Niantic, Inc. – the company behind the ubiquitous, can’t-go-10-minutes-without-hearing-about-it Pokémon GO game – said Monday night it wasn’t the company’s intent to request full access permission of its users’ Google accounts.
The company, a Google spinoff, was put in the crosshairs over its security, or lack thereof, earlier this week after it was discovered the app had been granted full access to users’ Google accounts, a level of access usually only given to Google-specific apps like Chrome.
Upon signing up, prospective Pokémon Trainers are given two options: Sign in using their Google credentials or sign in using a Pokémon Trainers Club account. Nintendo, which owns Pokemon, has limited the creation of such accounts, citing an overwhelming demand, forcing many users to use their Google credentials.
In an emailed statement to Threatpost on Monday night the company clarified that the app only accesses basic Google profile information, like a users’ ID and email address, and that it hasn’t accessed or collected further information.
According to the statement, as soon as Niantic became aware of the error, it began to fix it.
> “Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic.”
Several experts sounded the alarm over the app’s security this week, warning that the way they construed it, both Pokémon GO and Niantic could essentially have free reign over a user’s Google account. It was surmised by many at the time that if they wanted to, the company could potentially read users’ email, send email as users, access users’ Google Drive documents, review users’ search and Google Maps history, access private photos stored in Google Photos, and more.
Niantic’s statement, sent to publications Monday night, cleared the air but that didn’t stop Ari Rubinstein, a security engineer with Slack from spending the night digging through the app’s permissions. He verified that Pokémon GO only requests users’ openID and email tokens but agreed the app needs to change its permissions.
“I believe this is a mistake on Google and Niantic’s part, and isn’t being used maliciously in the way that was originally suggested,” Rubinstein wrote in a technical breakdown of the app on Github, Tuesday, “It appears that using this token in the way that was initially suggested would still be difficult with this grant as the type of use for it is not programmatic.”
The whole fiasco comes days after Pokémon GO was first uploaded to both the Apple Store and Google Play. In just six days the number of users on the app has already oventaken popular dating app Tinder and – if it hasn’t already – is set to surpass the number of daily Twitter users soon. The app has been so popular over the last few days that the game’s servers have been strained, prompting Niantic to postpone the launch of the app in Europe and Asia until later this week.
For now Pokémon GO is only available in the U.S., Australia, and New Zealand, but fear of missing out has driven some users not in those countries to sideload illegitimate versions of the app. On Android, this usually requires users to enable the installation of third party APK files from untrusted sources, a risky practice that could lead to malware, experts claim.
Even the official Pokémon GO app on Twitter cautioned users against doing so on Monday:
> Trainers, only install Pokémon GO via the Play Store or App Store. Downloads from other sources may contain malware or viruses. > > — Pokémon GO (@PokemonGoApp) July 11, 2016
The warning came after researchers with Proofpoint stumbled upon a malicious APK that looks strikingly similar to Pokémon GO but in reality, contains a RAT that installs a backdoor on Android devices.
The backdoored APK was spotted on a malicious file repository service but experts claim it could only be a matter of time until similar, rigged APKs make the rounds in the wild.
“The use of popular online games as a vehicle for installing malware is well known, so it is likely to be only be a matter of time before programs such as the one reported in the media are released on unsuspecting consumers,” Vladimir Kuskov, a security expert at Kaspersky Lab said Tuesday, “The best way to protect yourself and your device is to only install apps from official app stores and to complement this with an appropriate security solution. Don’t take short cuts, disable device security or download software from an unverified source; it’s just not worth it.”