The popularity of Pokemon Go has raised security concerns after the app accessed users' personal information, prompting the Australian privacy commissioner to intervene.
The augmented reality game uses GPS on mobile devices to detect fictional Pokemon characters which users then find by travelling to their location, has become wildly successful. But the app has also accessed Apple device owners' Google apps despite not needing to do so, prompting the office of Australian Privacy Commissioner Timothy Pilgrim to contact its developer.
Developer Niantic Labs say the access was requested in error and that they corrected the permissions in an update on Tuesday, but researchers say smartphone apps are increasingly rifling through sensitive personal information they do not need.
"The issue is not confined to this particular app... it is very, very common. It is estimated that more than half of the (Android) apps are accessing things they don't need," CSIRO's Data61 Networks Group research leader Dr Daali Kaafar said.
He said that, even though Pokemon Go was an example of accidentally accessing more data than necessary, it was endemic in a market that had become hungrier and hungrier for data.
The permissions apps request goes beyond simple collection of personal details and, in extreme examples, can let apps monitor text messages and track all browser traffic sent from a device.
Several simple torch apps on the Android market also request your location on download, Kaafar said.
Canberra University's Centre for Internet Security director Nigel Phair said users don't realise the value of the information they hand over.
"That's the problem: people don't value their personally identifying information ... we still haven't got this correlation between real world and online," Phair said.
He said it was pretty obvious that companies like Google carve most of their profits out other people's information by using it for lucrative targeted advertising. Phair urged the ACCC to be more active in policing the market.
"We need carrot and stick. The ACCC do a great job in so many other areas, this is just another consumer area they need to devote resources to," he said.
That's the problem: people don't value their personally identifying information... we still haven't got this correlation between real world and online.
The ACCC said it could get involved if Australian Consumer Law was breached by businesses misleading consumers about the information they collect.
Both Phair and Kaafar said it was unrealistic to expect users to read often opaque privacy policies, which in Pokemon Go's case is nearly 3,000 words long.
Phair said the onus shouldn't fall solely on consumers, and that a simple explanation of app permissions could properly inform users.
Pilgrim said his office had contacted Pokemon Go's developers to ensure they were managing personal data in accordance with the privacy act.
"This is a timely reminder that people need to read the privacy policies of all smartphone apps before signing up," Pilgrim said.