People who sign up for Pokemon Go to catch them all could end up giving all their personal data away.
The hit game asks for a surprising amount of permission to access users' Google accounts, the internet discovered on Monday. RedOwl engineer Adam Reeve has the best writeup on his blog.
Basically, if you log into Pokemon Go through your Google account on an iPhone — which is the first option provided — it gives "full access" to your account. According to Google's help page, that should only be "granted to applications you fully trust."
I went through my Google permissions and found that I had unwittingly given Pokemon Go permission to my entire account — and I'm pretty sure I never agreed to do anything like that. That's the same level of permission that I give to Google Chrome, my browser.
Niantic provided the following statement to Recode:
We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.
When you grant full account access, the application can see and modify nearly all information in your Google Account (but it can’t change your password, delete your account, or pay with Google Wallet on your behalf).
Now, I obviously don’t think Niantic are planning some global personal information heist. This is probably just the result of epic carelessness. But I don’t know anything about Niantic’s security policies. I don’t know how well they will guard this awesome new power they’ve granted themselves, and frankly I don’t trust them at all.
On Android, many users are reporting that they can play Pokemon Go without giving the company full access to their Google accounts.
Niantic used to be part of Google before it was spun off last year, so its developers likely know how Google's authentication works. If this is an oversight or a bug, you can expect it to be changed soon — so you won't need to hand over access to your mail and photos to catch some pocket monsters.