Pokémon GO is a cultural phenomenon, and it’s incredibly interesting to see so many people around the world getting on their feet and hunting some fictional creatures. Pokémon fans, gamers and just interested others alike are taking to the streets in a way no other app has encouraged before, but if you’re on iOS you might want to take a closer look at what Pokémon GO is doing. Because right now it has full access to your entire Google account.
By mistake. Oops.
Pokémon GO never prompts users to give it permission to access the different parts of their Google account, but as revealed yesterday it doesn’t seem to matter. The app currently has access to anything linked to your Google account, including emails, documents, contacts and more. Right now there’s no evidence that developers Niantic have done anything with this information, but if you’re a personal security nut then you might want to know that the Zubat you just caught can also:
- Read all your email
- Send email as you
- Access all your Google drive documents (including deleting them)
- Look at your search history and your Maps navigation history
- Access any private photos you may store in Google Photos
- And a whole lot more
Obviously Niantic was contacted immediately after the news broke, and the company has already issued a statement saying that the permissions to your Google account were requested accidentally. Niantic says that none of that information is required by the game, and that they’re working on a fix to restore your privacy when out trying to Catch ‘Em All.
We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.
Until then, however, the issue still exists on iOS. And if that’s a big problem for you, a hiatus until it’s sorted might be in order.
Last Updated: July 12, 2016