"Normally you’d see a little message saying what data the app is going to be able to access - something like “This app will be able to view your email address and name”. For some reason that’s not shown in this case"
I was not asked. I put in my username, password, 2FA, and that was it. No permissions dialog - I certainly wouldn't have given it admin rights to my Google Account.
Not really. There is absolutely no reason for a game, or pretty much any other kind of software, apart from maybe an operating system, to have full access to your Google account. It adds a new single point of failure for everything somewhere you have no control over – I don't think "huge security risk" is unnecessary editorial in this case.
I fond of e-sport. So it’s interesting for me to test new game. Pokemon go stole the scene at a grate pace. But this game is a really risky for cybersecurity. Maybe we don’t need such program.
Just chiming in that I am another person (using a OnePlus One with cyanogenmod) that does not even see pokemon go in my "Apps Connected to your Account".
on iPhone 6s, checked and saw it had full access. I revoked access and opened the app up. It was stuck loading so I logged out and back in. Went back to check app permissions on google and it had full access again.
Yes. I'm not sure if I need to re-log in the app or not though. Maybe if it didn't freeze and I didn't have to re-log then it might have left the access revoked. But it seems that once I re-log the full access goes back into effect.
ditto. Recent android phone. This worries me almost as much as the full access issue, cause I definitely signed it to my google account via the app yesterday.
Any idea how long the signup page is down? I made my account yesterday and, when forced between using my google auth and making some pokemon.com account, it was a no brainer to not use my google account. It took me a few tries but since this is a game and not something in the realm of life-and-death, I found it wasn't horrible to actually wait. And try again.
The entire issue is predicated on using your google account credentials which isn't really mandatory. Maybe I'm overly cautious but I don't use my google account to auth anywhere. If that's the only option, and it's not a google product.. then it looks like I'm not using that service.
But, again, I made an account yesterday. <24h ago. So, is it _actually_ offline, or are people hitting the friendly little google button instead of just waiting? If it's the latter, then while I don't disagree about the gravity of requiring "All Perms" for a stupid game, I kind of feel like people deserve whatever happens for their impatience.
Don't just throw around account access, no matter how pervasive, in the name of impatience. Ever.
The game never asks for access, it's not clear in any way how much information you're giving them.
In the past I've tried to use Google to sign in to some games and been given a screen that I noped out of because of what it was asking for. That didn't happen here. I assumed they only got my email address (if that), not full email/contact/calendar history.
I checked my Google permissions. iOS has a fair amount, Mac OS X has a fair amount, Pokémon GO has more than both put together. Without asking. That's crazy.
And just like that I will never sign in with Google anywhere ever again. I just assumed that an app couldn't grant itself full permissions without notifying me, but now I can see why that might not be the case since they are free to present whatever UI they want in app.
In my dream world Google would revoke Niantic's API access forever in order to make an example out of them. Maybe, eventually, if they can prove that they didn't hoover up all the information they had access to they can be unbanned after a year.
Unlikely though considering they used to be a part of Google.
This issue only affects apps though. When granting OAuth permission via the web, you are actually redirected to google's website, and then afterwards redirected back to the site you were on.
Which probably isn't very helpful, as lots of users won't notice whether they are using a browser or not.
Does anybody know how Pokemon Go ends up interacting with accounts that have 2 factor authentication turned on? I sure wouldn't type my main password into some app, I'd at least use an app password:
The other day someone's web app I clicked on, and it automagically signed me in with Google and added itself to my connected apps. Cloudcraft.co, I think it was. When I hit their signup link, it auto-signed in with Google without me even clicking their Google button.
After I disconnected it, it didn't behave that way a second time. So I am kinda mystified what happened there. But it was pretty strange.
I am very hesitant to accuse the app of doing something intentionally shady like that. I don't really :know: what happened, and I couldn't replicate it myself after removing the app from my account and visiting it again.
> I just assumed that an app couldn't grant itself full permissions without notifying me, but now I can see why that might not be the case since they are free to present whatever UI they want in app.
Is that the case? Doesn't this still require going through the standard prompts?
Anecdote: On Android 6.0 the Pokemon Go game requested 4 permissions on first launch. Account, Camera, Storage, and one other I believe. I had to individually approve each one.
