Pokemon Go-mania is sweeping the nation, and it isn’t hard to see why. For a lot of us, the reality of wandering about, capturing Pokemon, and battling at gyms is a dream come true. As the honeymoon wears off, however, users are starting to find issues with the new app, and one of them may be compromising the security of your entire Google account, according to analytics architect Adam Reeve.
In order to play, users have to either create a Pokemon Club account or sign in with an existing Google account. The latter is almost always the more secure option, as you can carefully control each site’s access and revoke it if something goes wrong. Niantic Labs, the Pokemon Go developer, simply requests access to your Google account. Usually that means an email address and basic info, but Pokemon Go requests full access to your account. That’s a pretty scary proposition, according to the Google support page on app access.
“When you grant full account access, the application can see and modify nearly all information in your Google Account (but it can’t change your password, delete your account, or pay with Google Wallet on your behalf)…This ‘Full account access’ privilege should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet.”
Niantic and the Pokemon Company quickly responded with the following joint statement, claiming that it was a mistake which will soon be corrected:
“We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon Go only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access.
“Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.”
Until the issue is resolved, however, that means the Pokemon Go app could theoretically delete everything in your Google Drive, or email its contents to everyone in your address book. It’s not a matter of necessity either, as other users have pointed out that Ingress only asks for a minimal amount of information when connecting to a Google account. Developers decide to ask for however much access they need, so somewhere along the line, someone at Niantic decided to ask for the keys to the house.
Any iOS users who are uncomfortable with this overreach can revoke the app’s access, but know that in the process you’ll be deleting your progress and will be unable to play the game. Android users have a trickier go of it, as a number of users have reported that Pokemon Go doesn’t even show up on their security access page.
Updated on 7-12-2016 by Will Fulton: added Niantic’s response.