When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.

Pokémon GO is a big security risk to your Google account [Update]

former Senior Editor for North America Neowin · · Hot! with 33 comments

If you've been paying attention to just about anything over the past few days, you've heard of Pokémon GO, the new game that allows you to run around town catching Pokémon.

You'll notice that when you first load the game, you can sign-in with either a Google or Pokémon Trainer Club account. Due to servers being down and the fact that you can't create an account through the app, many have opted to sign-in through their Google accounts.

When you give something access to your Google account, you'd typically be prompted to log in, and then you'd be brought to a screen that tells you what permissions you'll be granting, and then you can choose if you want to accept them or not. This second screen doesn't seem to appear when signing in through the Pokémon GO game.

As it turns out, the game grants full access to your Google account. Adam Reeve, who discovered the issue, says that this is what Niantic now has access to:

  • Read all your email

  • Send email as you

  • Access all your Google drive documents (including deleting them)

  • Look at your search history and your Maps navigation history

  • Access any private photos you may store in Google Photos

  • And a whole lot more

This is not common behavior, as most apps should only be requesting basic contact information. Reeve doesn't suspect malicious intent though; however, it is bothersome that Niantic now has a mass of information on its users, and those users have no way of knowing how Niantic safeguards all of that data.

The issue only seems to affect iOS users; however, Android users aren't without issue. Those that have opted to side-load the APK may have stumbled onto malware.

Update: While Reeve's report states that this is happening to iOS users, there are also reports of it happening to Android users. Niantic, however, released the following statement:

We recently discovered that the Pokémon Goaccount creation process on iOS erroneously requests full access permission for the user's Google account. However, Pokémon Go only accesses basic Google profile information (specifically, your user ID and e-mail address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google account information, in line with the data we actually access. Google has verified that no other information has been received or accessed byPokémon Go or Niantic. Google will soon reducePokémon Go's permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves.

Source: Adam Reeve

Report a problem with article
Next Article

The iPhone 7 and iPhone 7 Plus dummy models get shown off in full glory

Previous Article

Qualcomm announces Snapdragon 821 processor

Join the conversation!

Login or Sign Up to read and post a comment.

33 Comments - Add comment