Security Watch

Keeping Track of patches and hacks in the IT security world.

Pokémon Go Privacy Issues Bring to Light Challenge of Permissions

The popular Pokémon Go mobile game fixes a Google accounts permissions problem. Will others follow?

Download the authoritative guide:

Pokemon Go

Just days after its debut, Pokémon Go is already one of the most popular apps in the world. However, one thing that people noticed early on with the iOS version of Pokémon Go was that when using a Google account to authenticate, the app required permissions that were somewhat intrusive.

At first glance, it appeared as though the Pokémon Go app asked for permissions to get full access to a user's Google account, which could have enabled the app vendor to send and read the user's email as well as see all of the user's contact information. It's a situation that Niantic, the lead developer of Pokémon Go, has admitted to and is now fixing.

"We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user's Google account," Niantic stated. "However, Pokémon Go only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected."

Niantic now has a client-side fix in place to adjust the permissions request so as not to get access to more data than is needed. The company emphasized that Pokémon Go didn't actually get more information than what was needed.

Niantic's quick response to this issue is admirable, and it seems clear to me that this was just an oversight with no intention to violate user privacy. The whole permissions system that is used to connect to Google accounts to validate a user is, however, somewhat problematic. The authentication for Google accounts is granted by way of the OAuth protocol, which is commonly used across the modern Internet.

Security researcher Dan Guido took a look at how OAuth was implemented in Pokémon Go and found it to be somewhat lacking.

"The OAuth login flow fails to adequately describe what permissions are being requested and silently re-enables them after they've been revoked," Guido wrote in a blog post. "Further, the available documentation fails to adequately describe what the token permissions mean to anyone trying to investigate them."

Pokémon Go, of course, isn't the only mobile app that makes use of Google accounts or OAuth to authenticate. I've had more than my share of concerns about many different applications, mobile and desktop, that implement OAuth in a way that appears to be risky to personal privacy. For example, there are lots of different chat room-type clients that first require an OAuth authorization using the user's password, and sometimes those apps ask for more permissions than are needed.

As Guido points out, with Google, it's a good idea to check what apps you've granted permission to with the Google Security Checkup. It's also a good idea to make use of two-factor authentication.

Google isn't the only OAuth provider that sometimes may be providing too much access. Facebook and Twitter can as well, so be sure to check out the applications you have authorized for those platforms too.

Whether you like Pokémon Go or not, one thing here is for sure: It has now raised the issue of app permissions to a new level.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.