I'm glad they involved google to make sure the change happens to anyone and also to verify their claims about access. This is the type of response we should expect/demand from other companies. Well done.
I agree it is helpful to involve Google so it can be changed for existing Pokemon Go users. But I don't see how Google has verified the claim, since Google themselves have yet to release a statement.
By the way, Google indorsed this comment. Believe me?
Web of trust I suppose. I trust Nintendo and I also don't think Google would allow such a brazen and public endorsement if it were untrue. If google does indeed reset permissions then you know they've at least been in contact.
If it were a smaller company I'd like to see proof.
I disagree. I think the bigger the company, the more likely they less care about users/support/their image. They're 'too big to fall' and the sheep are already on the ship. I believe there's plenty of examples out there, I can give you two straight away [1], [2].
Google cares a lot about user privacy. If only a few percent of their users change their default search engine from Google to DuckDuckGo, they will loose a lot of revenue.
Well, seems like a few people are already looking around for an alternative [1] when it comes to privacy [2]. I can see some effort [3] but I'm not sure if addressing user's privacy concerns is their main goal.
The bigger the company, the higher the chances that a public statement - especially one admitting to a mistake - has to pass through PR and legal, and that one of those stops you from implicating a third party company in your actions if they aren't really being a part.
Just to be entirely clear, Google (along with some other companies like Nintendo) have invested in niantic. So even though Google may not own Niantic, they are pretty interested in its success.
Exactly, that's what I'm more worried about - Google needs to present clear information about what access is provided BEFORE I accept the account connection. It's not necessarily Niantic's fault for asking for too much, it's Google's for not at least making me aware.
It's entirely plausible that Niantic didn't realize they were asking for too much specifically because Google didn't show the permissions being asked. So any time they tested their own app, they would have just seen what everybody else saw, which is that the app asked for access to the Google Account with no mention of what permissions.
Despite that, it is wexing that they wouldn't come across this issue during testing. Maybe it's a production issue. I am very interested in a technical explanation from either Google or Niantic. They surely had to test iOS app and check their Google permission page. Otherwise it would be really sloppy testing.
the thing is...as long as its a frame inside the app i have zero way of knowing whether im actually looking at googles login page, or if niantic is reading the traffic/javascript. At least when I get bounced out to safari I only have to trust apple, which I already implicitly do.
My comment was downvoted for some reason... perhaps I'm mistaken (haven't tried myself) but I'm fairly confident Charles can do this. I've heard of using it to reverse engineer APIs from mobile apps that use SSL, Robinhood for example.
I thought that Google and other app writers weren't keen on blindly accepting generated certificates, and used certificate pinning. Do they really accept anyone's google.com certificates?
I haven't tried it with a Google API specifically but here's their description:
> Charles does this by becoming a man-in-the-middle. Instead of your browser seeing the server’s certificate, Charles dynamically generates a certificate for the server and signs it with its own root certificate (the Charles CA Certificate). Charles receives the server’s certificate, while your browser receives Charles’s certificate. Therefore you will see a security warning, indicating that the root authority is not trusted. If you add the Charles CA Certificate to your trusted certificates you will no longer see any warnings – see below for how to do this.
> Note that some apps implement SSL certificate pinning which means they specifically validate the root certificate. Because the app is itself verifying the root certificate it will not accept Charles's certificate and will fail the connection. If you have successfully installed the Charles root SSL certificate and can browse SSL websites using SSL Proxying in Safari, but an app fails, then SSL Pinning is probably the issue.
I went through the updated app (v1.0.1) and the oAuth flow clearly indicated what I was granting access to. I'd be very curious if this was a fix by Google, a Google bug where requesting "full access" is missing that step, or Niantic changed the way they do oAuth (still a Google issue, the method lacking confirmation shouldn't exist).
It was some JavaScript injected into the WebView that automatically clicked confirm and sent a message to reposition the WebView offscreen as soon as that happens.
If they did that, they don't deserve a second chance at trust. That is outright malicious, and definitely a dark pattern. Their app deserves to be deleted and not used again.
Oauth2 has some serious holes - I have no idea if the Google login page is served by Google, or is simply a copy of their landing page designed to phish for credentials. This needs to be fixed as Oauth is becoming increasingly prevalent. We need some type of web of trust like SSL EV that gives me attestation the Oauth login page is being served by the company that I think it is.
This is why providers like FitBit require that you use APIs such as Chrome Custom Tabs or SafariViewController, where the OS presents an out-of-process limited web view that the host app doesn't have access to.
Isn't this a bit: "Accidentally left open gate to castle. Now closed. No fix in place to make sure other people working closely with Alphabet/Google won't leave door open again. Share and enjoy." ?
