Update: Niantic has confirmed in a statement that the pokemon go app is requesting more permissions than necessary, but that it cannot access user information. Google will automatically push a fix to reduce the app’s permissions, and Niantic will release an update to the app to make it ask for fewer permissions in the first place. The full statement:
“We recently discovered that the pokemon go account creation process on iOS incorrectly requests full access permissions for user’s Google account. However, pokemon go only has access to basic Google profile information (particularly your user ID and email address) and no other Google account information has been accessed or collected. Once we became aware of this error, we started working on a client-side solution to only request permission for basic Google account data, consistent with the data we actually have access to. Google verified that no other information was received or accessed by pokemon go or Niantic. Google will reduce soon pokemon go‘s permission to use only the basic profile data that pokemon go needs, and users do not have to take any action themselves.
Original Story: A word of warning if you are playing pokemon go on iOS: Logging into the app through Google currently grants the game full access to your Google account (hat tip to Adam Reeve for discovering the issue). Third-party apps where you sign in with Google often ask for a small subset of permissions based on what they’re supposed to do: view your contacts, view and send email, view and delete Google Drive documents, and so on. But Niantic’s pokemon go The iOS app doesn’t prompt, and with full account access it can theoretically do all those things and more. You can review and revoke permissions pokemon go and any other third-party app on this page.
We have independently verified that the game asks for full account access on iOS, but the Android version doesn’t seem to have the same problem; you can sign in with Google, but the app won’t appear on the permissions page. And, of course, you don’t need to use a Google account to play pokemon go—An account created through the Pokémon site will also work. However, that site is currently having server issues and you may not be able to create an account at this time if you don’t already have one.
It’s very likely that this is a mistake or error rather than an intentional, malicious move on Niantic’s part, but we’ve reached out to the company for more information and will update the article if we receive a response. Hopefully an app update can fix the privacy and security issues.
Frame image by Andrew Cunningham