
Risk & Repeat: Catching the Pokémon GO app permissions flaw


In this Risk & Repeat podcast, SearchSecurity editors try to catch some answers to the controversy around the Pokémon GO app and its permissions flaw.

While the Pokémon GO mobile game has quickly become a nationwide phenomenon, the application has also sparked concern about an apparent permissions flaw within Google's authentication system.

Specifically, the Pokémon GO app for iOS was obtaining full account access to users' Google accounts without notifying those users (players can use their Google accounts to sign in to Pokémon GO). Security researchers discovered that these app permissions were being granted to Pokémon GO via a full-access token from Google's OAuth authentication system.

Experts also found that the token didn't actually grant complete full account access, which would have allowed Pokémon GO developer Niantic Inc. to read and send email as the user as well as modify and delete documents and data stored in those Google accounts. But experts also noted that it was possible to execute a token exchange attack by swapping the Pokémon GO token for what's known as an uberauth token, which would grant the attackers complete control of a Google account.

Niantic issued a statement on the controversy stating that the Pokémon GO app "erroneously" requested full access to iOS users' Google accounts. The developer issued a fix for the permissions flaw and claimed that no unauthorized Google account info or data had been obtained by Niantic. But questions about the permissions flaw still remain. How was Niantic able to obtain this OAuth token? And why was such a token, which can bypass iOS' app permissions notification system, used in a mobile game?

In this episode of SearchSecurity's Risk & Repeat podcast, editors Rob Wright and Peter Loshin take up those questions and more as they examine the Pokémon GO app permissions controversy and what it means for Google's authentication system and mobile security overall.
