data? If so, I probably trust it. Or do they just throw it in a GCE database without a whole lot of thought around a security policy since they're still a fast-moving startup, and maybe my credentials get logged somewhere, or synced to an analytics system that's not treated as classified and a whole bunch of employees can inadvertantly access, etc
Seems like I have no way of knowing (unless maybe it's in their terms of service?). It could very well be a "Huge security risk"
You're absolutely right - Niantic's history with Google does not preclude them having crummy security practices that we aren't aware of.
However, "Popular thing possibly has crummy security practices (we just don't know)" isn't HN-worthy, it's just FUD. I think both of us would prefer a HN full of well-researched articles over one full of clickbait FUD.
>However, "Popular thing possibly has crummy security practices (we just don't know)" isn't HN-worthy, it's just FUD.
Bullcrap. Best security policy is trust, but verify.
Assuming that well established businesses have good security practices without doing proper review is what allowed all those fraudulent SWIFT transactions to go through a few months ago. It's perfectly valid to ask why the hell Pokemon Go thinks it needs access to your private email.
Actually, that's all there is to "research" about this topic, as there is nothing available to read around what they could possibly use the full access tokens in any terms of service or application literature.
Not FUD to me. I am not going to install Pokemon Go until this is cleared up. I am glad he pointed it out, since I may have clicked through given I would have made quick judgements about them being Google-owned.
One thing the article is wrong about is that you can create a new account a pokemon.com (bypassing the google kerfuffle). You just need to keep reloading until it let's you past the "try again in an hour" message.
Right, so not only did they spend a significant amount of time steeping in Google itself, the big G then invested a significant amount of cash into the now-spun-out company. I'd say that qualifies as 'owned'.
How does that make the permission creep OK? If they were part of Google, and already had access to the data, that's one thing. But they aren't, and they don't.
Even if Google Inbox were asking for full permissions I'd be extremely sketched out about that, but it wouldn't happen because Google developers are, by and large, on top of things.
A third-party company, even with significant investment and history with Alphabet, requesting full access to my Google account despite needing ZERO access (i.e. for what they need, requesting no permissions would suffice) is sketchy and inherently untrustworthy.
Pretty much. Google was trying to cram the entire Chrome OS platform in their browser a while back (remember Chrome's Windows 8 mode?), although they've kind of taken a step back from it lately.
Niantic Labs became independent from Google during the forming of Alphabet so it is to say you are still giving an independent third party access to your google account.
This doesn't mean shit. You still give another legal entity access to your data. Different company, different people, different management, different EULA.
I saw the prototype of Pokemon Go in 2014 as an April 1st campaign by Google Maps, surely this is a very tight bond with Google. I won't worry about it either.
>Dollars to doughnuts they tried to use some internal-only API
Not at all necessary for this situation to occur. I just finished implementing a system (nothing to do with Pokemon) that also requests permission from external sites in a similar way. The mechanics for doing this are fiddly and checking this is actually set up correctly is likely well down the priority list provided things at least appear to work.
It is entirely possible that someone who had never done it before set it up in a hurry then everyone in the dev team just blindly clicked through without ever properly reading what was being requested because they were all in a rush to finish their stuff.
Most tech people realized 20 years ago email is a terrible place for confidential information unless you have OPSEC and use PGP. If you trust your plain text email traveling around the world and stored in Google's cloud it seems stupid to worry about someone accessing it.
Also Gmail allows you to create more than one account. Instead of all this alarmism in media just tell people they should create a separate account in Gmail just for games instead of using the one you are worried about some big billion dollar company accessing it (which they already do).
"We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves."
I actually just finished wrangling social log in for a system that is waaaay less popular than Pokemon GO. Rather amusing to see an organization operating at a vastly bigger scale still hitting the same sorts of speed bumps.
If google auth as a platform grants full access to your google account without any sort of confirmation, isn't that the security risk? Whether or not it's intentional or malicious on the part of Niantic, that seems like the real problem here.
Yes! I did notice there wasn't a "This app will have access to…" screen when I signed up (I've never seen that before), but that just made me assume they were asking for like the absolute minimal permissions possible or something.
