Pokémon Go is experiencing a momentous launch week, with an estimated 7.5 million downloads and nearly as many daily active Android users as Twitter in the United States. The rollout has not been entirely smooth, however, as the game has indirectly been at the center of crimes, robberies, and even car accidents.
Now, an even bigger potential concern has arisen, as systems architect Adam Reeve has discovered that Pokémon Go grants full access to a user's Google account linked during the iOS sign-up process. Players can alternatively link a Pokemon.com account, but the website is currently experiencing issues for many users.
When granted full account access, Pokémon Go developer Niantic is theoretically capable of viewing and modifying nearly all information stored in your Google account, including your Gmail messages, Google Drive documents, Google Maps navigation history, search history, and personal photos stored on Google Photos.
Now, I obviously don't think Niantic are planning some global personal information heist. This is probably just the result of epic carelessness. But I don’t know anything about Niantic’s security policies. I don't know how well they will guard this awesome new power they’ve granted themselves, and frankly I don't trust them at all. I've revoked their access to my account, and deleted the app. I really wish I could play, it looks like great fun, but there's no way it's worth the risk.
It remains unclear what information, if any, Niantic is actually collecting from users, but the permissions are concerning given the company's history.
Niantic was formed by Keyhole founder John Hanke in 2010 as an internal startup at Google, until it was spun out as an independent entity in October 2015. Google then partnered with The Pokémon Company and Nintendo to invest up to $30 million in Niantic, so it has a remaining interest in the company.
Google is known to collect and track data from its users, fueling the privacy and security concerns. Niantic told Ars Technica that it has "no comment to share at the moment" about the issue, prompting some players to uninstall the game until the potential privacy implications are addressed.
Pokémon Go is available as a free download on the App Store [Direct Link] in the United States, Australia, and New Zealand, but anyone can install the app now with a U.S. iTunes account. The game is expected to expand to the U.K. and additional countries in the near future. Read more about Pokémon Go here.
Update: Niantic tells The Verge that the company did not intend to request full Google account access and will issue a client-side fix to reduce the number of permissions.
"We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon Go only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go’s permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves."