If Google auth as a platform grants full access to your Google account without any sort of confirmation, isn't that the security risk? Whether or not it's intentional or malicious on the part of Niantic, that seems like the real problem here.
Yes! I did notice there wasn't a "This app will have access to…" screen when I signed up (I've never seen that before), but that just made me assume they were asking for like the absolute minimal permissions possible or something.
"[random game on a whim] has Full Access to your Google Account" is scary
To my knowledge, this is a known bug in iOS that the Google auth grant inadvertently gives all permissions. You'll note that other users below report this only happening on iOS and not Android, which shifts the risk away from Niantic/Pokemon Go and towards Google itself, as you've mentioned.
Yeah, I had no idea when I signed into Pokemon Go with my Google account that it was doing anything scary. I didn't even consider it would be granting full access to my account. It's almost like Google treats that as the default case, and it's an exception that they style differently when the app requests a particular scope to limit its access.
Yeah, I agree. I strongly suspect that the scope of permissions requests was an oversight (e.g. just ask for everything now, we'll pare it down once we know what data we need). Additionally, while I don't like the idea of Niantic having access to my entire Google account, let's remember that Niantic started as a Google company, and is now under the Alphabet umbrella, so they have a vested interest in keeping things on the up-and-up. Lastly, Nintendo is up 35% thanks to this game (about $7B), and I strongly doubt that there is anything they could gain from scraping/abusing these Google accounts that would come even close to that type of impact. My money is on "bad development process and oversight", and this is just one of many rough edges that I've already noticed in the software.
> I strongly doubt that there is anything they could gain from scraping/abusing these Google accounts that would come even close to that type of impact.
I'd have said the same about VW's emissions cheating scandal before it broke.
This was the case on an Android phone using Google login. His Nexus 6X was on a beta build so he was unable to install the app. He started playing the game on an older device while he downgraded his 6X. After it was complete, he logged into his 6X using his Google credentials and it prompted him to start over.
I've yet to try that, but I can. I'll report back in a few. Having trouble logging into my iPod... will see if I can get my coworker to remove it from his older device.