This is a fundamental security issue due to a combination of the OAuth protocol and UIWebView (and whatever the Android equivalent is), which I've posted about before [0]. Basically, the problem is that OAuth depends on web-based access granting, but an app has full permissions over the DOM of the WebView where the OAuth screen is. So you're entering your password into a WebView of a third party URL, but unlike a traditional safari page, the WebView is fully "owned" by the app, so the developers can inject arbitrary code into the DOM of the third party website.
There is no technical limitation to an app engaging in very nefarious activity. For example an app could modify the DOM on the sign-in screen to grab your password after you enter it. Of course the accountability of MITM and security reviews might mitigate this risk, but passwords are generally only a few bytes and could easily be obfuscated and passed surreptitiously over the wire.
I've seen a (quite popular) app implement this for facebook invitations, which should only have a limit of 50 friends, to secretly (in the background, without any action on your behalf other than logging in, or perhaps pressing a "continue" button) invite every one of your friends to download the app. Since facebook does not notify you when you send an inviation, you would not even know the app did this unless one of your friends who you invited asked you about it.
It's because the app has access to and control over the DOM of the UIWebView. Suppose some app called EvilGameFoo is asking you to authenticate with your Google account. They should kick you to a UI controlled by Google, which EvilGameFoo cannot in any way inspect or access, where you enter your credentials. Google then tells EvilGameFoo that they can vouch for you. Instead, UIWebView lets the app asking you to sign in via an identity provider inspect the DOM of the UK where you enter your credentials. Hence it lets EvilGameFoo read your password.
How are you supposed to know that it is actually a UI controlled by google and not a simulation of a UI controlled by google?
The OAuth model not only enables phishing directly even worse than that, it disarms people's natural skepticism towards phishing attempts. Its adoption was a terrible idea.
Well, on the web you're generally following redirects to a URL. You can verify the owner and authenticity of the host. (A phone app could kick you out to a browser app (not a web view) to authenticate.) Then after you've signed in and granted permission on, say, Google, Google will redirect you to a URL that the other app configured with Google. On a phone that URL should have a host or protocol that the app has registered with so your phone's OS will kick you back to the app after you signed in on the web browser.
Of course, you're absolutely right that it would be trivial to spoof, say, Google or Facebook or Twitter and collect credentials. I would _hope_ that behavior would be detected by Apple or Google during app security screening, but maybe not. Regardless, I totally agree with you about OAuth and security. It does present a lot of problems.
Google could send you a confirmation email which is the second factor in this oauth flow. It makes it more annoying, but more secure. It's always a trade off I guess.
Right, but what if they didn't use the UIWebView tactic and instead used custom chrome to submit the data. Couldn't they just tap it at that level?
Outside of the Android model where it does the auth for you upon request and only hands the app a token, I don't really see how you don't open yourself to this attack.
iOS really doesn't provide a way for other vendors in an inner ring of consumer trust and power to deal with this. While I'm not a fan of the decision to give full access to Pokemon Go, I didn't find it surprising that it did so on iOS and I had to make a conscious decision to "trust" Pokemon Go as part of the process.
Oh yeah, for sure, there are plenty of other ways a nefarious app could scrape a user's credentials during OAuth on iOS.
If UIWebView didn't allow the app access to the DOM then it wouldn't be possible this way. But,of course, the user has no way to know how the UI is implemented.
Elsewhere in the thread it is alleged that this is a bug (or misbehaviour) with Google's iOS authentication library. It's possible that Niantic is not requesting any permissions and the library defaults that to 'full access' and not 'no access'.
> In my dream world Google would revoke Niantic's API access forever in order to make an example out of them. Maybe, eventually, if they can prove that they didn't hoover up all the information they had access to they can be unbanned after a year.
I'm really glad you're not making that decision then. Banning some company based on their use of public, legal APIs would be an absolutely toxic decision for Google's platform.
It's Google's fault for allowing this kind of access with no notification (yes, the fault here might lie somewhere in OAuth, but there's plenty that Google could do to make this less serious). Don't blame people for leveraging options at their disposal.
"[T]his section of the privacy page on the Google account settings website is only showing up for those that have played on iOS and signed in using the Google button. Android users who used the same login method are not seeing the “Pokemon Go Release” at all on the permissions site (nor do they see Ingress), so we’re not sure yet if those users have trusted Niantic with their entire Google account as well." source: http://9to5google.com/2016/07/11/psa-pokemon-go-full-access-...
Yeah it's not showing anything in my google app permissions. I assume it signed in using google play services (it was automatic, I never selected anything), and that's where the in app purchases seem to go.
