Just days after Pokemon Go sent Nintendo shares soaring in Tokyo, the game’s developers were scrambling to close a massive privacy hole.
The iOS version of the mobile game — which superimposes figures onto real-world environments through augmented reality technology — apparently had a default setting that required users to grant broad permissions to access their Google accounts.
The blockbuster game reportedly had been downloaded more than 15 million times from the App Store and Google Play as of Wednesday, and alarm bells over the data exposure drew the attention of Sen. Al Franken, ranking Democrat on the Senate Privacy and Technology Subcommittee.
Franken on Tuesday fired off a letter to Niantic President John Hanke, asking pointed questions about the app’s permissions and collection of data, particularly from children, who are a major segment of Pokemon Go’s fan base.
“While this release is undoubtedly impressive, I am concerned about the extent to which Niantic may be unnecessarily collecting, using, and sharing a wide range of users’ personal information without their appropriate consent,” Franken wrote.
The company had not yet replied as of Wednesday, the senator’s spokesperson, Michael Dale-Stein, told TechNewsWorld. Franken’s letter asks Hanke to respond within a month.
The account creation process on iOS erroneously requested full access permission for a user’s Google account, according to Niantic, although the developer actually accessed only basic profile information, including user ID and email address.
“Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with data that we actually access,” Niantic said in a statement provided to TechNewsWorld by spokesperson Chris Kramer. “Google has verified that no other information has been received or accessed by Pokemon Go or Niantic.”
Google has reduced Pokemon Go’s permission to only the basic profile data, and users do not have to take any action themselves, Niantic said.
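The fix Niantic describes amounts to OAuth scope minimization: ask Google only for the scopes that cover the data actually used (user ID and email), and verify that nothing broader was granted. The following is an added example, not Niantic's or Google's code. It assumes the standard OpenID Connect scope names `openid`, `email` and `profile` and Google's `https://accounts.google.com/o/oauth2/v2/auth` authorization endpoint; the client ID, redirect URI and token response below are constructed placeholders.

```python
"""
Least-privilege check for a Google sign-in request (added example, not
Niantic's or Google's code). Two controls are shown:
  1. refuse to build an authorization request whose scopes exceed the
     basic-profile allowlist, and
  2. after the token exchange, confirm the scopes Google actually granted
     are no wider than what was asked for.
"""
from urllib.parse import parse_qs, urlencode, urlparse

GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# "Basic profile information" (user id and email) in OpenID Connect terms.
BASIC_PROFILE_SCOPES = frozenset({"openid", "email", "profile"})


def excessive_scopes(requested):
    """Return, sorted, every requested scope outside the basic-profile allowlist."""
    return sorted(set(requested) - BASIC_PROFILE_SCOPES)


def build_auth_url(client_id, redirect_uri, scopes, state):
    """Build the authorization URL, refusing any request beyond basic profile."""
    extra = excessive_scopes(scopes)
    if extra:
        raise ValueError(f"scope request exceeds least privilege: {extra}")
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(sorted(set(scopes))),
        "state": state,  # CSRF binding for the redirect, assumed to be random
    }
    return f"{GOOGLE_AUTH_ENDPOINT}?{urlencode(params)}"


def scopes_in_url(url):
    """Parse the space-separated scope parameter back out of an auth URL."""
    query = parse_qs(urlparse(url).query)
    return query.get("scope", [""])[0].split()


def granted_within_allowlist(token_response):
    """
    Check the scopes reported in a token response against the allowlist.
    Assumes the response carries a space-separated 'scope' field, as the
    OAuth 2.0 token endpoint specification allows; a missing field is
    treated as a failure so an unexpected grant cannot pass silently.
    """
    scope_field = token_response.get("scope")
    if not scope_field:
        return False
    return not excessive_scopes(scope_field.split())


if __name__ == "__main__":
    # Constructed inputs: a minimal request and an over-broad one.
    minimal = ["openid", "email"]
    over_broad = ["openid", "email", "https://www.googleapis.com/auth/drive"]

    url = build_auth_url("client-id-placeholder", "https://app.example/cb", minimal, "state-placeholder")
    print("minimal request scopes:", scopes_in_url(url))
    print("over-broad request would add:", excessive_scopes(over_broad))

    # Constructed token responses: one minimal grant, one that is too wide.
    print(granted_within_allowlist({"access_token": "x", "scope": "openid email"}))
    print(granted_within_allowlist({"access_token": "x", "scope": "openid email https://www.googleapis.com/auth/drive"}))
```

The build-time check is the client-side fix the article refers to; the post-exchange check is what lets an app itself confirm the claim that no broader data was accessible, rather than relying only on the identity provider's audit.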
“This app was developed by some of the same people that built Google Earth and Maps,” noted Andrea Castillo, program manager of the Technology Policy Program at George Mason University’s Mercatus Center.
“It necessarily tracks users’ location and video capture,” he told TechNewsWorld.
Niantic is a group of seasoned developers, Castillo noted, and is “surely aware of the data-hacking risk this poses,” and will take appropriate steps to remedy the situation.
Niantic Labs was previously part of Google.
“Still, this early oversight reminds users that sometimes even the best developers make mistakes,” Castillo said.
The Pokemon Go data-collection problem is part of a growing class of threats in which third-party apps ask for excessive permissions that can lead to large-scale data loss, observed Kevin O’Brien, CEO of GreatHorn.
“From Google Apps to Slack, Office 365 to Skype, we live in a post-BYOD world, where not only do users self-select their own productivity toolchain, but they also integrate even more tools into these environments,” he told TechNewsWorld. “Pokemon Go is just the tip of an iceberg that’s been growing for three to five years.”
There are two separate classes of risk, according to GreatHorn. One involves vendors whose applications can be hacked directly and used to exfiltrate data from customers, or that have databases in which user information is stored and subject to compromise. The other involves malicious attackers who clone popular applications and trick users into installing them, just to compromise user data.
Pokemon Go does not have a self-protection mechanism built in to prevent that type of vulnerability, Wu Zhou, staff research scientist at FireEye, told TechNewsWorld.
In addition, many apps built for Android allow side-loading of third-party apps from untrusted sources.