"[random game on a whim] has Full Access to your Google Account" is scary
To my knowledge, this is known bug in iOS that the Google auth grant inadvertently gives all permissions. You'll note that other users below report this only happening on iOS and not Android which shifts the risk away from Niantic/ Pokemon Go and towards Google itself, as you've mentioned.
Yeah, I had no idea when I signed into Pokemon Go with my Google account that it was doing anything scary. I didn't even consider it would be granting full access to my account. It's almost like Google treats that as the default case, and it's an exception that they style differently when the app requests a particular scope to limit its access.
Yeah, I agree. I strongly suspect that the scope of permissions requests was an oversight (e.g. Just ask for everything now, we'll pair it down once we know what data we need). Additionally, while I don't like the idea of having Niantic having access to my entire Google account, let's remember that Niantic started as a Google company, and is now under the Alphabet umbrella, so have a vested interest in keeping things on the up-and-up. Lastly, Nintendo is up 35% thanks to this game (about $7B), and I strongly doubt that there is anything they could gain from scraping/abusing these Google accounts that would come even close to that type of impact. My money is on "bad development process and oversight", and this is just one of many rough edges that I've already noticed in the software.
> I strongly doubt that there is anything they could gain from scraping/abusing these Google accounts that would come even close to that type of impact.
I'd have said the same about VW's emissions cheating scandal before it broke.
This was the case on an android phone using Google login. His nexus 6X was on a beta build so he was unable to install the app. He started playing the game on an older device while he downgraded his 6X. After it was complete, he logged into his 6X using his google credentials and it prompted him to start over.
I've yet to try that, but I can. I'll report back in a few. Having trouble logging into my iPod... will see if I can get my coworker to remove it from his older device.
And just like that I will never sign in with Google anywhere ever again. I just assumed that an app couldn't grant itself full permissions without notifying me, but now I can see why that might not be the case since they are free to present whatever UI they want in app.
In my dream world Google would revoke Niantic's API access forever in order to make an example out of them. Maybe, eventually, if they can prove that they didn't hoover up all the information they had access to they can be unbanned after a year.
Unlikely though considering they used to be a part of Google.
This is a fundamental security issue due to a combination of the OAuth protocol and UIWebView (and whatever the Android equivalent is), which I've posted about before [0]. Basically, the problem is that OAuth depends on web-based access granting, but an app has full permissions over the DOM of the WebView where the OAuth screen is. So you're entering your password into a WebView of a third party URL, but unlike a traditional safari page, the WebView is fully "owned" by the app, so the developers can inject arbitrary code into the DOM of the third party website.
There is no technical limitation to an app engaging in very nefarious activity. For example an app could modify the DOM on the sign-in screen to grab your password after you enter it. Of course the accountability of MITM and security reviews might mitigate this risk, but passwords are generally only a few bytes and could easily be obfuscated and passed surreptitiously over the wire.
I've seen a (quite popular) app implement this for facebook invitations, which should only have a limit of 50 friends, to secretly (in the background, without any action on your behalf other than logging in, or perhaps pressing a "continue" button) invite every one of your friends to download the app. Since facebook does not notify you when you send an inviation, you would not even know the app did this unless one of your friends who you invited asked you about it.
It's because the app has access to and control over the DOM of the UIWebView. Suppose some app called EvilGameFoo is asking you to authenticate with your Google account. They should kick you to a UI controlled by Google, which EvilGameFoo cannot in any way inspect or access, where you enter your credentials. Google then tells EvilGameFoo that they can vouch for you. Instead, UIWebView lets the app asking you to sign in via an identity provider inspect the DOM of the UK where you enter your credentials. Hence it lets EvilGameFoo read your password.
How are you supposed to know that it is actually a UI controlled by google and not a simulation of a UI controlled by google?
The OAuth model not only enables phishing directly even worse than that, it disarms people's natural skepticism towards phishing attempts. Its adoption was a terrible idea.
Well, on the web you're generally following redirects to a URL. You can verify the owner and authenticity of the host. (A phone app could kick you out to a browser app (not a web view) to authenticate.) Then after you've signed in and granted permission on, say, Google, Google will redirect you to a URL that the other app configured with Google. On a phone that URL should have a host or protocol that the app has registered with so your phone's OS will kick you back to the app after you signed in on the web browser.
