A blog post from software architect Adam Reeve last night stated that Pokemon Go's Google account settings gives Niantic full access to your emails and documents. This is actually not the case, while Pokemon Go is using Google's 'full account access,' this doesn't actually grant anyone these specific permissions.
In a statement given to Gizmodo on the matter, Google says "In this case, we checked that the Full account access permission refers to most of the My account settings. Specific actions such as sending emails, modifying folders, etc, require explicit permissions to that service (the permission will say 'Has access to Gmail') ." This basically means that you can sleep easy and Niantic isn't paddling about in your Google docs and mail. However, the team is dialling back the access just to basic, as that's all it was always using.
Here's the full statement given to Kotaku from Niantic:
"We recently discovered that the Pokemon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokemon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected."
"Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokemon GO’s permission to only the basic profile data that Pokemon GO needs, and users do not need to take any actions themselves."
So don't worry, carry on training, people.
If you're just starting out, here's some Pokemon Go tips, find out what it's like to live in a house that's also a Pokemon Gym and read how the future of Pokemon Go means we'll be trading with friends soon. Plus, here's why your local landmarks are Pokestops in the game.
Pokemon Go has quickly taken over the lives and towns of countless players since it started rolling out last week, but it could also literally take over your digital life. Multiple players, including myself, have discovered that signing into the game on iOS via Google grants Pokemon Go full access to your account.
Software architect Adam Reeve was the first I saw to publicly cry foul about the issue in an informative blog post. The problem isn't that Pokemon Go can use your Google Account to sign in - it makes sense, since it uses a lot of Google technology - the problem is that it automatically gives itself way more access to your Google Account than it should ever need. Here's the description of what giving an app something full account access does from a Google support page: "When you grant full account access, the application can see and modify nearly all information in your Google Account (but it can’t change your password, delete your account, or pay with Google Wallet on your behalf)."
The issue seems to be limited to people who play the game on iOS, and not everyone's account has been affected. You can check yours on Google's account security page - if you see "Pokemon Go Release" listed and it "Has full access to your Google Account", you can revoke it right from there. But if you ever sign out from the game and log back in, it will get full access again. You could avoid the issue by signing in with a Pokemon Trainer Club account from Nintendo, but the club is limiting new sign-ups at the moment because of high traffic.
It's doubtful that developer Niantic Labs intends to do anything malicious with all this access. It was probably just an oversight. But intentions aside, if any malicious folks hack their way in from the outside, they could get an unparalleled level of access to your sensitive information. You can decide how serious the problem is for yourself, but I'm going to bid farewell to my menagerie of GPS monsters until Niantic fixes this.
Seen something newsworthy? Tell us!