If you"ve been paying attention to just about anything over the past few days, you"ve heard of Pokémon GO, the new game that allows you to run around town catching Pokémon.
You"ll notice that when you first load the game, you can sign-in with either a Google or Pokémon Trainer Club account. Due to servers being down and the fact that you can"t create an account through the app, many have opted to sign-in through their Google accounts.
When you give something access to your Google account, you"d typically be prompted to log in, and then you"d be brought to a screen that tells you what permissions you"ll be granting, and then you can choose if you want to accept them or not. This second screen doesn"t seem to appear when signing in through the Pokémon GO game.
As it turns out, the game grants full access to your Google account. Adam Reeve, who discovered the issue, says that this is what Niantic now has access to:
Read all your email
Send email as you
Access all your Google drive documents (including deleting them)
Look at your search history and your Maps navigation history
Access any private photos you may store in Google Photos
And a whole lot more
This is not common behavior, as most apps should only be requesting basic contact information. Reeve doesn"t suspect malicious intent though; however, it is bothersome that Niantic now has a mass of information on its users, and those users have no way of knowing how Niantic safeguards all of that data.
The issue only seems to affect iOS users; however, Android users aren"t without issue. Those that have opted to side-load the APK may have stumbled onto malware.
Update: While Reeve"s report states that this is happening to iOS users, there are also reports of it happening to Android users. Niantic, however, released the following statement:
We recently discovered that the Pokémon Goaccount creation process on iOS erroneously requests full access permission for the user"s Google account. However, Pokémon Go only accesses basic Google profile information (specifically, your user ID and e-mail address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google account information, in line with the data we actually access. Google has verified that no other information has been received or accessed byPokémon Go or Niantic. Google will soon reducePokémon Go"s permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves.
Source: Adam Reeve