iPhone users: Pokémon GO can spy on your entire Google account

“iPhone users of Pokemon GO, beware: the app has access to your entire Google account. That’s a major problem for fans of the game. Shockingly, there’s no warning about the extensive permissions either,” Thomas Fox-Brewster reports for Forbes. “For now, it’s unclear if Android owners are affected, though reports of sporadic Google account access have emerged.”

“To be clear, the app, as it stands, can read and write emails. It can also view your Google Docs, search history and Maps use. And your private photos,” Fox-Brewster reports. “Keen eyed security pro Adam Reeve warned about the issue last week, noting that he didn’t receive any warning about the permissions on download. ‘Now, I obviously don’t think Niantic are planning some global personal information heist. This is probably just the result of epic carelessness,’ Reeve wrote. ‘But I don’t know anything about Niantic’s security policies. I don’t know how well they will guard this awesome new power they’ve granted themselves, and frankly I don’t trust them at all.'”

“Concerned users can do what Reeve did: revoke accounts and delete the app. They could still enjoy the game, however, and sign up via the website. But that feature is, inexplicably, not currently working. So right now, iPhone users have no option but to either risk their data or kill the app.”

Read more in the full article here.

MacDailyNews Take: Gee, that would be terrible – if we had “entire Google accounts” that weren’t fake, empty shells created for just such purposes, that is. You know, like our fake Facebook accounts that we use for game signups, coupons, etc. Nobody sane gives their real, personal data to Google and Facebook, right?

Alas, we recognized the value of privacy a long, long time ago, thanks.



  1. Does ANYONE who cares ANYTHING about their data (personal or business) utilize a Google account or Facebook or any of their ilk?

    Personally, I believe that no one should use a Google account in any fashion for business — it’s even tackier than using an AOL account yea many years ago or a GENIE account before that. When someone gives me a Gmail account as their official “business” account, I politely tell them that if they want me to email them anything they need to give me a different account. No exceptions.

    If you’re really 100% OK with the potential for the entire world to know anything and everything about you and what you do then go ahead and use a Google account and post your doings to Facebook, but know the risks before you do.

    1. I have the same policy, Shadowself. It has caused more than a few rolled eyes after explaining my reasons to colleagues, family, and friends. Most people don’t want to hear it, and a large majority respond that they simply don’t believe me. All of this information is accurate; I did my own research (oddly enough, at the time, via Google searches). By the way, I highly recommend using DuckDuckGo as your search engine.

      If you’re using Google services you should know that:

      — When you perform a search using Google, the text string of your query as well as the URLs you subsequently click are recorded. All of them. Every. Single. Time.

      — If you have any non-Gmail email account (including your own domain-based email account), are you aware what happens when you reply to anyone who sends an email message to you from their Gmail account? That’s right, the text in the originating message as well as the text in YOUR message are auto-scanned and analyzed upon passing through the Gmail servers. The results are added to your Google profile that is indexed under your own email address, and then utilized for ad profiling and any other marketing purposes they see fit to use.

      — Contacts stored in a Gmail account are used for profiling and association with other Google-indexed accounts (including non-Gmail accounts).

      — The videos you watch on YouTube are also added to your profile. Ever click on a link to a (somewhat) inappropriate YouTube video? It’s in your profile.

      — The photos you upload to Google Photos absolutely do have facial recognition applied, with the results being cross-referenced with your Google profile and other Google profiles. In other words, they know who know.

      — Let’s be clear: Even if you don’t have a Gmail account, you have a Google profile from using Google search, watching YouTube, or exchanging an email with someone who uses a Gmail account. And this is linked with every single website you visit that has ads, because those are served and tracked by a variety of Google ad services such as DoubleClick, etc.

      — All of this information is retained forever by Google.

      None of this is paranoid conspiracy theory; it’s simply the way Google does business. And the overwhelming majority of people worldwide seem to have gladly accepted it.

  2. The only purpose for my Google account is to access programs that require a Google account.
    However, if Niantic allowed me to register at their web site I would have done that instead. But for the last three days the website has not been able to register players.

  3. I never (never) log into sites using Google, Facebook, Twitter accounts. If they offer a Disqus login, then fine. But handing over access to social media sites and everything you do there is lunacy. Of course the marketing maniacs are going to abuse that access. Fake, dead end, no activity accounts would be a great alternative, if stuck with only social media sites as login choices.

    Meanwhile, it’s trivial to ID user IP addresses and track them. But that’s typically done with tracking cookies, which I highly suggest dumping on a constant basis, no matter where they’re from. Regular cookies (non-tracking) are worth keeping. Such, at least, is what I do. It turns out that Google has NO tracking data about me, heehee, haha, hoho.

    1. Well, actually, just by visiting this very site Google is tracking you. You, like millions and millions of other online users, are wittingly and unknowingly handing over data to Google. This website does exactly the same thing… to you, the Idiot who uses it!

      1. No, actually. I use a cookie control app that dumps the Google tracking cookies, and all others, every minute. That’s how I set up its timer. I also have a second cookie control app that makes sure I get any strays the first doesn’t catch. I say that Google has no tracking data on me because I went to Google to look for it and found nothing. About a month back there was an article here at MDN about how to look up your tracking data. Mine was blank.

        So who’s an idiot again? I’ve been studying computer security since 2005 and writing about it since 2007. Click my avatar and check it out, hater.

        1. The Google tracking on MDN doesn’t require cookies. Unless you are masking your IP address through a proxy network, and spoofing your agent, you’re at least sending that data to Google, along with the date, time, and URL of every page visit on this site.

        2. Definitely, tracking WITHIN any site is not going to be preventable. But that’s not what we’re talking about.

          Tracking cookies specifically refers to surveilling browser users ACROSS sites, as long as those sites’ servers are set up to access the tracking cookie.

  4. “For now, it’s unclear if Android users are affected.” They have basically the same issue; the only difference on Android is that it asks users to agree to it first, presenting an extensive list of everything it has access to.

    Until their developers fix it, the only way to really avoid this issue and still play the game is to make a throwaway Google account to play the game, and give it unlimited access to that account.

  5. Yay for blind users. Pokemon Go isn’t even usable by VoiceOver. But that’s a good thing, lol. Saves at least one community from being a zombie. I don’t know why it’s so popular anyways. Come on conspiracy theorists, find out! Lol