Of course, you're absolutely right that it would be trivial to spoof, say, Google or Facebook or Twitter and collect credentials. I would _hope_ that behavior would be detected by Apple or Google during app security screening, but maybe not. Regardless, I totally agree with you about OAuth and security. It does present a lot of problems.
Google could send you a confirmation email which is the second factor in this oauth flow. It makes it more annoying, but more secure. It's always a trade off I guess.
Right, but what if they didn't use the UIWebView tactic and instead used custom chrome to submit the data. Couldn't they just tap it at that level?
Outside of the Android model where it does the auth for you upon request and only hands the app a token, I don't really see how you don't open yourself to this attack.
iOS really doesn't provide a way for other vendors in an inner ring of consumer trust and power to deal with this. While I'm not a fan of the decision to give full access to Pokemon Go, I didn't find it surprising that it did so on iOS and I had to make a conscious decision to "trust" Pokemon Go as part of the process.
Oh yeah, for sure, there are plenty of other ways a nefarious app could scrape a user's credentials during OAuth on iOS.
If UIWebView didn't allow the app access to the DOM then it wouldn't be possible this way. But,of course, the user has no way to know how the UI is implemented.
> In my dream world Google would revoke Niantic's API access forever in order to make an example out of them. Maybe, eventually, if they can prove that they didn't hoover up all the information they had access to they can be unbanned after a year.
I'm really glad you're not making that decision then. Banning some company based on their use of public, legal APIs would be an absolutely toxic decision for Google's platform.
It's Google's fault for allowing this kind of access with no notification (yes, the fault here might lie somewhere in OAuth, but there's plenty that Google could do to make this less serious). Don't blame people for leveraging options at their disposal.
Elsewhere in the thread it is alleged that this is a bug (or misbehaviour) with Google's iOS authentication library. It's possible that Niantic is not requesting any permissions and the library defaults that to 'full access' and not 'no access'.
This issue only affects apps though. When granting OAuth permission via the web, you are actually redirected to google's website, and then afterwards redirected back to the site you were on.
Which probably isn't very helpful, as lots of users won't notice whether they are using a browser or not.
Does anybody know how Pokemon Go ends up interacting with accounts that have 2 factor authentication turned on? I sure wouldn't type my main password into some app, I'd at least use an app password:
The other day someone's web app I clicked on, and it automagically signed me in with Google and added itself to my connected apps. Cloudcraft.co, I think it was. When I hit their signup link, it auto-signed in with Google without me even clicking their Google button.
After I disconnected it, it didn't behave that way a second time. So I am kinda mystified what happened there. But it was pretty strange.
I am very hesitant to accuse the app of doing something intentionally shady like that. I don't really :know: what happened, and I couldn't replicate it myself after removing the app from my account and visiting it again.
> I just assumed that an app couldn't grant itself full permissions without notifying me, but now I can see why that might not be the case since they are free to present whatever UI they want in app.
Is that the case? Doesn't this still require going through the standard prompts?
Anecdote: On Android 6.0 the Pokemon Go game requested 4 permissions on first launch. Account, Camera, Storage, and one other I believe. I had to individually approve each one.
"Pokemon Go Release" has "full access" and yet "Ingress" (a game very similar to Pokemon Go from the same company) only has "basic account info". I removed the access and when I started the app, it crashed right away. (I'm on iOS, by the way.) Subsequent launch I'm stuck on the "LOADING..." screen, and then it says "Failed to get player information from the server." I hope the servers are just down and I didn't lock myself out. (Or maybe I should be glad until this fix this breach.) Edit: Deleting the app and reinstalling allowed me to log in again.
It appears to be the iOS version only that's doing this, according to this article:
When I checked this morning Ingress also had full perms. I revoked and reconnected and Ingress only had basic account info. I was also queried appropriately.
Possibly this was fixed on Ingress sometime in the last X months but not on Pokemon Go.
on iPhone 6s, checked and saw it had full access. I revoked access and opened the app up. It was stuck loading so I logged out and back in. Went back to check app permissions on google and it had full access again.
