While Pokémon GO has become a major phenomenon in less than a week, researcher Adam Reeve has noted a major flaw in the game, calling Pokémon GO “a huge security risk.” Pokémon GO players have two ways to sign on to the game — through a Google Account, or a Pokémon Trainer Club account. The latter is having major problems, so most users are signing on using their Google Account. And as Reeve points out, for some iOS users, Pokémon GO has been granted full access to that account.
This means that the game and/or developer could conceivably read and send email from your account, delete emails and Google Drive documents, and much, much more.
Reeve points out that developer Niantic has “no need to do this.” After all, Niantic’s similar geolocation game, Ingress, only requests basic Google Account information, as pointed out by TouchArcade. While the issue seems to be affecting only some iOS users at this time, we’d recommend that all iOS players revoke the app’s privileges to Google Account access, and refrain from playing the game until Niantic has issued a fix and some sort of explanation, at the very least.
Update: Game maker Niantic has issued a statement that Pokémon GO’s full access to users’ Google accounts on iOS was an error, claiming the game only accesses basic information like User ID and email addresses, and that no other user information has been collected.
“Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access,” the statement reads. “Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go’s permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves.”