Yep, though they also soon after made a further investment in Niantic. It may sound bizarre at first, but there might be good reasons why they did that. For instance, Nintendo might've been less likely to team up with a wholly Google-owned Niantic. (purely speculation on my part)
more like google wants 2 layers of protection from the inevitable lawsuits from stalking victims and families of car crash victims caused by ingress or go.
I strongly suspect a direct Google/Nintendo tie was considered less favorable than some little ex-Google company that still uses Google servers working on a Nintendo game. The announcement timing was pretty close.
> So now Google has access to our Google data? Don't see the issue.
Even if they were still owned by Google, a compromised phone with Pokemon Go has a nice juicy access token with admin rights to your account to siphon off.
Having been created by ex-Googlers you would think they knowingly chose to get full-access permissions. I wonder if there is a some ulterior motive to the app. Some have suggested up-to-date street-view mining; that wouldn't require full google account access though.
Isn't Niantic actually affiliated with (part of?) Google in some way? So it would seem natural, if odd, that it doesn't ask for full permissions for the account is actually already has full permissions to. In the same way google docs doesn't ask, but gets, full permissions to your google account, or google+ doesn't ask, but gets, full permissions to your google account.
Well then that is a strange security lapse on Google's part. A spin-off company that had internal high-level access privileges, is spun off, and can still retains those high-level access privileges? That seems like a mistake somewhere.
I don't know the android ecosystem well. Can any random app ask for and be granted full access without informing the user of that elevated access request?
I tend to trust easy to revoke, well tried auth mechanisms over someone's home-grown version—especially judging by e.g. playstation network's terrible history. I simply don't trust Nintendo to not require me to reset my password with a breach, and I'm lazy as hell.
Yikes, I had no idea who Monte Davidoff was. I've actually read his floating point routines! This is embarrassing; I wish I could edit my other post still.
Anyway, my point stands—Bill started as a coder, good enough to code on the pdp-11(?); Steve never was one.
Who uses their "main" Google account for these one off services anyway? I can't imagine it would be too popular to keep pseudo-anonymity. you don't want to post lol cats from the same account you use to send your resume, I would think.
Is that a rhetorical question? Probably 99% of people playing this game who sign in using Google use their main (only) Google account. I'm sure it never even occurred to them to make a second one for something like this -- that would just be a hassle.
Here I thought the article was going to be on how Pokemon Go encourages people to wonder into dangerous or restricted areas while paying attention to their phone. The odds of someone getting attacked in a rough area would seem to go up with such an app given how critical situational awareness is. I don't know enough about how the app works to assess that, though.
One app that got me thinking about these things was Google Maps. I noticed it directed me through The Hood of a murder capital to save 3 minutes on a route. An area where people are known to surround cars or level guns on their owners. I had to wonder how much more risk like this is in any GPS-enabled app that sends you from point A to B.
Just look up top 10 cities or metro areas for violent crime. Memphis Metro Area, in and around Memphis TN, is one of them on most years. We have lots of good areas and things going on with the worst stuff mainly in impoverished, minority areas. Lots of street gangs that maintain efficiency and image with armed robbery, murder to solve disputes, and/or initiation by murder of innocent, harmless people. Impoverished, white areas are fairly safe with their crooks mainly doing property crime or con jobs. Rarely violent. Most impoverished areas I've been have a mix, though. Middle-class and upper-class areas are also fairly safe outside property crime regardless of mix. Last I checked, city was going mostly Black with lots of Latinos coming in and Whites moving out due to crime. Actually, exits from all races for that. Often outside of Memphis but having jobs inside it. Economy & education keep going downhill predictably. Many companies refuse to deliver to certain areas or leave the city since theft overtakes profits quickly. Many make it, though, with beefed up security. Local grocer has 8 security guards for one store. Police themselves guard best, Chinese, food place. Haha.
That's backdrop. Relevant here, North and South Memphis are largely the worst in terms of violence. You do not want to be in certain neighborhoods regardless of color. Even cops avoid them. Others are a risk more if you're white or look like you have property to take. Local media & cops suppress the worst of it to maintain tourism revenue (eg Elvis, BBQ) although the murders naturally get reported. Examples of censorship were kicking out The First 48 show and rape kit scandal. That Google Maps takes you right near those areas is probably why lots of people think the whole city is hood and trashed rather than just those parts. They never see the good parts unless specifically visiting them family, friends, jobs, or tourism.
