Pokémon Go has been all over my newsfeed today. I tried it over the weekend and found it oddly compelling – the mix of the real world, accentuated by the Pokémon world layered on top of it, makes me want to walk a few blocks to check out what’s there.
The app uses a common shortcut to identify users – logging in via Google. When you do this, you grant the app access to your Google account. Most apps ask for just the access they need; “basic access” is common, and it grants the app your name, email address, gender and country without giving it access to your files, photos, email, location history and all the other stuff that Google knows about your life.
Unfortunately, Pokémon Go wants “full access” to your account – that means it can access everything your Google account knows about you. While this is most likely just an oversight by Pokémon Go’s developers, even if they never do anything nefarious with this, we don’t know how they protect the token that grants them access to your account. If malicious third parties gain access to it (which, let’s face it, seems to happen at least several times a day with other web sites and apps) then they’ve got access to a whole lot of information that you’d like to keep private.
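As an added illustration (not code from the original post or from Pokémon Go), here is a small Python check that pulls the `scope` parameter out of a Google sign-in consent URL and flags anything beyond the basic profile scopes; the sample URLs, the `example-app` client id and the allowlist are constructed for this example.

```python
from __future__ import annotations
from urllib.parse import urlparse, parse_qs

# Scopes that correspond to the "basic access" described above (name, email,
# profile). These are real Google scope identifiers; treating exactly this set
# as "basic" is this example's own choice.
BASIC_SCOPES = {
    "openid",
    "email",
    "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

def requested_scopes(authorize_url: str) -> list[str]:
    """Return the scopes an app asks for in a Google OAuth authorization URL.

    Google carries the requested scopes as one space-separated `scope`
    query parameter; parse_qs URL-decodes it for us.
    """
    query = parse_qs(urlparse(authorize_url).query)
    raw = " ".join(query.get("scope", []))
    return [s for s in raw.split() if s]

def excessive_scopes(authorize_url: str) -> list[str]:
    """Scopes in the consent request that go beyond basic profile access."""
    return [s for s in requested_scopes(authorize_url) if s not in BASIC_SCOPES]

# Constructed sample consent URLs (not captured from any real app).
MINIMAL_REQUEST = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=example-app"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcb&response_type=code"
    "&scope=openid%20email%20profile"
)
BROAD_REQUEST = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=example-app"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcb&response_type=code"
    "&scope=openid%20email%20https%3A%2F%2Fmail.google.com%2F"
    "%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive"
)

if __name__ == "__main__":
    for label, url in (("minimal", MINIMAL_REQUEST), ("broad", BROAD_REQUEST)):
        extra = excessive_scopes(url)
        print(f"{label}: {'OK' if not extra else 'over-broad: ' + ', '.join(extra)}")
```

The same check works on the consent URL a browser or proxy shows during any "Sign in with Google" flow, so you can see what an app is about to be granted before you approve it.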
Google should be confirming the level of access you’re granting when you sign in with it – for some reason under iOS I didn’t see this happen when I signed up for Pokémon Go. That’s a huge fail. There’s quite a discussion of this going on in SecuriTAY’s Twitter feed right now.
So if you’re using Pokémon Go or know people who are, take a moment right now and disable its access using Google’s Security settings – Lifehacker has a detailed writeup on the whole issue if you’d like a hand with it. And encourage the Pokémon Go players in your life to do this too.