While Pokemon Go may only be available in three countries at the moment, that hasn’t stopped fans around the world from getting the Android version via sideloading, or the iOS version by creating and using an Australian, New Zealand or US iTunes account. Those playing Pokemon Go, however, appear to be affected by a security breach: the game has full access to your Google account. Well, at least on iOS.
This was discovered by Adam Reeve, Chief Architect at RedOwl Analytics. He shared his findings on Tumblr:
“Let me be clear – Pokemon Go and Niantic can now:
• Read all your emails
• Send email your way
• Access all your Google Drive documents (including deleting them)
• View your search history and map navigation history
• Access any private photos you may have stored in Google Photos
• There’s more to come”
That’s not all. According to Reeve, since the game uses email as an authentication mechanism, he believes there is “a good chance of accessing your accounts on other sites as well.”
This level of access is not necessary either. Typically, when developers allow users to sign in through Google, they specify an access level. Usually this is just contact information.
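In a standard Google OAuth 2.0 sign-in, the access level described above is the `scope` parameter of the authorization request. The following is an added example (not from the original article or from Niantic) that checks a captured authorization URL against a basic-profile allowlist. The URLs, client ID and function names are constructed for illustration, and standard OAuth 2.0 is an assumption: the article does not say which sign-in mechanism the game used.

```python
from urllib.parse import urlparse, parse_qs

# Scopes that reveal only identity and email address ("basic profile").
BASIC_SCOPES = {
    "openid",
    "email",
    "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}


def requested_scopes(auth_url: str) -> set:
    """Return the set of scopes in an OAuth 2.0 authorization URL."""
    query = parse_qs(urlparse(auth_url).query)
    scopes = set()
    # 'scope' is a space-delimited list; parse_qs already decodes '+' and %20.
    for value in query.get("scope", []):
        scopes.update(value.split())
    return scopes


def excess_scopes(auth_url: str) -> set:
    """Scopes requested beyond basic profile; an empty set means least privilege."""
    return requested_scopes(auth_url) - BASIC_SCOPES


def review(auth_url: str) -> str:
    """One-line verdict for a sign-in request captured during app review."""
    if not requested_scopes(auth_url):
        return "FAIL: no scope parameter; access level cannot be verified"
    extra = excess_scopes(auth_url)
    if extra:
        return "FAIL: exceeds basic profile: " + ", ".join(sorted(extra))
    return "OK: basic profile only"


# Constructed sample requests (client_id is a placeholder, not a real value).
BASE = ("https://accounts.google.com/o/oauth2/v2/auth"
        "?response_type=code&client_id=EXAMPLE_CLIENT_ID")
MINIMAL = BASE + "&scope=openid+email"
BROAD = BASE + ("&scope=openid%20email%20https%3A%2F%2Fmail.google.com%2F"
                "%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive")

if __name__ == "__main__":
    for url in (MINIMAL, BROAD, BASE):
        print(review(url))
```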
Reeve later tweeted: “It appears to affect some iOS users, not all. Don’t know what the criteria are yet.”
We’ve checked this with the Google account we used on our iPhone 5S, and yes, Pokemon Go was granted full access to our account. This was not the case with our Android version of the game, although at the time of publishing this article, just one user had reported that it does affect the Android version as well. Reeve believes that on “Android, it uses client permissions to get the data, while on iOS, it uses a Google account.”
Still, deleting the game isn’t enough if you don’t want Niantic to have full access to your account. You need to do the following to resolve this issue:
- Sign in to your Google Account.
- View available application permissions here.
- Click on the game to revoke access to the game.
For now, Niantic and the Pokemon Company are keeping quiet about this. Keep in mind that if you decide to venture out to play Pokemon Go again, you’ll need to give it access to your Google account. The game does have an option for you to log in with a Pokemon.com account, but the registration portion of the website has been unavailable since the game’s launch. Hopefully, this situation will be rectified in the coming days as Niantic and The Pokemon Company plan to launch the game globally as soon as possible.
Update, July 12, 2016: Niantic released the following statement:
“We recently discovered that the Pokémon GO account creation process on iOS incorrectly requested full access to the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically your user ID and email address) and does not access or collect other Google Account information.
Once we became aware of the bug, we began working on a client-side fix to only request permissions for basic Google profile information, consistent with the data we actually accessed. Google has confirmed that no other information was received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO permissions to just the basic profile data Pokémon GO requires, without requiring users to take any action on their own.”