Yes. I'm not sure if I need to re-log in the app or not though. Maybe if it didn't freeze and I didn't have to re-log then it might have left the access revoked. But it seems that once I re-log the full access goes back into effect.
Just chiming in that I am another person (using a OnePlus One with cyanogenmod) that does not even see pokemon go in my "Apps Connected to your Account".
ditto. Recent android phone. This worries me almost as much as the full access issue, cause I definitely signed it to my google account via the app yesterday.
"[T]his section of the privacy page on the Google account settings website is only showing up for those that have played on iOS and signed in using the Google button. Android users who used the same login method are not seeing the “Pokemon Go Release” at all on the permissions site (nor do they see Ingress), so we’re not sure yet if those users have trusted Niantic with their entire Google account as well." source: http://9to5google.com/2016/07/11/psa-pokemon-go-full-access-...
Yeah it's not showing anything in my google app permissions. I assume it signed in using google play services (it was automatic, I never selected anything), and that's where the in app purchases seem to go.
Caveat: I've seen a number of players state or imply that playing this game has been the first decent exercise they've had in years. Lack of exercise is a far greater threat to your well-being than having your Google account hacked, so if that's what it takes, go ahead and play the game anyway.
> Lack of exercise is a far greater threat to your well-being than having your Google account hacked...
This is by no means universally true. Plenty of people get enough exercise outside of the app, and plenty of people have Google accounts for which compromise could be very significant.
It should at the very least be disclosed in the OAuth flow that I'm giving away admin rights to the app. Facebook's flow won't even let me give away my email address without an explicit decision to do so. The current silent-but-deadly flow is inexcusably risky.
Pokemon Go, like most apps, is likely just a fad. In a few months, only a few thousand die hards will still be playing it. But the full access permissions will still be there.
You should try the Go game. It may have some lasting power I haven't seen yet, but its not the normal Pokemon game by any stretch. The core gameplay is actually pretty boring once you've done it for a little while (i.e. once the initial euphoria of catching things wears off).
Oh I have been playing and while it is far inferior to the core Pokemon gameplay, I have met over 30 new people because of this game in less than a week. People who I've never talked to at work, I am now talking to.
I have honestly never used an app that has brought me closer together to the people around me. I don't see this being a fad.
Point. If you use a lot of things that require access permissions, maybe it should be part of your spring cleaning or some such to look through what you've given permission for, and cancel anything you haven't used in the last six months or whatever.
Full access is bad enough, but the really dodgy thing going on is that you never get asked to approve or deny that access for Pokemon Go when doing the OAuth flow. You just log in, proceed through 2fa, and you're magically logged into the app. Pokemon Go Release then shows up as an authorised app... except I never authorised it.
My theory is that they're injecting JavaScript into the web view to automatically press the 'Approve' button and hiding that from the user. If true, that's very worrying. They'd be effectively circumventing the whole OAuth framework by forging the user's approval of the app. Every user should have been asked up-front whether or not they wanted to approve or deny Pokemon Go's full access.
A lot of aspects of Pokemon Go are less than polished from an app dev perspective. The way they ask for device permissions doesn't follow best practices at all (no explanation of why they need them). The interface has too much explanatory text in some places (how much useless backstory did I need to click through to start playing?) and not enough in others (it took me forever to figure out what I was supposed to do once I found a pokemon). My sister-in-law was complaining about how all the pokemon graphics are very 2D, when they could easily have sprung for some shading or shadows.
I suspect they built an MVP and launched it and it happened to take off, and we'll see some more polish in the future.
For this particular issue though - I'd bet that Niantic has some sort of data-sharing agreement with Google, anyway, making this point moot. They started as an internal startup at Google, and they make really heavy use of the Maps & Places APIs that would probably cost a fortune if they didn't have some sort of bulk data sharing agreement.
That's due to a Clinton era law Children's Online Privacy Protection Act of 1998 (COPPA). It forbids companies form collecting personal info from children under 13 without their parents permission.
What's funny is that nobody seems to provide a workflow to actually create accounts for kids. I want to set up a supervised google account for my son for hangouts et al... and I have no idea how. I guess that's not a thing.