So, yeah, it's a real issue. I double-check Google Maps if I'm going anywhere Downtown, Midtown, North, or South as it doesn't differentiate risky vs non-risky areas. I regularly have to force it to make safer routes. Straight-up avoid certain areas of the city unless I'm packing heat & with backup. Otherwise, still all kinds of good things to get involved in over there with most folks being alright. We just in a rough area and economy. :)
Note: As another example, BLM protestors sieged our Interstate (I-40) last night for hours then dispersed into Downtown. Local news cautioned everyone to stay away from that area for safety as it's normally dangerous but now unpredictable. Bad route at the least. Google routes still offering me a speedy trip through there, though. Unreal.
There was a lot of controversy previously about mapping applications having "Avoid" areas. They were basically neighborhoods with high crime rates which also happened to be neighborhoods with high minority populations. Small business owners/home owners didn't like being grouped as "avoid" when they didn't have any real control over it. Or something like that.
A prior comment related to Amazon Prime's apparent discrimination. I pointed out that Prime was avoiding crime not minorities. Local drivers, which Amazon outsources to, confirmed it for me personally in an unofficial sense where they agreed & personally wouldn't deliver to those areas.
So, it's a recurring theme but the crime angle is usually downplayed by left-leaning media. I agree with Microsoft's approach but I urge companies focus on crime statistics. There are many areas that are white and have tons of violent crime. Many areas are black with little violent crime. It needs to be about avoiding violent areas rather than minority areas specifically.
I detected that immediately when I signed up with google at first. No double-checking what I was ok with sharing with the company. Had to remove their permission from my account settings right away. Signed up with their email/password system, much better.
uh... genius... niantic IS google. they can already read all your email. they already have full access. they have more access than you've ever had or could ever grant to anyone else.
Caveat: I've seen a number of players state or imply that playing this game has been the first decent exercise they've had in years. Lack of exercise is a far greater threat to your well-being than having your Google account hacked, so if that's what it takes, go ahead and play the game anyway.
> Lack of exercise is a far greater threat to your well-being than having your Google account hacked...
This is by no means universally true. Plenty of people get enough exercise outside of the app, and plenty of people have Google accounts for which compromise could be very significant.
It should at the very least be disclosed in the OAuth flow that I'm giving away admin rights to the app. Facebook's flow won't even let me give away my email address without an explicit decision to do so. The current silent-but-deadly flow is inexcusably risky.
Pokemon Go, like most apps, is likely just a fad. In a few months, only a few thousand die hards will still be playing it. But the full access permissions will still be there.
Point. If you use a lot of things that require access permissions, maybe it should be part of your spring cleaning or some such to look through what you've given permission for, and cancel anything you haven't used in the last six months or whatever.
You should try the Go game. It may have some lasting power I haven't seen yet, but its not the normal Pokemon game by any stretch. The core gameplay is actually pretty boring once you've done it for a little while (i.e. once the initial euphoria of catching things wears off).
Oh I have been playing and while it is far inferior to the core Pokemon gameplay, I have met over 30 new people because of this game in less than a week. People who I've never talked to at work, I am now talking to.
I have honestly never used an app that has brought me closer together to the people around me. I don't see this being a fad.
But isn't that what the app needs from your phone? I always thought that was difference then what you are giving an app permission to do when using OAuth
On Android they're able to use the OS APIs to access that information because the google account is closely tied to the OS so the permissions there are basically permissions to the phone data because with Android they're pretty much one and the same.
"Pokemon Go Release" has "full access" and yet "Ingress" (a game very similar to Pokemon Go from the same company) only has "basic account info". I removed the access and when I started the app, it crashed right away. (I'm on iOS, by the way.) Subsequent launch I'm stuck on the "LOADING..." screen, and then it says "Failed to get player information from the server." I hope the servers are just down and I didn't lock myself out. (Or maybe I should be glad until this fix this breach.) Edit: Deleting the app and reinstalling allowed me to log in again.
It appears to be the iOS version only that's doing this, according to this article:
When I checked this morning Ingress also had full perms. I revoked and reconnected and Ingress only had basic account info. I was also queried appropriately.
Possibly this was fixed on Ingress sometime in the last X months but not on Pokemon Go.
This seems like a massive security fail on Google's part. There's no reason the OAuth flow should be able to request admin privileges silently. As a user, I really must get a prompt asking me (and warning me!).
