Pokémon Go may have full access to your Google account

The app doesn't always gain explicit permission when iPhone and iPad users sign up to the game with their Google account.
Written by Zack Whittaker, Contributor

If you signed up for Pokémon Go with your Google account, you might not know it, but the game now has "full account access."

That can be a major security risk. Adam Reeve, who first documented the issue on his Tumblr blog, said it appears to be a problem isolated to iPhones and iPads. It's not thought to affect Android devices.

In our testing on two iPhones, the Pokémon Go app didn't explicitly ask permission for full account access when logging in with a Google username and password. By this point, it should have told us what data the app needs. Instead, it simply skipped straight to the app's terms of service, which makes no reference to the full account access.

Under the hood, you've given the app and its creators access to your personal information, Google Photos, everything in Google Drive, search and location history, and more.

Not only can the app read your data, inbox, calendar events, and search history, it can also modify them. That level of access is usually reserved for trusted apps, like browsers and mail clients -- such as Google Chrome -- and not games or most other apps.

Google says on its help pages that the full account access privilege "should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet." Most apps and games generally ask for the minimum requirements, such as your basic contact information.

Niantic, the game's creator, said that "the Pokémon Go account creation process on iOS erroneously requests full access permission for the user's Google account."

"However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected," it read. "Google has verified that no other information has been received or accessed by Pokémon GO or Niantic."

The hit augmented reality game debuted earlier this month, and is now said to have more users than Twitter in a fraction of the time.

Many have used their Google accounts because the company is overwhelmed with sign-ups. Because of the massive influx of users in the past week, the account sign-up page is spotty and often unavailable. Given the popularity of the game, many are instead signing up with their Google accounts, without realizing the massive privacy invasion.

At the time of writing, the Pokémon Trainer Club account page wasn't accepting new sign-ups. By publication, it was open again.

But if that wasn't enough, things get even worse.

The game's privacy policy explicitly states that the data it collects -- including personally identifiable information (PII) -- is "considered to be a business asset." In other words, the policy states that if the company goes out of business or is acquired, your personal data goes with it.

Now would be a good time to put your privacy first, and your game second.

You can revoke the app's access to your Google account, but the downside is that you may lose your game data.

Here's what you can do

If you did sign up with your Google account, here's how to revoke access:

  1. Log in to your Google account and open up the "Apps connected to your account" page.
  2. Scroll down to "Pokemon Go," then hit "Remove Access."
  3. Confirm by hitting "OK."