If you spent your weekend wandering around capturing cartoon monsters on your phone, you're likely one of the millions addicted to Pokémon Go, the latest mobile game sensation. But if you played the game on an iPhone and signed in with your Google account, you also just handed the keys to your entire Google account to Niantic, the developer behind the game. As pointed out by Adam Reeve, a principal architect at RedOwl Analytics, nothing in the sign-up process indicates that you're granting the app full access to your account.
Indeed, according to Google's help page, full account access means the application can "see and modify nearly all information in your Google account." In practice that means Niantic, and more importantly anyone who gains access to Niantic's servers or the tokens stored on them, could read your email, your Google Drive documents, your search history, your private Google Photos and a lot more. To be clear, this isn't a problem if you signed up for the game with a Pokémon Trainer Club account instead, but the Trainer Club servers appear to be down. And while the full-access grant appears to happen predominantly on iOS, a few Android users have reported it as well.
We've reached out to Niantic and to Google for more information about what happened here. Right now, we hear they're still trying to clarify what's going on, and we'll update you on their response if we get one. For now, however, we recommend revoking Pokémon Go's full account access by heading to the connected-apps permissions page for your Google account and clicking "Remove." The game should keep working while you have it open, but you'll probably have to reauthorize (and re-revoke) on future sign-ins.
Update: Good news! Niantic Labs and The Pokémon Company issued a response to Engadget, confirming that the app is not actually reading your email. It still holds far more access than the game needs, and the company says that while it works on a client fix that requests only the correct permission, Google will reduce Pokémon Go's access on its end "soon."
Just in case there's any remaining confusion about what the app does or doesn't have access to, enter Slack security dev Ari Rubinstein. He tested the OAuth token Pokémon Go obtains to see what it can actually reach in a Google account, and posted the results on GitHub. His conclusion is that the problem is more likely the app's use of an out-of-date sign-in API, which caused Google to display a message saying the app had "full access" to your account, even though the token does not carry permission to read things like your email or calendar even if the app wanted to.
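The test Rubinstein ran boils down to one question: what scopes does the issued token actually carry, as opposed to what the consent screen said? Google's tokeninfo endpoint answers that directly. The script below is an added example for this article, not Rubinstein's gist or Niantic's code; it fetches the token's scope list (or works from a saved response) and compares it against the two scopes needed for the data Niantic says it uses, a user ID and an email address. The two sample responses, the client ID and the email address in them are constructed for illustration, and the list of "sensitive" scope families is an illustrative subset chosen here, not an exhaustive one.

```python
import json
import urllib.parse
import urllib.request

# Google's documented token introspection endpoint. Only fetch_tokeninfo()
# touches the network; audit_scopes() works on an already-parsed response,
# so the rest of this example runs offline.
TOKENINFO_URL = "https://oauth2.googleapis.com/tokeninfo"

# What a sign-in flow needs for the data Niantic says it uses (user ID and
# email). Both the OIDC short names and the older userinfo.* identifiers
# are accepted so either style of client passes the audit.
MINIMAL_SCOPES = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

# Scope families that reach into mailbox, files, calendar or photos.
# Illustrative subset chosen for this example, not an exhaustive list.
SENSITIVE_PREFIXES = (
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/calendar",
    "https://www.googleapis.com/auth/photoslibrary",
)


def fetch_tokeninfo(access_token: str) -> dict:
    """Ask Google what an access token is good for (network call)."""
    query = urllib.parse.urlencode({"access_token": access_token})
    with urllib.request.urlopen(f"{TOKENINFO_URL}?{query}", timeout=10) as resp:
        return json.load(resp)


def audit_scopes(tokeninfo: dict, minimal: set = MINIMAL_SCOPES) -> dict:
    """Split the token's granted scopes into needed / excess / sensitive.

    tokeninfo is the parsed JSON from the tokeninfo endpoint; its "scope"
    field is a space-separated list of scope identifiers.
    """
    granted = set(tokeninfo.get("scope", "").split())
    needed = granted & minimal
    excess = granted - minimal
    sensitive = {s for s in excess if s.startswith(SENSITIVE_PREFIXES)}
    return {
        "granted": sorted(granted),
        "needed": sorted(needed),
        "excess": sorted(excess),
        "sensitive": sorted(sensitive),
        "over_privileged": bool(excess),
    }


def describe(result: dict) -> str:
    """One-line verdict suitable for a report or a CI check."""
    if not result["over_privileged"]:
        return "OK: token carries only the minimal sign-in scopes"
    return "EXCESS SCOPES: " + ", ".join(result["excess"])


# Constructed sample responses (not real tokens, client IDs or Niantic data).
# SAMPLE_MINIMAL is what a client asking only for profile + email gets back.
SAMPLE_MINIMAL = {
    "azp": "example-client-id.apps.googleusercontent.com",
    "aud": "example-client-id.apps.googleusercontent.com",
    "scope": "openid https://www.googleapis.com/auth/userinfo.email "
             "https://www.googleapis.com/auth/userinfo.profile",
    "expires_in": "3599",
    "email": "trainer@example.com",
}

# SAMPLE_BROAD is what a token with real mailbox and Drive reach would
# look like, i.e. what the "full access" consent screen implied.
SAMPLE_BROAD = {
    "azp": "example-client-id.apps.googleusercontent.com",
    "aud": "example-client-id.apps.googleusercontent.com",
    "scope": "openid https://www.googleapis.com/auth/userinfo.email "
             "https://www.googleapis.com/auth/gmail.readonly "
             "https://www.googleapis.com/auth/drive",
    "expires_in": "3599",
    "email": "trainer@example.com",
}


if __name__ == "__main__":
    for label, sample in (("minimal", SAMPLE_MINIMAL), ("broad", SAMPLE_BROAD)):
        print(label, "->", describe(audit_scopes(sample)))
```

To check a live token, pass the value returned by the app's sign-in flow to `fetch_tokeninfo()` and hand the result to `audit_scopes()`. The point of the exercise is the one Rubinstein's tweet makes: the consent screen is rendered from the scope identifiers the client requests, while tokeninfo reports what the issued token can actually do, and when a client uses a legacy identifier those two views can disagree. Only the second one tells you what an attacker holding the token could read.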
Niantic's full statement:
We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user's Google account. However, Pokémon Go only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go's permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves.
Stop Pokemon Go-ing crazy, it's OK to play. The truth about pokemon tokens (tldr: UI is important too): https://t.co/oE9p7ZmRUI— Ari (@arirubinstein) July 12, 2016