Haha, I remember getting this signed and then faxed by my dad when I was like 11. Funny seeing it here because I first learned HTML from Neopets (anyone else?). HTML brought me to javascript and computer programming in general. 15 years later, that form is still up and I guess kids are still playing Neopets. And now I am here, weird.
That's their stated policy, but we've previously been able to get an under-13 child account though support by verifying parental consent, which is all COPPA requires in the U.S.
Kids know they have to lie about their age online to get access to anything worth having. My 9-year-old has been doing it as long as she's been allowed to use the internet.
Yes, so if the age is under 13 the "Google" option to signup is disabled. So you are forced to use the "Pokemon Trainer" account which I know nothing about.
I have no comment as to whether this is a violation or not; I know nothing about Pokemon Go. I'm just pointing out there is already extensive regulation here.
Right, I meant I hoped they'd actually do some saber rattling or action.
When you first sign up you have to enter your age, I don't know if there is a minimum age for the game. As an adult I'm old enough to get through that prompt.
I tend to trust easy to revoke, well tried auth mechanisms over someone's home-grown version—especially judging by e.g. playstation network's terrible history. I simply don't trust Nintendo to not require me to reset my password with a breach, and I'm lazy as hell.
Yikes, I had no idea who Monte Davidoff was. I've actually read his floating point routines! This is embarrassing; I wish I could edit my other post still.
Anyway, my point stands—Bill started as a coder, good enough to code on the pdp-11(?); Steve never was one.
Who uses their "main" Google account for these one off services anyway? I can't imagine it would be too popular to keep pseudo-anonymity. you don't want to post lol cats from the same account you use to send your resume, I would think.
Is that a rhetorical question? Probably 99% of people playing this game who sign in using Google use their main (only) Google account. I'm sure it never even occurred to them to make a second one for something like this -- that would just be a hassle.
Isn't Niantic actually affiliated with (part of?) Google in some way? So it would seem natural, if odd, that it doesn't ask for full permissions for the account is actually already has full permissions to. In the same way google docs doesn't ask, but gets, full permissions to your google account, or google+ doesn't ask, but gets, full permissions to your google account.
Well then that is a strange security lapse on Google's part. A spin-off company that had internal high-level access privileges, is spun off, and can still retains those high-level access privileges? That seems like a mistake somewhere.
I don't know the android ecosystem well. Can any random app ask for and be granted full access without informing the user of that elevated access request?
Here I thought the article was going to be on how Pokemon Go encourages people to wonder into dangerous or restricted areas while paying attention to their phone. The odds of someone getting attacked in a rough area would seem to go up with such an app given how critical situational awareness is. I don't know enough about how the app works to assess that, though.
One app that got me thinking about these things was Google Maps. I noticed it directed me through The Hood of a murder capital to save 3 minutes on a route. An area where people are known to surround cars or level guns on their owners. I had to wonder how much more risk like this is in any GPS-enabled app that sends you from point A to B.
There was a lot of controversy previously about mapping applications having "Avoid" areas. They were basically neighborhoods with high crime rates which also happened to be neighborhoods with high minority populations. Small business owners/home owners didn't like being grouped as "avoid" when they didn't have any real control over it. Or something like that.
A prior comment related to Amazon Prime's apparent discrimination. I pointed out that Prime was avoiding crime not minorities. Local drivers, which Amazon outsources to, confirmed it for me personally in an unofficial sense where they agreed & personally wouldn't deliver to those areas.
So, it's a recurring theme but the crime angle is usually downplayed by left-leaning media. I agree with Microsoft's approach but I urge companies focus on crime statistics. There are many areas that are white and have tons of violent crime. Many areas are black with little violent crime. It needs to be about avoiding violent areas rather than minority areas specifically.
Just look up top 10 cities or metro areas for violent crime. Memphis Metro Area, in and around Memphis TN, is one of them on most years. We have lots of good areas and things going on with the worst stuff mainly in impoverished, minority areas. Lots of street gangs that maintain efficiency and image with armed robbery, murder to solve disputes, and/or initiation by murder of innocent, harmless people. Impoverished, white areas are fairly safe with their crooks mainly doing property crime or con jobs. Rarely violent. Most impoverished areas I've been have a mix, though. Middle-class and upper-class areas are also fairly safe outside property crime regardless of mix. Last I checked, city was going mostly Black with lots of Latinos coming in and Whites moving out due to crime. Actually, exits from all races for that. Often outside of Memphis but having jobs inside it. Economy & education keep going downhill predictably. Many companies refuse to deliver to certain areas or leave the city since theft overtakes profits quickly. Many make it, though, with beefed up security. Local grocer has 8 security guards for one store. Police themselves guard best, Chinese, food place. Haha.