That's due to a Clinton era law Children's Online Privacy Protection Act of 1998 (COPPA). It forbids companies form collecting personal info from children under 13 without their parents permission.
What's funny is that nobody seems to provide a workflow to actually create accounts for kids. I want to set up a supervised google account for my son for hangouts et al... and I have no idea how. I guess that's not a thing.
Haha, I remember getting this signed and then faxed by my dad when I was like 11. Funny seeing it here because I first learned HTML from Neopets (anyone else?). HTML brought me to javascript and computer programming in general. 15 years later, that form is still up and I guess kids are still playing Neopets. And now I am here, weird.
Yes, so if the age is under 13 the "Google" option to signup is disabled. So you are forced to use the "Pokemon Trainer" account which I know nothing about.
That's their stated policy, but we've previously been able to get an under-13 child account though support by verifying parental consent, which is all COPPA requires in the U.S.
Kids know they have to lie about their age online to get access to anything worth having. My 9-year-old has been doing it as long as she's been allowed to use the internet.
I have no comment as to whether this is a violation or not; I know nothing about Pokemon Go. I'm just pointing out there is already extensive regulation here.
Right, I meant I hoped they'd actually do some saber rattling or action.
When you first sign up you have to enter your age, I don't know if there is a minimum age for the game. As an adult I'm old enough to get through that prompt.
I checked that page already. I can only speak for myself but for me it has no listing on the Google Permissions page so it looks like it does permissions correctly to me.
If google auth as a platform grants full access to your google account without any sort of confirmation, isn't that the security risk? Whether or not it's intentional or malicious on the part of Niantic, that seems like the real problem here.
Yes! I did notice there wasn't a "This app will have access to…" screen when I signed up (I've never seen that before), but that just made me assume they were asking for like the absolute minimal permissions possible or something.
"[random game on a whim] has Full Access to your Google Account" is scary
Yeah, I agree. I strongly suspect that the scope of permissions requests was an oversight (e.g. Just ask for everything now, we'll pair it down once we know what data we need). Additionally, while I don't like the idea of having Niantic having access to my entire Google account, let's remember that Niantic started as a Google company, and is now under the Alphabet umbrella, so have a vested interest in keeping things on the up-and-up. Lastly, Nintendo is up 35% thanks to this game (about $7B), and I strongly doubt that there is anything they could gain from scraping/abusing these Google accounts that would come even close to that type of impact. My money is on "bad development process and oversight", and this is just one of many rough edges that I've already noticed in the software.
> I strongly doubt that there is anything they could gain from scraping/abusing these Google accounts that would come even close to that type of impact.
I'd have said the same about VW's emissions cheating scandal before it broke.
To my knowledge, this is known bug in iOS that the Google auth grant inadvertently gives all permissions. You'll note that other users below report this only happening on iOS and not Android which shifts the risk away from Niantic/ Pokemon Go and towards Google itself, as you've mentioned.
Yeah, I had no idea when I signed into Pokemon Go with my Google account that it was doing anything scary. I didn't even consider it would be granting full access to my account. It's almost like Google treats that as the default case, and it's an exception that they style differently when the app requests a particular scope to limit its access.
I've yet to try that, but I can. I'll report back in a few. Having trouble logging into my iPod... will see if I can get my coworker to remove it from his older device.
This was the case on an android phone using Google login. His nexus 6X was on a beta build so he was unable to install the app. He started playing the game on an older device while he downgraded his 6X. After it was complete, he logged into his 6X using his google credentials and it prompted him to start over.
268 comments
[ 4.7 ms ] story [ 250 ms ] thread"Normally you’d see a little message saying what data the app is going to be able to access - something like “This app will be able to view your email address and name”. For some reason that’s not shown in this case"
The title could still be more neutral/explanatory, though.
I am running on a Nexus 6 and signed in with my Google Account when I first launched the app.
Try revoking access and see what happens. Worst case, it might ask you to sign in again.
https://dl.dropbox.com/s/bgii07rzoddj504/Screenshot%202016-0...
Screen: http://imgur.com/YX9K8Ds
The entire issue is predicated on using your google account credentials which isn't really mandatory. Maybe I'm overly cautious but I don't use my google account to auth anywhere. If that's the only option, and it's not a google product.. then it looks like I'm not using that service.
Don't just throw around account access, no matter how pervasive, in the name of impatience. Ever.
