
If you signed up for Pokémon Go with your Google account, you might not know it but the game now has "full account access."
That can be a major security risk. Adam Reeve, who first documented the issue on his Tumblr blog, said it appears to be a problem isolated to iPhones and iPads. It's not thought to affect Android devices.
In our testing on two iPhones, the Pokémon Go app didn't explicitly ask permission for full account access when logging in with a Google username and password. By this point, it should have told us what data the app needs. Instead, it simply skipped straight to the app's terms of service, which makes no reference to the full account access.
Under the hood, you've given the app and its creators access to your search history, personal information, Google Photos, everything in Google Drive, search and location history, and more.
Not only can the app read your data, inbox, calendar events, and search history, it can also modify it. That's usually reserved for trusted apps, like browsers and mail clients -- such as Google Chrome -- and not games or most other apps.
Google says on its help pages that the full account access privilege "should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet." Most apps and games generally ask for the minimum requirements, such as your basic contact information.
Niantic, the game's creator, said that "the Pokémon Go account creation process on iOS erroneously requests full access permission for the user's Google account."
"However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected," it read. "Google has verified that no other information has been received or accessed by Pokémon GO or Niantic."
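The gap between what a sign-in flow needs (a user ID and an email address, as Niantic describes) and what "full account access" grants is visible in the OAuth 2.0 authorization request an app sends to Google. The following is an added example, not code from the article or from Niantic: it builds a Google sign-in request URL from a list of scopes and audits any such URL for scopes beyond basic profile identification. The scope strings are standard Google OAuth 2.0 scope identifiers; the client ID and redirect URI are constructed placeholders, and the allowlist of "basic" scopes is this example's own assumption about what a game should need.

```python
from urllib.parse import urlparse, parse_qs, urlencode

# Google's OAuth 2.0 authorization endpoint (the page users are sent to
# when an app asks for consent).
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# Assumption for this example: scopes that only identify the signed-in
# user. `openid`, `email` and `profile` are the current identifiers; the
# two userinfo.* URIs are their older equivalents.
BASIC_PROFILE_SCOPES = {
    "openid",
    "email",
    "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}


def build_auth_request(scopes):
    """Build a consent URL the way a client app would, for a list of scopes.

    client_id and redirect_uri are constructed placeholders; Google expects
    scopes as one space-separated `scope` parameter.
    """
    params = {
        "client_id": "EXAMPLE_CLIENT_ID",          # placeholder
        "redirect_uri": "https://example.invalid/callback",  # placeholder
        "response_type": "code",
        "scope": " ".join(scopes),
    }
    return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params)


def requested_scopes(auth_url):
    """Return the set of scopes an authorization request URL asks for.

    parse_qs decodes both '+' and '%20' back to spaces, so either encoding
    of the space-separated list works. A missing `scope` yields an empty set.
    """
    query = parse_qs(urlparse(auth_url).query)
    raw = query.get("scope", [""])[0]
    return set(raw.split())


def excess_scopes(auth_url):
    """Scopes requested beyond basic profile identification.

    An empty result means the request follows least privilege for a
    sign-in-only use case; anything returned is data access the user should
    expect to be told about on the consent screen.
    """
    return requested_scopes(auth_url) - BASIC_PROFILE_SCOPES


# Constructed sample requests: a sign-in that asks only for identity, and
# one that also asks for Drive and full Gmail access.
MINIMAL_SIGN_IN = build_auth_request(["openid", "email"])
OVERBROAD_SIGN_IN = build_auth_request([
    "openid",
    "email",
    "https://www.googleapis.com/auth/drive",
    "https://mail.google.com/",
])

if __name__ == "__main__":
    for label, url in (("minimal", MINIMAL_SIGN_IN), ("overbroad", OVERBROAD_SIGN_IN)):
        extra = excess_scopes(url)
        print(f"{label}: {'least privilege' if not extra else 'excess scopes: ' + ', '.join(sorted(extra))}")
```

Run as a script it reports the minimal request as least privilege and lists Drive and Gmail for the over-broad one. The same `excess_scopes` check can be pointed at a consent URL captured from a device proxy during a sign-in flow to confirm what an app actually asks for, independently of what its terms of service say.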
The hit augmented reality game debuted earlier this month, and is now said to have more users than Twitter in a fraction of the time.
Many have used their Google accounts because the company is overwhelmed with sign-ups. Because of the massive influx of users in the past week, the account sign-up page is spotty and often unavailable. Given the popularity of the game, many are instead signing up with their Google accounts, but not realizing the massive privacy invasion.
At the time of writing, the Pokémon Trainer Club account page wasn't accepting new sign-ups. By publication, it was open again.
But if that wasn't enough, things get even worse.
The game's privacy policy explicitly states that the data it collects -- including personally identifiable information (PII) -- is "considered to be a business asset." In other words, the policy states that if the company goes out of business or is acquired, so does your personal data.
Now would be a good time to put your privacy first, and your game second.
You can revoke the app's access to your Google account, but the downside is that you may lose your game data.
Here's what you can do
If you did sign up with your Google account, here's how to revoke access:
- Log in to your Google account and open up the "Apps connected to your account" page.
- Scroll down to "Pokemon Go," then hit "Remove Access."
- Confirm by hitting "OK."