That's backdrop. Relevant here, North and South Memphis are largely the worst in terms of violence. You do not want to be in certain neighborhoods regardless of color. Even cops avoid them. Others are a risk more if you're white or look like you have property to take. Local media & cops suppress the worst of it to maintain tourism revenue (eg Elvis, BBQ) although the murders naturally get reported. Examples of censorship were kicking out The First 48 show and rape kit scandal. That Google Maps takes you right near those areas is probably why lots of people think the whole city is hood and trashed rather than just those parts. They never see the good parts unless specifically visiting them family, friends, jobs, or tourism.
So, yeah, it's a real issue. I double-check Google Maps if I'm going anywhere Downtown, Midtown, North, or South as it doesn't differentiate risky vs non-risky areas. I regularly have to force it to make safer routes. Straight-up avoid certain areas of the city unless I'm packing heat & with backup. Otherwise, still all kinds of good things to get involved in over there with most folks being alright. We just in a rough area and economy. :)
Note: As another example, BLM protestors sieged our Interstate (I-40) last night for hours then dispersed into Downtown. Local news cautioned everyone to stay away from that area for safety as it's normally dangerous but now unpredictable. Bad route at the least. Google routes still offering me a speedy trip through there, though. Unreal.
Yep, though they also soon after made a further investment in Niantic. It may sound bizarre at first, but there might be good reasons why they did that. For instance, Nintendo might've been less likely to team up with a wholly Google-owned Niantic. (purely speculation on my part)
I strongly suspect a direct Google/Nintendo tie was considered less favorable than some little ex-Google company that still uses Google servers working on a Nintendo game. The announcement timing was pretty close.
Having been created by ex-Googlers you would think they knowingly chose to get full-access permissions. I wonder if there is a some ulterior motive to the app. Some have suggested up-to-date street-view mining; that wouldn't require full google account access though.
> So now Google has access to our Google data? Don't see the issue.
Even if they were still owned by Google, a compromised phone with Pokemon Go has a nice juicy access token with admin rights to your account to siphon off.
This seems like a massive security fail on Google's part. There's no reason the OAuth flow should be able to request admin privileges silently. As a user, I really must get a prompt asking me (and warning me!).
On a sidenote: does anyone know why the fuck are the servers so overcrowded? In a world with a whole bunch of automated cloud management solutions and auto-scaling, where is the problem?
I'm running iOS 9.3.2, and signing in to Pokemon Go caused it to have full access to my Google account. Just revoked it and looks like I can still play the game just fine.
Perhaps they misconfigured the Google auth sign-in? It's rather worrisome that it's this easy for an application to gain full access to your account, though.
Did you check the permissions again? I did the same, running the same iOS version, and it just restored the same full-access when I opened the app again.
Here's a weird question. https://www.facebook.com/NationalMallNPS/photos/a.3795806520... Pokemon Go is designed to not only augment places where people already are but also to direct them to other places. My friend just ran down the Ninatic/Google connection. Can the app be used to direct people away from polling places and/or to congest areas around polling places?
To wit, would anyone be interested in tracking (I can do it for at least some locations) the locations of gyms in comparison to polling places? (I haven't used the app; can one get a location of gyms?)
[lol. let me clarify my interest would be in thwarting rather than harnessing this possibility.]
Any idea how long the signup page is down? I made my account yesterday and, when forced between using my google auth and making some pokemon.com account, it was a no brainer to not use my google account. It took me a few tries but since this is a game and not something in the realm of life-and-death, I found it wasn't horrible to actually wait. And try again.
The entire issue is predicated on using your google account credentials which isn't really mandatory. Maybe I'm overly cautious but I don't use my google account to auth anywhere. If that's the only option, and it's not a google product.. then it looks like I'm not using that service.
