UPDATE: In a statement to GameInformer, Niantic confirmed that adjustments have been made to limit the access the game has to your Google account.
We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.
Niantic and The Pokémon Company have pushed an update for both iOS and Android that not only changes the Google account permissions, but also fixes some crash-causing elements, and includes enhanced support and stability.
The iOS game now asks for permission to send push notifications, which hopefully means that you can now be notified about nearby Pokémon, gyms, Pokéstops, and more.
ORIGINAL STORY: Just call me the Pokémon GO correspondent.
When you log in to external third-party apps with your Google or Facebook account, you’re often presented with a list of permissions – namely, what exactly these apps will be doing with your account once you give it to them. Often, it’s just access to your full name and email, or perhaps your friend list and birthday, and you’re allowed to pick and choose which permissions you’re giving the app. It seems like Niantic, however, has been granted full access to your Google account, without notifying players beforehand.
When you sign in to Pokémon GO on iOS, you either log in through your pokemon.com account or your Google account, but as of right now, the Pokémon website isn’t accepting new signups due to server problems, so if you didn’t already have one, you must go through Google – and everyone has a Google account.
As Adam Reeve pointed out on his personal Tumblr, there wasn’t a permissions screen like the one described above. “On a whim” he went to check which permissions the app had been granted – and it turns out that Pokémon GO has full access to your Google account.
— SecuriTay (@SwiftOnSecurity) July 11, 2016
What does this mean? According to the Google help page, applications with full account access “can see and modify nearly all information in your Google account.”
This “Full account access” privilege should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet.
The severity of the situation may be difficult to grasp, so here’s a handy list of what Pokémon GO and Niantic Labs can now do. They can:
- Read all your email
- Send email as you
- Access all your Google drive documents (including deleting them)
- Look at your search history and your Maps navigation history
- Access any private photos you may store in Google Photos
- And a whole lot more
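The contrast between that list and the basic profile scope Niantic says it actually needs is a scope-review problem: what does the sign-in request ask for, and is any of it beyond what the app uses? The following is an added example, not code from the article, Niantic or Google; it parses the `scope` parameter of an OAuth 2.0 authorization URL and flags anything outside a least-privilege allow-list. The client ID, redirect URI and the two over-broad scopes in the sample requests are constructed for illustration.

```python
# Added example (not from the article, Niantic or Google): audit the scopes an
# OAuth 2.0 authorization request asks for against the least-privilege set the
# article says the client actually needs (user ID and email). Scope strings
# other than the three basic ones are constructed for illustration.
from urllib.parse import urlparse, parse_qs

# Standard OpenID Connect scopes Google accepts for basic profile data.
BASIC_PROFILE_SCOPES = frozenset({"openid", "email", "profile"})


def requested_scopes(auth_url):
    """De-duplicated scopes named in an authorization URL (empty if none).

    'scope' is a space-separated list; once URL-encoded the space may be
    '+' or '%20'. parse_qs decodes both forms back to a space.
    """
    query = parse_qs(urlparse(auth_url).query)
    raw = query.get("scope", [""])[0]
    seen = []
    for scope in raw.split():
        if scope not in seen:
            seen.append(scope)
    return seen


def audit_scopes(auth_url, allowed=BASIC_PROFILE_SCOPES):
    """Report which requested scopes exceed what the app needs."""
    asked = requested_scopes(auth_url)
    excess = [s for s in asked if s not in allowed]
    return {
        "requested": asked,
        "excess": excess,  # scopes with no documented use in the app
        "least_privilege": bool(asked) and not excess,
    }


# Constructed sample requests; client_id and redirect_uri are placeholders.
GOOD_REQUEST = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb&response_type=code"
    "&scope=openid+email+profile"
)
# Over-broad: also asks for Drive and full Gmail access the client never uses.
BROAD_REQUEST = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb&response_type=code"
    "&scope=openid%20email%20https://www.googleapis.com/auth/drive"
    "%20https://mail.google.com/"
)
```

Running `audit_scopes(BROAD_REQUEST)` reports the Drive and Gmail scopes as excess, while `audit_scopes(GOOD_REQUEST)` passes; a request with no `scope` parameter at all is also reported as failing, since it asks for nothing the reviewer can reason about.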
Niantic Labs is a Google/Alphabet spin-off company, and relies heavily on Google Maps data, so in some basic way, this makes sense. However, this level of access is frightening when, as pointed out on Twitter, it turns out the app is not as secure as players would like it to be.
Pokemon Go… get yourself whatever you want because I can hook directly into the APIs with mitmproxy. No cert check pic.twitter.com/aR1VkwW2AD
— Den Delimarsky (@DennisCode) July 9, 2016
Hackers have already created a malicious version of the Pokémon GO software that can infect Android phones with a remote access tool, or RAT. This version is only available through third-party download websites, so as long as you download from an official store, you have nothing to worry about. It is concerning, however, for less tech-savvy players who may be caught up in the Pokémon GO cultural phenomenon and jump in uninformed.
The rapid growth and popularity of Pokémon GO combined with flimsy security leaves plenty of room for types who may want to take advantage of those wrapped up in newfound childhood nostalgia and awe. Hopefully a fix comes through fast, but in the meantime, you can revoke account access here.