Have you given Pokémon Go full access to everything in your Google account? | Pokémon Go | The Guardian

Gamers who downloaded the augmented reality game Pokémon Go were freaked out on Monday, after noticing that the app had apparently gained “full access” to their Google accounts.

Taken at face value, the permissions would have represented a significant security vulnerability, although it only seemed to affect players who signed up to play with their Google account on Apple devices.

The discovery sparked a wave of fear that playing the game could allow its developers, Niantic Labs, to read and send email, access, edit and delete documents on Google Drive and Google Photos, and access browsing histories and maps.


In fact, both Google and Niantic Labs claim that “full access” means nothing of the sort, a claim supported by independent security researchers.

The issue appears to be due to the fact that Niantic Labs uses an outdated version of Google’s shared login service. This approach is typically used by app developers to make registration faster and easier for players: it uses existing credentials stored on your phone so you don’t have to create another online account. Apps generally only require basic information such as your name, email, gender, and location, and this is clearly explained at the time of registration.

Used correctly, shared logins should ask the user what permissions they want to grant the app, and any permissions beyond the basic requirements are clearly highlighted. But it seems that because Niantic Labs used an unsupported and outdated version of the login process, that permission-granting step was skipped, causing Google to warn users by default that the app had “full access” to their accounts.


Slack security engineer Ari Rubenstein has confirmed that despite the misleading entry, only basic permissions are granted to the app. “‘Full account access’ is not the best wording, and should probably be changed by Google,” Rubenstein wrote. “My best guess of what’s going on is that one of the scopes is a ‘login’ scope inherited from OAuth1 which may be taking the UI to ‘full account access’ by default, when in fact it actually just has the above permissions.”

Rubenstein was unable to access users’ emails or calendars, two of the most personal types of data in most Google accounts, using the permissions granted to Niantic, suggesting that the episode really is the result of mislabeling.

There is nothing to suggest that Niantic Labs intentionally sought to gain access to users’ personal data, and the company quickly issued a statement saying that the information had not been accessed and that it was working with Google to fix misleading permissions. The company’s other augmented reality game, Ingress, only asks for basic user profile information.

“We recently discovered that the Pokémon Go account creation process on iOS mistakenly requests Full Access permission for the user’s Google account,” Niantic said. “However, Pokémon Go only accesses basic Google profile information (specifically, your user ID and email address) and no other Google account information has been accessed or collected.


“Once we became aware of this bug, we started working on a client-side solution to request permission for only basic Google profile information, in line with the data we actually access. Google has verified that Pokémon Go or Niantic have not received or accessed any other information. Google will soon reduce Pokémon Go’s permission to just the basic profile data it needs, and users don’t need to take any action themselves.”

It is not yet clear to what extent the blame for the scare should be shared between Google and Niantic. While it was Niantic’s decision to use an outdated login method for no apparent reason, it was Google, the much larger and more security-conscious company, that misrepresented the limited permissions granted as “full access.”

The scare is just one of the many ways the stratospheric rise of Pokémon Go has led the security community to become more focused. Security researchers at Proofpoint detected a malicious version of the Pokémon Go Android app that was infected with a remote access tool that gives attackers full control over a victim’s phone.

The malware has not yet reached the Google app store, but was discovered on an online file storage service and marketed to unsuspecting users as the original game. Since the game has not yet been released globally, some users have been downloading Pokémon Go from third parties, running the risk of infecting their devices with unofficial software.


“Rogue applications can be difficult to distinguish from real applications. It’s a really scary proposition and it’s getting progressively worse,” said Stephen McCarney of security firm Arxan Technologies.

Domingo Guerra, founder of the mobile application security company Appthority, agrees.

“It looks like it was done by mistake,” he said, warning users to reconsider downloading the game until the problem is fixed. “Once you grant access, you never know what a third party might do with your account,” he said.

Having access to your email account could allow a malicious attacker to change passwords on all sorts of services, including online banking, he warned.
