There’s no question that Pokémon Go has taken over the world in just a few short days. The app now has more users than Tinder, and single-handedly increased Nintendo’s market cap by $7.5 billion over the weekend.
But users have started turning on its creator, Niantic, after a blog post by a former Senior Engineering Manager at Tumblr which labelled Pokémon Go malware and a “huge security risk”.
Adam Reeve, who is now Principal Architect at Red Owl Analytics, said Pokémon Go is granted “full account access” to users’ Google accounts when they log on with Google on iOS, giving Niantic unprecedented, and frankly, terrifying, access to your account.
Pokémon Go does indeed request “full account access” from some iOS users, but that could mean almost anything in tech jargon. Here’s what Reeve claimed the app could do in his blog post:
Let me be clear - Pokemon Go and Niantic can now:
- Read all your email
- Send email as you
- Access all your Google drive documents (including deleting them)
- Look at your search history and your Maps navigation history
- Access any private photos you may store in Google Photos
- And a whole lot more
But in a call with Gizmodo, Reeve backtracked his claims, saying he wasn’t “100 percent sure” his blog post was true. On the call, Reeve also admitted that he had never built an application that uses Google account permissions, and had never tested the claims he makes in the post.
Cybersecurity expert and Trail of Bits CEO Dan Guido has also cast serious doubt on Reeve’s claim, saying Google tech support told him “full account access” does not mean a third party can read or send email, access your files, or do anything else Reeve claimed. It means Niantic can only read biographical information like email address and phone number.
Google tech support sent a statement to Guido, which he provided to Gizmodo:
In this case, we checked that the Full account access permission refers to most of the My account settings. Specific actions such as sending emails, modifying folders, etc., require explicit permissions to that service (the permission will say “Has access to Gmail”).
Guido says that based on his investigation, “a giant section of [Reeve’s] blog post might be wrong.”
Reeve told Gizmodo that he was inferring based on what Google says “full account access” means. It’s easy to understand how Reeve might have got the wrong idea:
Click on that “learn more” button and you’ll be guided to a website with the following confusing information:
When you grant full account access, the application can see and modify nearly all information in your Google Account (but it can’t change your password, delete your account, or pay with Google Wallet on your behalf).
Certain Google applications may be listed under full account access. For example, you might see that the Google Maps application you downloaded for your iPhone has full account access.
This “Full account access” privilege should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet.
If you’ve granted full account access to an app you don’t trust or recognize, we recommend that you revoke this permission by clicking the Revoke access button.
Google is the only entity that can clear up just what “full account access” means. The company has not responded to multiple requests for comment on the matter.
Update 7/11/2016 10:06PM EST: Niantic released a statement saying that “Pokémon GO only accesses basic Google profile information.” Here’s the full statement:
We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.
Update 7/12/16 7:57AM EST: Here’s even more confirmation that Pokémon Go never had the ability to access your Gmail or Calendar. A product security developer at Slack tested the token provided by Pokémon Go and found that it was never able to get data from services like Gmail or Calendar.
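The check described in that last update, trying the token against Gmail and Calendar, can be done more directly by asking Google which OAuth scopes the token actually carries. The snippet below is an added example and is not the Slack developer’s test, Gizmodo’s code, or anything from Niantic or Google. It assumes the shape of the response from Google’s tokeninfo endpoint (a JSON object whose `scope` field is a space-separated list of scope identifiers), uses Google’s real scope strings, and groups them into families (profile, gmail, calendar, drive, other) that are this example’s own convention. The sample responses are constructed; every value in them is invented.

```python
"""Classify the scopes attached to a Google OAuth access token.

Added example: the scope families and sample responses are this example's own
assumptions, not data from the article.
"""
import json
import urllib.parse
import urllib.request

# Google's public token introspection endpoint. Only fetch_tokeninfo() talks to
# the network; everything else here runs offline on a tokeninfo-shaped dict.
TOKENINFO_URL = "https://oauth2.googleapis.com/tokeninfo"

# Scopes that grant nothing beyond basic identity data (exact matches).
EXACT_PROFILE_SCOPES = {
    "openid",
    "email",
    "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

# Families of scopes that reach user content, matched by prefix. The scope
# strings are Google's; the grouping is an assumption of this example.
PREFIX_FAMILIES = {
    "gmail": ("https://www.googleapis.com/auth/gmail.", "https://mail.google.com/"),
    "calendar": ("https://www.googleapis.com/auth/calendar",),
    "drive": ("https://www.googleapis.com/auth/drive",),
}
FAMILIES = ("profile",) + tuple(PREFIX_FAMILIES) + ("other",)


def classify_scopes(tokeninfo):
    """Group the space-separated 'scope' field of a tokeninfo response by family."""
    groups = {family: [] for family in FAMILIES}
    for scope in tokeninfo.get("scope", "").split():
        if scope in EXACT_PROFILE_SCOPES:
            groups["profile"].append(scope)
            continue
        for family, prefixes in PREFIX_FAMILIES.items():
            if scope.startswith(prefixes):
                groups[family].append(scope)
                break
        else:
            # Anything we do not recognise is reported rather than ignored.
            groups["other"].append(scope)
    return groups


def summarize(tokeninfo):
    """Map each family to True if the token carries at least one scope in it."""
    return {family: bool(scopes) for family, scopes in classify_scopes(tokeninfo).items()}


def is_profile_only(tokeninfo):
    """True when the token can reach nothing beyond basic profile data."""
    flags = summarize(tokeninfo)
    return flags["profile"] and not any(v for k, v in flags.items() if k != "profile")


def fetch_tokeninfo(access_token, timeout=10):
    """Live lookup: ask Google's tokeninfo endpoint what an access token is scoped to."""
    query = urllib.parse.urlencode({"access_token": access_token})
    with urllib.request.urlopen(f"{TOKENINFO_URL}?{query}", timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample responses in tokeninfo's shape; every value is invented.
SAMPLE_PROFILE_ONLY = {
    "azp": "example-client.apps.googleusercontent.com",
    "scope": "openid https://www.googleapis.com/auth/userinfo.email "
             "https://www.googleapis.com/auth/userinfo.profile",
    "expires_in": "3599",
    "email": "player@example.com",
}
SAMPLE_BROAD = {
    "azp": "example-client.apps.googleusercontent.com",
    "scope": "openid https://www.googleapis.com/auth/gmail.readonly "
             "https://www.googleapis.com/auth/calendar.readonly "
             "https://www.googleapis.com/auth/drive "
             "https://www.googleapis.com/auth/contacts.readonly",
    "expires_in": "3599",
}

if __name__ == "__main__":
    for name, info in (("profile-only", SAMPLE_PROFILE_ONLY), ("broad", SAMPLE_BROAD)):
        print(name, summarize(info), "profile only:", is_profile_only(info))
```

To check a real token, pass the result of `fetch_tokeninfo(token)` to `is_profile_only`; the endpoint answers with an HTTP 400 for an expired or malformed token, which `urlopen` raises as an `HTTPError`. The point of the "other" family is that an unfamiliar scope should show up in the report rather than silently count as harmless.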