Update: Niantic has issued the following statement:
We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon Go only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected.
Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go’s permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves.
Google lets you see the apps connected to your account in the My Account section of its website, and today we noticed something interesting: Pokémon Go, the new hit smartphone game that’s pretty much taking over the world, is getting full access to many users’ Google accounts. That’s the same privilege that Google Chrome and Chromecast get. Currently, this appears to affect those who have used the Google sign-in feature in the iOS app…
Here’s what Google’s official support document says about apps that have full access to your Google account (emphasis ours):
When you grant full account access, the application can see and modify nearly all information in your Google Account (but it can’t change your password, delete your account, or pay with Google Wallet on your behalf).
Certain Google applications may be listed under full account access. For example, you might see that the Google Maps application you downloaded for your iPhone has full account access.
If you head over to the privacy page on Google’s site, you should see a section titled “Pokemon Go Release” alongside the Authorization date and the option to revoke access. The first thing that comes to mind here is that Niantic and Google are so closely tied that this could just be an accident, but that’s somewhat alarming considering that Niantic spun out of Google as Niantic, Inc. in October 2015.
There’s no obvious reason that the game (which, might I add, is already hot on the heels of Twitter in terms of mobile adoption) should have access to literally all of your Google account. To double-check that this is in fact not normal, we installed Niantic’s sibling game, Ingress (those familiar will know that Pokémon Go is built on basically the same backbone), and found that it only requests the usual “Basic account info” including email address and profile info.
We’ve tested this for several of us here at 9to5, and for the moment, this section of the privacy page on the Google account settings website is only showing up for those who have played on iOS and signed in using the Google button. Android users who used the same login method are not seeing the “Pokemon Go Release” entry at all on the permissions site (nor do they see Ingress), so we’re not sure yet if those users have trusted Niantic with their entire Google account as well.
We’ve reached out to Google and Niantic and we’ll update when we hear back.