Several news outlets reported on this yesterday.
Here’s the Forbes take:
iPhone users of Pokemon GO, beware: the app has access to your entire Google account. That’s a major problem for fans of the game. Shockingly, there’s no warning about the extensive permissions either. For now, it’s unclear if Android owners are affected, though reports of sporadic Google account access have emerged.
To be clear, the app, as it stands, can read and write emails. It can also view your Google Docs, search history and Maps use. And your private photos. It’ll also take data that’s standard for modern apps, like IP and email addresses. Given the app by necessity has to use location data, Niantic suddenly has access to incredibly private information of millions of individuals across the world.
Keen-eyed security pro Adam Reeve warned about the issue last week, noting that he didn’t receive any warning about the permissions on download. “Now, I obviously don’t think Niantic are planning some global personal information heist. This is probably just the result of epic carelessness,” Reeve wrote. “But I don’t know anything about Niantic’s security policies. I don’t know how well they will guard this awesome new power they’ve granted themselves, and frankly I don’t trust them at all.”
Concerned users can do what Reeve did: revoke accounts and delete the app. They could still enjoy the game, however, and sign up via the website. But that feature is, inexplicably, not currently working. So right now, iPhone users have no option but to either risk their data or kill the app.
Niantic hadn’t responded to a request for comment at the time of publication.
The company has since responded. Via Recode:
Niantic Labs, the company behind the sudden smash-hit game Pokémon Go, says that it never intended for the game to get full access to users’ Google accounts.
According to the company, Google says that the app has not accessed any user data beyond “basic profile information,” and that Google will soon “reduce Pokémon Go’s permission” to only the limited info that it needs to access.
“We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user’s Google account,” the company said in a statement provided to Recode. “Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access.”
Just the latest lesson in the dangers of using tech you don’t understand.