But, again, I made an account yesterday. <24h ago. So, is it _actually_ offline, or are people hitting the friendly little google button instead of just waiting? If it's the latter, then while I don't disagree about the gravity of requiring "All Perms" for a stupid game, I kind of feel like people deserve whatever happens for their impatience.
Don't just throw around account access, no matter how pervasive, in the name of impatience. Ever.
The game never asks for access, it's not clear in any way how much information you're giving them.
In the past I've tried to use Google to sign in to some games and been given a screen that I noped out of because of what it was asking for. That didn't happen here. I assumed they only got my email address (if that), not full email/contact/calendar history.
I checked my Google permissions. iOS has a fair amount, Mac OS X has a fair amount, Pokémon GO has more than both put together. Without asking. That's crazy.
Thing like this is why i dont use google, facebook etc and only have 4 apps. I love technology but it looks like hardly anyone is looking out for the consumer,let alone a non tech savvy consumer.
I'm more worried about my daughter getting hit by a car (because she walks in front of it, or because the driver is playing) than I am about my google account being hijacked!
I detected that immediately when I signed up with google at first. No double-checking what I was ok with sharing with the company. Had to remove their permission from my account settings right away. Signed up with their email/password system, much better.
But isn't that what the app needs from your phone? I always thought that was difference then what you are giving an app permission to do when using OAuth
On Android they're able to use the OS APIs to access that information because the google account is closely tied to the OS so the permissions there are basically permissions to the phone data because with Android they're pretty much one and the same.
Seem like a issue with Google Auth on iOS. I've logged into Pokemon Go from my Android and iPhone. I revoked the access of "Pokemon Go release" from Connected Apps page then logged in again from my Android phone. "Pokemon Go release" doesn't show up in my Connected Apps page anymore even after a login from Android.
This is completely unrelated because it isn't exploiting anything (other than humanware)
Any modified APK for any App could be loaded in with a RAT asking for full permissions. It just happens PKMNGO is popular and people are trying to get their hands on it before it is officially released in their region.
Wow. This game must be the fastest thing to skyrocket into worldwide popularity. Yesterday I noticed someone on social media talking about it. "Some random game pokemon fans like" - I figured. Today it seems like everyone around the world is playing it. And it was released just a week ago? Never seen anything quite like it.
I got a number of permission requests at runtime the first time launching the app. If anything, it appears to be running into more of the Android 6 runtime permissions.
"Normally you’d see a little message saying what data the app is going to be able to access - something like “This app will be able to view your email address and name”. For some reason that’s not shown in this case"
Not really. There is absolutely no reason for a game, or pretty much any other kind of software, apart from maybe an operating system, to have full access to your Google account. It adds a new single point of failure for everything somewhere you have no control over – I don't think "huge security risk" is unnecessary editorial in this case.
I was not asked. I put in my username, password, 2FA, and that was it. No permissions dialog - I certainly wouldn't have given it admin rights to my Google Account.
I checked that page already. I can only speak for myself but for me it has no listing on the Google Permissions page so it looks like it does permissions correctly to me.
I can't tell whether this game is the most heavily marketed social-media blitz of all time or truly viral. A virtual treasure hunt game finally gets people outside? Come on.
Oh, are you chasing virtual pets 43 minutes 23 secondes per day in average too ? I'm sorry, really, I should think more positively of the future. My bad, will improve, promess ! Let's start by creating a facebook account, we will learn the pokemon thing after, one benefit per humanity at a time.
I'm all with you for general contempt for people on HN.
I read everyday here the HN crowd claiming urgent need for an elite to set up a globalized centralized European Federal Union to get rid of nations and populism. I see people being bashed and insulted for supporting their own nation and not living for the NYSE.
Let's just throw away states, cultures, religions, and build a global free market where everyone would be happy consumer. Maybe facebook and Jp Morgan can help in this mission.
Let's celebrate the day when everyone will be chasing virtual pets on their phone. We're so in love with the people !
Niantic are also the folks behind Ingress, if you've heard of that.
[0] Specifically, Alphabet owns a significant portion of Niantic, along with Nintendo: https://nianticlabs.com/blog/niantic-tpc-nintendo/ (they were previously wholly-owned by Google).