On another note, from the "privacy policy":
1. REVISIONS TO THIS PRIVACY POLICY
Any information that is collected via our services is covered by the privacy policy in effect at the time such information is collected we may revise this privacy policy from time to time if we make any material changes to this privacy policy, including any change that we propose that will have retroactive effect, we’ll notify you of those changes by posting them on the services or by sending you an email or other notification, and we’ll update the “last updated date” above to indicate when those changes were made
So, they'll let you know if they apply retroactive changes to the policy? How is that any different from "lol, you give data, we do what we want, ok?"
> No fix in place to make sure other people working closely with Alphabet/Google won't leave door open again.
Niantic Labs did not create and does not own the permission model and therefore by definition they can't fix it.
All they can do is improve their review process to reduce chances that bad code somehow makes it into production. (as probably most of us do)
That is not to say that there aren't valid and reasonable use cases for even the most powerful/dangerous permissions. People even root their phones to give some of their apps access to permissions they otherwise couldn't use because there's a lot of cool/interesting stuff you can do that way.
> So, they'll let you know if they apply retroactive changes to the policy?
Pretty standard for a lot of apps and web services. The alternative is not to use them, or to be very conscious about what data you supply them with. Most people just click accept (as with any EULA).
Seems like a privacy policy that amounts to "lol, whatever" can't possibly be lagally binding in the EU at least. If it is (found to be) void they could be required to delete all customer data - as they have no legal grant to store it or use it for any purpose?
Though, I always feel kind of bad about the whole torch-and-pitchforks almost certainly resulting in some poor sap(s) working 24/7 to fix the issue ASAP when it really could have been fixed, oh, Thursday. (assuming the absence of malice, it's just important it get fixed reasonably soon) Especially considering they doubtless have all kinds of other major issues on their plate- like the server load problems.
As much as I don't like the torch and pitchforks approach; this is the kind of oversight that should be found long before an app is released. It also shows that the market won't tolerate broad security overreaches.
I certainly want to try Pokemon Go, but after seeing these articles, I decided to wait.
On Android, Pokemon Go requests permission to access your contacts. I declined this access, and the app still seems to work (modulo the crashes & bugs that others have reported).
Accessing the camera and location I can understand, but I don't want to give Pokemon Go access to my contacts.
Not documented, Pokemon Go now asks for Notification permissions. (Which is typical of mobile games and should have been done at launch, but ironic given current circumstances.)
Typically the user should be primed, given reason for what the notifications will entail, how frequent they might be and so on. It makes users much more receptive to them if you tell then why they should want to have this optional feature enabled, rather than a blind notification popup in first launch.
Exactly - I just meant not the default popup as soon as you launch without any explanation or justification.
This is what developers would do in the past with location access also, but as privacy awareness takes hold people are far more likely just to deny these permissions.
In iOS it's a pain for a user to actually reenable the setting after the fact.
I'm slightly curious how we prove the statements to be true.
There wasn't the normal "this app wants ___ permissions, is that cool?" message from the Google OAuth dialog. I had not idea I'd authorized Niantic to go scrape all my emails, access Google's own processing on them for advertisement system training or review my location history, for example.
I'm not so sure why I should believe they didn't do that.
The difference here is the "grant full access" screen was never shown to users. That shouldn't be possible and speculation is that either the app somehow hijacked past the screen, or Niantic being an ex-google company was whitelisted to avoid this.
I can easily see how the second would happen, I wonder if Ingress (their previous inside google app) even showed up on your list of authorized third parties?
From what others have posted here, any native app that loads the oauth flow in a web view control or whatever it's called, has full control over it, and so can do anything it wants.
I didn't think they were doing anything nefarious but you never know. I think I will install it now, to see what my grandchildren have been talking about.
The concern (at least for me) wasn't that Niantic was doing anything nefarious, it was that if they didn't even know they were asking for full permission are they professional enough to prevent that full permission from being misused by a malicious actor? The app is so popular that an exploit could be a gold mine for black hats.
Glad to see Google patching the permissions server-side, as I bet a lot of people just checked the app out once out of curiosity and won't launch the updated version.
Seeing as the Android version only required the LOWEST possible Google permissions scope, my guess is someone checked the wrong box, or for some reason was doing something in development that required slightly more permissions and simply forgot to switch it back.
And most folks will click "Approve" without really reviewing the list. That said, Twitter and Facebook (two other popular OAuth providers) heavily restrict certain "full" access to only trusted applications that they either have a business relationship with or otherwise review the application before allowing those scopes to be requested or used. This incident may prompt Google to do more of that, which isn't entirely great news for the more responsible developers with purpose-built apps.
