Pokémon Go raises security concerns among Google users (update)

The mobile hit has full access to players' accounts

Pokémon Go is the subject of security concerns as Google users discover that the game has full access to their accounts. A Tumblr post by Adam Reeve, who works for a security analytics firm, drew attention to the level of account permissions the game has by default, revealing that players who sign in through Google grant Pokémon Go developer Niantic Labs access to the entirety of their account data.

When launching the game, players can choose to sign in either through Google — the previous owner of Niantic Labs — or through the Pokémon Trainer Club. The latter site has currently suspended new account registration, leading many to log in with their Google accounts. Yet doing so doesn't prompt a pop-up indicating what information Niantic Labs will have access to through this method; instead, the game loads without giving the user a chance to edit permissions.

Looking at the security permissions tied to a Pokémon Go player's account shows that the game has "full account access" automatically. For iOS users, there's no option to edit these permissions; the only option is to revoke access entirely.

For people playing on Android, the game doesn't show up under Google account security permissions at all. The Google Play store includes a list of information Pokémon Go may have access to, however, including "accounts on the device" and "full network access."

"When you grant full account access, the application can see and modify nearly all information in your Google Account," according to Google's help page. "This 'Full account access' privilege should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet."

In the game's privacy policy, Niantic Labs details what much of the information it collects will be used for.

"We collect certain information that your (or your authorized child's) mobile device sends when you (or your authorized child) use our Services, like a device identifier, user settings, and the operating system of your (or your authorized child's) device, as well as information about your use of our Services while using the mobile device," the policy reads. "We may use this information to provide the Services and to improve and personalize our Services for you (or your authorized child)."

These include The Pokémon Company, service providers and other third-parties. Players can email Niantic Labs to modify or rescind their consent to their information being shared between these sources, but in doing so may lose access to elements of the game. More information can be found on the company's website.

We've reached out to Niantic Labs about the access it has to players' accounts and will update accordingly. For now, learn more about Pokémon Go in our FAQ, and consult our tips on how to lower its overall data consumption.

Update: Niantic issued a statement to Polygon regarding iOS users giving Pokémon Go full access to their accounts by signing up for the game. The full response can be found below.

We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user's Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO's permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.

