Pokemon Go privacy rules are terrible (just like all your other apps)

Originally published at: http://boingboing.net/2016/07/11/pokemon-go-privacy-rules-are-t.html
…

Big day for Pokemon on BB. Who’d a thunk?

What’s particularly insidious here is that it doesn’t disclose that it’s doing this. Every other app in recent memory that you can link with a Google account brings up a special screen that displays the permissions the app wants and give you the opportunity to accept or deny (and naturally be locked out of the app).

It doesn’t appear that this app actually does this. Once you link your Google account it automatically consents itself into the highest level of trust possible for a 3rd party app giving it the ability to – among other things – read your email stored in gmail.

One reason this is extremely dangerous is that someone with this permission could essentially do this: go to web sites, request password resets on behalf of your gmail account, read the email with the password reset token, reset your password, and then delete the evidence. They also have read/write access to your Google drive storage, stored pictures, etc. In other words, far overreaching permissions.

OMG. What do you predict the consequences of this will be?

Mine did when I set it up. Got the standard ‘track this, do this, etc’ screens.

Is this on iOS or Android? On iOS for me I didn’t see any consent screen.

There’s a bug in the iOS version that grants it full access.

Android. No idea about iOS.

Got it. This appears to be specific to iOS.

Wow, that’s not enforced on the OS side, it’s an app developer thing? That seems insane.

Yeah, as I recall the click through for granting rights didn’t have any granularity. According to some nerd I talked to (and I haven’t the foggiest if it’s completely true) they rushed the release so it’s missing features they’d planned to get in and has a lot of bugs. Their servers are crashing constantly as well since they don’t have the scale to handle the user base. It’s pretty clear it’s just sloppiness, since the Android release does handle restricting privileges. I expect they’ll have an update in a while to fix it, since I see no legit reason for them to be doing this maliciously with the massive amount of cash they’re raking in from the expected non-malicious use case.

Also, having read their privacy policy it doesn’t really seem like much you wouldn’t expect for the use case of the app and seems to be loaded with boilerplate.

An app developer shouldn’t be able to skip those, is my point. That’s a huge iOS flaw if an app developer can ‘forget’ and still get full perms, because it leaves the door open for malicious devs to do so on purpose.

I would expect that it would be an OS-enforced permission issue as it appears to be on android (whenever an app tries to do something that requires permissions or at first launch, it pops up the window), but it’s possible android is just as broken.

iOS isn’t involved in the handling of rights for Google auth. (which isn’t all that surprising to me, given the relationship). There’s a Google SDK that apps use for it, so it looks like Google’s got a crappy SDK for iOS:
https://developers.google.com/+/mobile/ios/sign-in

Oh it’s google perms that we’re talking about, not phone/handset permissions? My bad.

I really, desperately want to be surprised - shocked, even - that Google’s authentication framework for iOS apparently has a flaw that lets an app silently grant itself full access to your Google account after authentication. Unfortunately, based on all of my past experience with Google’s own apps on every one of Apple’s platforms, I’m forced to conclude that whoever works in the “write code for Apple things” department is simply incompetent.

Wow, this is unbelievable. There was no reasonable indication that it would have full access. Even google products like Drive don’t have full access! Go check out your own account >>

I’m on android, I used my google account to sign in. According to my security settings it has none of these permissions. I think if you have an iOS device and sign in with google you have these issues.

Oh, it gets so much better. Some people are claiming this is all 100% deliberate. The ultimate goal?

So as you’re “catching ‘em all” with all the other sheep, you very well be creating a cache of high-res, data-rich images to get siphoned directly into the CIA’s greedy little pockets. Just picture it, a year from now when Trump-appointed CIA Director Liam Neeson is trying to figure out who helped The Washington Post reporters escape from prison, all he has to do is call over to Deputy Director Sutherland. “Check the Pokédex,” he’ll say, and up springs a Google Street View-esque simulation of the every building, nook, and closet within a five-mile radius—all updated in real time.

As user fight_for_anything explains, “What if that local church is a mosque they suspect of terrorist activity? And they want photos of it, or photos of the cars around it and their plates, or photos of the people coming in and out…” Meaning that, should Director Neeson need eyes somewhere, all he as to do is tell the game to stick a Pikachu in the room and some unassuming schlub will send him a photo in no time.

–Ashley Feinberg at Gawker