In the past I've tried to use Google to sign in to some games and been given a screen that I noped out of because of what it was asking for. That didn't happen here. I assumed they only got my email address (if that), not full email/contact/calendar history.
I checked my Google permissions. iOS has a fair amount, Mac OS X has a fair amount, Pokémon GO has more than both put together. Without asking. That's crazy.
In my dream world Google would revoke Niantic's API access forever in order to make an example out of them. Maybe, eventually, if they can prove that they didn't hoover up all the information they had access to they can be unbanned after a year.
Unlikely though considering they used to be a part of Google.
https://developers.google.com/identity/protocols/OAuth2Insta...
Which probably isn't very helpful, as lots of users won't notice whether they are using a browser or not.
Does anybody know how Pokemon Go ends up interacting with accounts that have 2 factor authentication turned on? I sure wouldn't type my main password into some app, I'd at least use an app password:
https://support.google.com/accounts/answer/185833?hl=en
After I disconnected it, it didn't behave that way a second time. So I am kinda mystified what happened there. But it was pretty strange.
Is that the case? Doesn't this still require going through the standard prompts?
"Pokemon Go Release - Has full access to your Google account"
Revoking access now. Glad I read HN!
There is no technical limitation to an app engaging in very nefarious activity. For example an app could modify the DOM on the sign-in screen to grab your password after you enter it. Of course the accountability of MITM and security reviews might mitigate this risk, but passwords are generally only a few bytes and could easily be obfuscated and passed surreptitiously over the wire.
I've seen a (quite popular) app implement this for facebook invitations, which should only have a limit of 50 friends, to secretly (in the background, without any action on your behalf other than logging in, or perhaps pressing a "continue" button) invite every one of your friends to download the app. Since facebook does not notify you when you send an inviation, you would not even know the app did this unless one of your friends who you invited asked you about it.
[0] https://news.ycombinator.com/item?id=11637209 (thanks molecule)
The comment's timestamp is a link.
Uh, seriously? I just suggested to our mobile team to integrate this way on Android (I implemented the OAuth 2 server).
I would've made the same suggestion to a 3rd party app vendor when the day comes.
I'm curious how exactly this is specific to the UIWebView implementation.
The OAuth model not only enables phishing directly even worse than that, it disarms people's natural skepticism towards phishing attempts. Its adoption was a terrible idea.
Of course, you're absolutely right that it would be trivial to spoof, say, Google or Facebook or Twitter and collect credentials. I would _hope_ that behavior would be detected by Apple or Google during app security screening, but maybe not. Regardless, I totally agree with you about OAuth and security. It does present a lot of problems.
I have a certificate signed by Symantec guaranteeing that it's authentic!
Outside of the Android model where it does the auth for you upon request and only hands the app a token, I don't really see how you don't open yourself to this attack.
iOS really doesn't provide a way for other vendors in an inner ring of consumer trust and power to deal with this. While I'm not a fan of the decision to give full access to Pokemon Go, I didn't find it surprising that it did so on iOS and I had to make a conscious decision to "trust" Pokemon Go as part of the process.
If UIWebView didn't allow the app access to the DOM then it wouldn't be possible this way. But,of course, the user has no way to know how the UI is implemented.
Some providers (e.g. Fitbit) require you use this instead of UIWebView in order to access their API, presumably to avoid accessing the DOM.
Not sure exactly how they are enforcing this though, since they don't provide their own OAuth library.
I've yet to see it confirmed, though.
I'm really glad you're not making that decision then. Banning some company based on their use of public, legal APIs would be an absolutely toxic decision for Google's platform.
It's Google's fault for allowing this kind of access with no notification (yes, the fault here might lie somewhere in OAuth, but there's plenty that Google could do to make this less serious). Don't blame people for leveraging options at their disposal.
This is interesting, I can't test this myself as I have previously played Ingress on both iPhone and Android.
My Android device is mostly for development/testing, so I'm not nearly as regular a user of the platform as I am for iOS.
Could any Android users comment on if this is normal to not see Android apps like Ingress on this authorization list?
https://nianticlabs.com/blog/niantic-tpc-nintendo/
2. The security risk isn't that Niantic is going to turn evil, it's that Niantic becomes an access point for other (evil) hackers.
Even if they were still owned by Google, a compromised phone with Pokemon Go has a nice juicy access token with admin rights to your account to siphon off.
What are you talking about?
It's developer laziness.
