
How did a full access OAuth token get issued to the Pokémon GO app?

A full account access OAuth token was mistakenly issued to the Pokémon GO mobile game by Google. Expert Michael Cobb explains the security risks and whether this can happen with other apps.

The popular Pokémon GO mobile game has been a source of controversy because it erroneously obtained full account access to users' Google accounts and failed to notify players on iOS. The culprit, according to researchers, was an OAuth token that apparently was mistakenly issued by Google. Could this sort of error happen with other mobile apps, and if so, what are the security implications?

OAuth 2.0 is an authorization framework that enables third-party applications to access certain data in a user's account with a service such as Google, Facebook or Garmin Connect without the user divulging the account credentials to the third party. So, for example, users' Strava accounts can access their Garmin Connect accounts without the users needing to share their Garmin username and password with Strava. Likewise, users can authenticate themselves to the Pokémon Go app through the Pokémon Trainer Club website or by using their Google account; OAuth allows them to do so without sharing their Google credentials with Niantic Inc., the company that developed the Pokémon Go app. The OAuth protocol requires apps to request access only to the minimum amount of data needed and to obtain the user's permission first.

However, researcher Adam Reeve of security firm RedOwl Analytics found that the account creation process of the iOS version of Pokémon Go requests and obtains a full-access OAuth token for the user's Google account without first asking permission. The OAuth token means the app could access biographical information from users' Google accounts, such as their email addresses and phone numbers. This is a privacy risk, but not as dire as first reported by Reeve, who based his concerns on Google's own explanation of what full account access means -- that granting full account access allows the application to see and modify nearly all information in a user's Google account.
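The least-privilege requirement described above is something the client can enforce on its own side: compare the scopes the authorization server actually granted with the scopes the app asked for, and refuse a token that is broader than requested. The following Python is an added example, not code from the article, Niantic or Google; the scope names and token responses in it are constructed.

```python
"""Least-privilege audit of an OAuth 2.0 token response.

Added example (not from the article, Niantic or Google). It checks that
the scopes an authorization server granted do not exceed what the app
requested, so an over-broad token is rejected instead of silently used.
Scope strings are space-delimited as RFC 6749 section 3.3 requires.
"""
import json

# Scopes this hypothetical app legitimately needs (constructed).
REQUESTED = {"openid", "email"}


def granted_scopes(token_response, requested):
    """Parse the 'scope' field of a token response into a set.

    RFC 6749 section 5.1 lets the server omit 'scope' when the grant is
    identical to the request, so a missing field means 'as requested'.
    """
    raw = token_response.get("scope")
    if raw is None:
        return set(requested)
    return set(raw.split())


def audit_grant(token_response, requested=REQUESTED):
    """Compare granted scopes with requested scopes.

    'ok' is True only when nothing beyond the request was granted;
    'excess' lists scopes to refuse, 'missing' lists requested scopes
    the server withheld (the app should degrade, not fail open).
    """
    granted = granted_scopes(token_response, requested)
    return {
        "ok": granted <= requested,
        "excess": sorted(granted - requested),
        "missing": sorted(requested - granted),
    }


def accept_token(token_response, requested=REQUESTED):
    """Return the access token only if the grant stays within the request."""
    result = audit_grant(token_response, requested)
    if not result["ok"]:
        raise PermissionError("over-scoped grant: " + ", ".join(result["excess"]))
    return token_response["access_token"]


if __name__ == "__main__":
    # Constructed samples: a minimal grant and an over-broad one.
    minimal = json.loads('{"access_token":"tok1","token_type":"Bearer","scope":"openid email"}')
    broad = json.loads('{"access_token":"tok2","token_type":"Bearer","scope":"openid email profile"}')
    print(audit_grant(minimal))  # ok
    print(audit_grant(broad))    # excess: ['profile']
```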

Research by Ari Rubinstein of collaboration and communication firm Slack found that although the OAuth token Pokémon GO obtains can't access data such as emails and appointments, it could potentially be exchanged, through an undocumented mechanism, /MergeSession, for an access token with the scope. This token, called uberauth, can be used to open a web session with any Google property, leading to true full account access.

Niantic was previously owned by Google, but it's still unclear how Niantic was able to obtain this OAuth token and bypass the permissions notification that would normally accompany an application obtaining full account access. The available documentation fails to adequately describe what the token permissions actually mean and the authentication process is confusing and ambiguous. However, it's a security failing on Google's part that undocumented methods can yield a token with such excessive permissions to a non-Google app, and the OAuth implementation in Pokémon Go was not great either. Google and Niantic have since worked to reduce Pokémon GO's permissions to the basic data that the app requires.

Unfortunately, problems like weak APIs and poor oversight of tokens are not unusual. Developers need to ensure that passwords, tokens and certificates are not exposed in their code or inadvertently uploaded to online repositories. This is a common error that can lead to a host of privacy and security risks. For example, many Slack users were found to be uploading their company's unique API key or token along with their Slack bot code to the repository hosting service GitHub. If the Slack token is not removed, a third party could use it to access private Slack networks and the data stored on them. Debug code and deprecated API and system calls should also be removed from the production release version of any software; otherwise, the appearance of unintentional vulnerabilities is inevitable.


This was last published in November 2016
