The massively popular Pokémon Go game, released just a few days ago, obtains full access to a Google account when it’s chosen as an authentication option while setting up the app in iOS. Android is unaffected. While the iOS app also allows using a Pokémon Trainer Club account, the option to create a new club account is unavailable at this writing, apparently due to system overload.
Adam Reeve, a principal architect at analytics firm Red Owl, posted a warning on his personal blog on Friday about this Google account issue. Most apps request a minimum amount of account access (or “basic profile information,” as Google terms it) to provide a link, partly because of frequent blowback from users, pundits, and sometimes regulators when apps ask for too much.
In confirming Reeve’s report in iOS through testing, when the Google account option is selected, the app presents a standard Google in-app login, including requiring a second factor if that’s enabled. However, neither the app nor Google’s login process discloses that the app gains full access. Visiting a Google account’s Connected Apps & Sites link reveals the app’s access status. (In Android, authentication happens without granting access, confirmed in testing and with several Android users. Only local permissions for contacts, camera, and other features are granted, with separate prompts for each.)
Why this could be troubling
Full access allows an app or website to act effectively as if it were the account owner, including access to email, contacts, and Google Drive files. Full access isn’t inherently a security flaw, but it does open Niantic’s users to risk should its systems be compromised either by an internal or external party. And it gives the company a rope by which it could hang itself, if it should choose to exercise this high level of access, such as sending Gmail on behalf of users.
The risk from attack comes from how the Google account linkage works. With a locally managed account system, like the Trainer Club, an account database contains a mix of unencrypted entries for elements like a user’s account name and email address, and encrypted entries for passwords. With good cryptographic system design, even should an attacker obtain an entire database, the passwords can’t be extracted, even with enormous effort. (Weak systems allow brute-force attacks.)
However, apps and sites that use accounts for authentication run by other sites—like Google, Twitter, and Facebook—don’t store a password, encrypted or otherwise, for that third-party site. Rather, after a user logs into the third-party site and the account is verified, a developer receives a token, just a short piece of unique text, that’s stored and used to handle interaction.
An attacker need only obtain that token to make use of the linked account, whether posting messages on Twitter or reading email on Google.
As Reeve notes, access to email alone can be the thin edge of a wedge to hijack someone’s identity and accounts at multiple sites. Many people use Gmail as their primary or secondary email address, and so other sites would send password-recovery emails to that Gmail account. An attacker with email addresses and tokens could try to reset passwords at popular sites at which it’s likely Pokémon Go users had accounts, and then take over those related accounts.
We’ve contacted Google and the game’s developer and system operator, Niantic, for comment, and will update this story when new information arises. (Niantic was once owned by Google, and was spun off as a freestanding company in October 2015 with investment from Google, the Pokémon Company, and Nintendo, which owns a third of the Pokémon Company.