Apparently, the huge number of Google account permissions Pokémon Go requests from users is an error, according to the game’s developer.
Niantic emailed a statement to various news outlets, including Kotaku, explaining the situation:
We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.
The ratcheting down of permissions will mean Niantic won’t be deep into players’ Google accounts anymore, only using the IDs to allow them to sign in—the same as lots of other services. Just when that change will happen isn’t clear, though. Hopefully soon it’ll mean that Pokémon Go players will only need to concern themselves with the real-life dangers of the game, like getting robbed, wandering into traffic, or offending Holocaust survivors.
Original story below:
The makers of Pokémon Go can read your email.
The super-popular smartphone game uses players’ Google accounts to sign in to the app (unless you have an existing Pokémon website account, but new ones can’t be made right now for some reason), and as RedOwlytics programmer Adam Reeve discovered and documented, when you give developer Niantic access to your Google account to sign into the game, you’re giving it access to see everything you do on your Google account.
Full access is a big deal. It means Pokémon Go can see your browsing history (if you use Google Chrome), read your email, and send email as you (hypothetically). Basically, Pokémon Go and developer Niantic could potentially see, alter, and record everything you do on Google, and do what they want with it.
The massive privacy and security hole in the game was confirmed by The Verge as well, and there’s zero reason Niantic would need all that access. The most likely scenario? Somebody hit the wrong button when adding the Google account functionality to Pokémon Go. But that’s still millions of users’ data available to everyone at Niantic, and if how often Pokémon Go freezes up and crashes is any indication, you probably don’t want all your personal Google info under their protection.
Reeve said on Twitter that it seems not every Pokémon Go account is granting full access to the player’s Google account, but at least some of them are, including every account The Verge tested. So while seemingly everyone everywhere is having a blast catching ’em all, the security threat posed by the game is probably a lot worse than the chance of someone using it to find and rob you.