That's why Facebook changed their APIs in 2014. Before any app could ask for anything. Now apps can only ask for public profile data, email address and a list of your friends that have also installed the app.
Before you could also get stuff like education and work history, family relationships, relationship status, sexual orientation and a whole load of other stuff that could potentially cause a lot of trouble. And people would happily click OK just to play FarmVille or whatever.
Now Facebook makes it so any app needing advanced permissions data has to be reviewed by Facebook first.
Great. Although this is really a left-pad situation: it's good that they fixed it, but that fact that it was a problem in the first place is pretty damn disturbing.
It is indeed fixed but updating iOS app alone does not change the permissions. I had to sign out of the app, revoke the permissions on google and then sign back in.
Played Pokémon GO yesterday (iOS 1.0 version) and it was very buggy. Many bugs looked like they were server side (requests freezing), but there were strange rendering errors (like seeing only waves on the ground where Pokémon are, and not the actual Pokémon on them) that could be fixed by restarting the app several times. The phone also got absurdly hot, I never play on it, I don't know if it's normal for it to get like that, but I could barely hold it in my hand.
I literally couldn't understand all the fuss about the game, it was unplayable for me...
When the network is up, it's very fun. But yeah, drawing certain UI elements seems to be dependent on the response from the server. You can tell when you're really lagging because the UI stops rendering. It also doesn't seem to have any concept of retrying dropped packets, it just gives up and you need to force-quit.
For those with battery concerns, turn on Battery Saver in the settings.
With that enabled, when the phone is rotated upside-down (i.e put in your pocket), brightness drops to 0% and 3D rendering is disabled, both of which help. A little. Constant GPS and battery sucking can't be fully mitigated.
This is a known bug with the app. In power save mode, sometimes the app will stop responding altogether. I had a few instances where I was in power save mode, found a Pokemon and tried to tap it and it would not recognize my actions. I had this happen on Android.
When the network is up it's surprisingly fun for a game with so many problems. Makes me hope they actually fix some of them soon we can play the game it should be.
Doesn't seem like they were anticipating the load their servers would get. I've had trouble logging in, and other lags from time to time that really seem to be server overload issues.
Not surprising given the incredible overwhelming number of people trying to play the game. I knew it would be huge, I never imagined it would be the phenomenon it is. (Go to a park at lunch or after work if you don't know what I'm talking about. Any park in the country.)
Especially that they launched US-only (?), but the whole world is playing anyway thanks to game's APK being spread on-line. I'm writing this from Poland, coming straight from 2 hours walk from work, catching Pokemon and leveling up on the way :).
It first launched in Australia, and is available in a few countries right now (Australia/New Zealand/USA). I believe the rollout to the UK/Asia/other countries is on hold due to issues with the huge volume of traffic overwhelming Niantic's servers.
Seems like this would be very easy for them to block since they know your GPS coordinates. They could just pop up a message saying "Pokemon Go is not yet available in your region," although, the good will demonstrated by allowing customers in other countries to play would probably be better than arbitrarily blocking them.
They could. If they did, they'd probably kill the game on the spot, or at least significantly curtail its popularity. As it is right now, the game is a global phenomenon, and it's getting immensely popular worldwide.
Yep. Lots of other people are getting this, too. And it sucks. They all seem to be server load problems, but what gets me is that some things just don't need server updates, and they do them anyway. Oh, so you need to check in with the server every time I toss a pokéball. Niantic, it's like you've never heard of caching, combining packets, and client side prediction, or anything clientside for that matter. Sure it's not as secure, but what are you more afraid of, people commiting fraud on your trivial pokeball tossing minigame, or people uninstalling your crashy, broken game, because you didn't understand that releasing a good, free game based on one of the most popular game series the world has ever known would result in a lot of popularity, and that you maybe should have optimized for bandwith? Mmm. I can almost taste the lag.
Yeah, the server loading indicator every ball toss is grueling. It would be OK if it was reliable and always loaded after a few minutes, but a large portion of the time it locks up after several failed attempts to talk to the server and you have to kill the app. Then starting the app again shows the server error page 9/10 times, then you have to try the ball toss again, which may or may not work.
Yep, that's about right. This app is shit on iOS. I thought the App Store was supposed to have a quality review process, but this thing crashes all the time.
Haven't played it, but testing an app without any significant load would seem to be pretty different from scaling up the backend to twitter-scale in a couple of days.
The app isn't very good on Android either. But then it is supposedly version 0.29? The original Ingress app wasn't that stable either, but with all the interest and revenue generation, I imagine it won't be too long before it stabilizes.
