If you spent your weekend wandering around capturing cartoon monsters on your phone, you’re likely one of millions addicted to Pokémon Go, the latest mobile game sensation.
However, if you played the game on an iPhone and signed in with your Google account, you also just handed the keys to your entire Google account to Niantic, the developer behind the game. As pointed out by Adam Reeve, a principal architect at Red Owl analytics, nothing in the sign up process indicates that you’re giving the app full access to your account.
According to the Google help page, this means that the application will now be able to “see and modify nearly all information in your Google account.” That means that Niantic, and anyone who has access to Niantic’s servers, will be able to read and access all your email, your Google drive docs, your search history, your private Google Photos and a lot more. Google’s summary of the permissions reads as follows:
“When you grant full account access, the application can see and modify nearly all information in your Google Account (but it can’t change your password, delete your account, or pay with Google Wallet on your behalf).
Certain Google applications may be listed under full account access. For example, you might see that the Google Maps application you downloaded for your iPhone has full account access.
This “Full account access” privilege should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet.
If you’ve granted full account access to an app you don’t trust or recognize, we recommend that you revoke this permission by clicking the Revoke access button.”
To be clear, this wouldn’t be a problem if you signed up for the game using Pokemon’s own “Trainer Club” account, but Pokemon’s servers appear to be down. If you are successfully able to sign up for a Trainer Club account, you can remove Pokemon Go’s access to your Google account by following these steps:
- Go to your Google Security settings.
- Under Sign-in & Security, click Connected Apps and Sites.
- Click Manage Apps.
- Select Pokémon Go.
- Click Remove and then press OK.
While this full access issue appears to happen predominantly on iOS, a few Android users have reported the same as well.
Pokemon Go has not launched in Canada yet, however the game is set to launch in Canada and additional countries around the world within the coming weeks.
Update July 11, 8:10pm PDT: According to Recode, nothing beyond “basic profile information” has been accessed on Google accounts, according to Niantic, and they will make changes soon:
According to the company, Google says that the app has not accessed any user data beyond “basic profile information,” and that Google will soon “reduce Pokémon GO’s permission” to only the limited info that it needs to access.
“We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account,” the company said in a statement provided to Recode. “Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access.”