Pokémon Go to remove full access to Google accounts

The hit AR game's developer Niantic claims that full access to a user's Google account was an error and that only basic Google profile information has been obtained.
Written by Jonathan Chadwick, Contributor

A permissions update to augmented reality game app Pokémon Go means it will no longer have full access to iOS users' Google accounts.

The app obtained full account access, without prompting for it, when a user signed in with a Google username and password. That level of access is usually reserved for trusted apps, not for games.

The app's support page says Niantic "recently discovered" that the app erroneously requested full access to Google accounts at the start of the account creation process on iOS (iPhone and iPad), and that once it became aware of the error it began work on a client-side fix to reduce the requested access to basic profile information.

According to the post, Google has verified that no user information other than basic Google profile information, specifically the user ID and email address, had been accessed by Pokémon Go or by Niantic.

Niantic added that the changes will be implemented "soon", and that users need not take any action themselves to enforce changes.

Ari Rubinstein, of Product Security at Slack, noted in a blog post that the full access was most likely an honest mistake.

"There is an undocumented flow of being able to exchange a token with the https://www.google.com/accounts/OAuthLogin scope for a session token for google properties," he said. "I believe this is a mistake on Google and Niantic's part, and isn't being used maliciously in the way that was originally suggested.

"Given that Google is going to be retroactively re-scoping tokens to remove this possibility, Pokémon Go should be safe to play in the next couple of days on iOS, or even now."

He later said that users can force the change themselves by downloading the update and reauthorising the app.
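The client-side fix Niantic describes amounts to re-scoping the OAuth authorization request. As an added example (not Niantic's code, and not from the original article), here is a small Python check that a Google OAuth request asks only for basic profile scopes. The overbroad scope string is the one Rubinstein names above; the allow-list of basic scopes, the client ID, the redirect URI and the sample requests are assumptions for illustration.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Google's OAuth 2.0 authorization endpoint (publicly documented).
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# Scopes that yield only basic profile data (user ID and email address),
# which is all a game sign-in needs. Used here as the allow-list (assumption).
BASIC_SCOPES = {"openid", "email", "profile"}

# The undocumented scope named in the article, exchangeable for a full session.
FULL_ACCESS_SCOPE = "https://www.google.com/accounts/OAuthLogin"


def build_auth_request(client_id, redirect_uri, scopes, state):
    """Build an authorization-code request URL for the given scope list."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def requested_scopes(auth_url):
    """Return the set of scopes an authorization URL asks for."""
    query = parse_qs(urlparse(auth_url).query)
    scope_param = query.get("scope", [""])[0]
    return set(scope_param.split())


def excess_scopes(auth_url, allowed=BASIC_SCOPES):
    """Return the requested scopes that go beyond the allow-list.

    An empty set means the request is least-privilege; anything else is a
    scope a reviewer should challenge before the app ships.
    """
    return requested_scopes(auth_url) - set(allowed)


if __name__ == "__main__":
    # Constructed sample client values; not real credentials.
    cid = "example-client-id.apps.googleusercontent.com"
    redirect = "com.example.game:/oauth2redirect"

    # "Before": basic scopes plus the full-session scope.
    broken = build_auth_request(cid, redirect, ["openid", "email", FULL_ACCESS_SCOPE], "s1")
    # "After": basic scopes only.
    fixed = build_auth_request(cid, redirect, ["openid", "email"], "s1")

    print("excess scopes in broken request:", excess_scopes(broken))
    print("excess scopes in fixed request:", excess_scopes(fixed))
```

The same check can be applied at runtime to the `scope` field Google returns with the token response, so that a server rejects any token granted with more than the basic scopes rather than trusting that the client asked correctly.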

ZDNet found that, instead of explicitly asking permission for full account access, the app skipped straight to the terms of service. With full access granted, the app could reach a user's inboxes, personal information, Google Drive, and search and location history, and could read and modify that data.

In addition to this, based on information given in the game's privacy policy, it could also acquire and sell your personal data. The policy states that "information that we collect from our users, including PII, is considered to be a business asset".

It adds that in the event of going out of business or being acquired, "some or all of our assets, including your (or your authorized child's) PII, may be disclosed or transferred to a third party acquirer in connection with the transaction".

The game debuted earlier this month and is said to have more users than Twitter.
