Six Colors

by Jason Snell & Dan Moren

by Jason Snell

Pokémon Go gains full access to Google accounts

You can’t create an account for Pokémon Go because the servers are overwhelmed, so the easiest way to play is to log in with your Google account. The problem is, the app asks for complete access to all of your Google data, apparently bypassing even the standard Google permissions screen.

Adam Reeve:

Pokemon Go and Niantic can now:

  • Read all your email
  • Send email as you
  • Access all your Google Drive documents (including deleting them)
  • Look at your search history and your Maps navigation history
  • Access any private photos you may store in Google Photos
  • And a whole lot more

What’s more, given the use of email as an authentication mechanism (think “Forgot password” links) they now have a pretty good chance of gaining access to your accounts on other sites too.

And they have no need to do this – when a developer sets up the “Sign in with Google” functionality they specify what level of access they want – best practices (and simple logic) dictate you ask for the minimum you actually need, which is usually just simple contact information.

Swift on Security:

Not great. Go here if you want to revoke access to your account. iMore recommends setting up a burner account.

—Linked by Jason Snell
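
The point about requesting the minimum access can be checked mechanically by reading the `scope` parameter of a sign-in request. The following is an added example, not code from the linked post or from Niantic, and it does not reproduce what Pokémon Go actually sent: both sample URLs, the client ID and the redirect URI are constructed, and the two scope tables are a small, non-exhaustive selection of Google scopes.

```python
from urllib.parse import urlsplit, parse_qs

# Scopes that expose only sign-in identity (basic contact information).
MINIMAL_SCOPES = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

# A few well-known broad Google scopes and what they grant (not exhaustive).
BROAD_SCOPES = {
    "https://mail.google.com/": "read, send and delete all Gmail",
    "https://www.googleapis.com/auth/gmail.send": "send email as the user",
    "https://www.googleapis.com/auth/drive": "read, change and delete all Drive files",
}

def requested_scopes(auth_url):
    """Return the set of scopes in an OAuth 2.0 authorization URL."""
    query = parse_qs(urlsplit(auth_url).query)
    # 'scope' is one space-delimited parameter (RFC 6749, section 3.3).
    return set(" ".join(query.get("scope", [])).split())

def audit(auth_url):
    """Split requested scopes into minimal, known-broad and unrecognised."""
    scopes = requested_scopes(auth_url)
    report = {"minimal": [], "broad": {}, "review": []}
    for s in sorted(scopes):
        if s in MINIMAL_SCOPES:
            report["minimal"].append(s)
        elif s in BROAD_SCOPES:
            report["broad"][s] = BROAD_SCOPES[s]
        else:
            report["review"].append(s)  # unknown scope: needs a human look
    # Least privilege here means: some scope requested, none beyond identity.
    report["least_privilege"] = (
        bool(scopes) and not report["broad"] and not report["review"])
    return report

# Constructed sample requests (client_id and redirect_uri are placeholders).
BASE = ("https://accounts.google.com/o/oauth2/v2/auth?response_type=code"
        "&client_id=EXAMPLE_CLIENT_ID&redirect_uri=https%3A%2F%2Fapp.example%2Fcb")
SIGN_IN_ONLY = BASE + "&scope=openid%20email%20profile"
OVERBROAD = (BASE + "&scope=openid%20email%20https%3A%2F%2Fmail.google.com%2F"
             "%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive")

if __name__ == "__main__":
    for name, url in (("sign-in only", SIGN_IN_ONLY), ("over-broad", OVERBROAD)):
        print(name, audit(url))
```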