The security policies for that sign-in system are not as granular as Android's security policies.
Normally an app would request permissions at run-time or install-time.
Why not just create a separate google account if one's so eager to play?
Anyway, my point stands—Bill started as a coder, good enough to code on the pdp-11(?); Steve never was one.
One app that got me thinking about these things was Google Maps. I noticed it directed me through The Hood of a murder capital to save 3 minutes on a route. An area where people are known to surround cars or level guns on their owners. I had to wonder how much more risk like this is in any GPS-enabled app that sends you from point A to B.
That's backdrop. Relevant here, North and South Memphis are largely the worst in terms of violence. You do not want to be in certain neighborhoods regardless of color. Even cops avoid them. Others are a risk more if you're white or look like you have property to take. Local media & cops suppress the worst of it to maintain tourism revenue (eg Elvis, BBQ) although the murders naturally get reported. Examples of censorship were kicking out The First 48 show and rape kit scandal. That Google Maps takes you right near those areas is probably why lots of people think the whole city is hood and trashed rather than just those parts. They never see the good parts unless specifically visiting them family, friends, jobs, or tourism.
So, yeah, it's a real issue. I double-check Google Maps if I'm going anywhere Downtown, Midtown, North, or South as it doesn't differentiate risky vs non-risky areas. I regularly have to force it to make safer routes. Straight-up avoid certain areas of the city unless I'm packing heat & with backup. Otherwise, still all kinds of good things to get involved in over there with most folks being alright. We just in a rough area and economy. :)
Note: As another example, BLM protestors sieged our Interstate (I-40) last night for hours then dispersed into Downtown. Local news cautioned everyone to stay away from that area for safety as it's normally dangerous but now unpredictable. Bad route at the least. Google routes still offering me a speedy trip through there, though. Unreal.
[0] http://www.npr.org/2012/01/25/145337346/this-app-was-made-fo... [1] www.citylab.com/tech/2012/01/gps-smartphones-and-dumbing-down-personal-navigation/1036/
https://news.ycombinator.com/item?id=12073592
A prior comment related to Amazon Prime's apparent discrimination. I pointed out that Prime was avoiding crime not minorities. Local drivers, which Amazon outsources to, confirmed it for me personally in an unofficial sense where they agreed & personally wouldn't deliver to those areas.
https://news.ycombinator.com/item?id=11545009
So, it's a recurring theme but the crime angle is usually downplayed by left-leaning media. I agree with Microsoft's approach but I urge companies focus on crime statistics. There are many areas that are white and have tons of violent crime. Many areas are black with little violent crime. It needs to be about avoiding violent areas rather than minority areas specifically.
adam reeve is an idiot.
This is by no means universally true. Plenty of people get enough exercise outside of the app, and plenty of people have Google accounts for which compromise could be very significant.
It should at the very least be disclosed in the OAuth flow that I'm giving away admin rights to the app. Facebook's flow won't even let me give away my email address without an explicit decision to do so. The current silent-but-deadly flow is inexcusably risky.
What is wrong with you?
I have honestly never used an app that has brought me closer together to the people around me. I don't see this being a fad.
It appears to be the iOS version only that's doing this, according to this article:
http://9to5google.com/2016/07/11/psa-pokemon-go-full-access-...
Possibly this was fixed on Ingress sometime in the last X months but not on Pokemon Go.
When something is free to play, and involves you walking around with geo services and a camera on, you and your data are the product.
This is just massive data collection disguised as a video game.
No one signed up to let Niantic read their email in exchange for free items.
Especially parents.
Pokemon Go can collect the bunches of the data it wants without having admin-level access to their users' Google accounts.
How is it possible that signing in didn't inform me what permissions I was granting? I didn't think I was giving anything except my email address.
https://support.google.com/accounts/answer/1350409?hl=en
http://www.neopets.com/coppa/consentform.phtml
Google doesn't care because it takes more effort for them to obey by the law than its worth for them at this time.
Why?
I have no comment as to whether this is a violation or not; I know nothing about Pokemon Go. I'm just pointing out there is already extensive regulation here.
When you first sign up you have to enter your age, I don't know if there is a minimum age for the game. As an adult I'm old enough to get through that prompt.
"[random game on a whim] has Full Access to your Google Account" is scary
I'd have said the same about VW's emissions cheating scandal before it broke.
Isn't it more likely to be a bug in the iOS version of Pokemon Go?