Just days after its debut, Pokémon Go is already one of the most popular apps in the world. However, one thing that people noticed early on with the iOS version of Pokémon Go was that when using a Google account to authenticate, the app required permissions that were somewhat intrusive.
At first glance, it appeared as though the Pokémon Go app asked for permissions to get full access to a user’s Google account, which could have enabled the app vendor to send and read the user’s email as well as see all of the user’s contact information. It’s a situation that Niantic, the lead developer of Pokémon Go, has admitted to and is now fixing.
“We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user’s Google account,” Niantic stated. “However, Pokémon Go only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected.”
Niantic now has a client-side fix in place to adjust the permissions request so as not to get access to more data than is needed. The company emphasized that Pokémon Go didn’t actually get more information than what was needed.
Niantic’s quick response to this issue is admirable, and it seems clear to me that this was just an oversight with no intention to violate user privacy. The whole permissions system that is used to connect to Google accounts to validate a user is, however, somewhat problematic. The authentication for Google accounts is granted by way of the OAuth protocol, which is commonly used across the modern Internet.
Security researcher Dan Guido took a look at how OAuth was implemented in Pokémon Go and found it to be somewhat lacking.
“The OAuth login flow fails to adequately describe what permissions are being requested and silently re-enables them after they’ve been revoked,” Guido wrote in a blog post. “Further, the available documentation fails to adequately describe what the token permissions mean to anyone trying to investigate them.”
Pokémon Go, of course, isn’t the only mobile app that makes use of Google accounts or OAuth to authenticate. I’ve had more than my share of concerns about many different applications, mobile and desktop, that implement OAuth in a way that appears to be risky to personal privacy. For example, there are lots of different chat room-type clients that first require an OAuth authorization using the user’s password, and sometimes those apps ask for more permissions than are needed.
As Guido points out, with Google, it’s a good idea to check what apps you’ve granted permission to with the Google Security Checkup. It’s also a good idea to make use of two-factor authentication.
Google isn’t the only OAuth provider that sometimes may be providing too much access. Facebook and Twitter can as well, so be sure to check out the applications you have authorized for those platforms too.
Whether you like Pokémon Go or not, one thing here is for sure: It has now raised the issue of app permissions to a new level.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.