Pokémon Go developer working on a fix for iOS account permissions

You might have seen some security concerns about the Pokémon GO app being talked about on social media. These are very valid issues — the application can use its own webview container for login from your Google Account, and once approved it gives itself full access to all of your data.

We reached out to Niantic — which developed the Pokémon Go app. It issued a response to the media late Monday evening. ABC News was among the first to share it on Twitter — and Niantic then issue the same response to Android Central.

The statement reads thusly:

We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user's Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon GO's permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.

Original post follows:

Not good

The good(?) news is that this appears to be an iOS-only issue. On Android, the app appears to use the "right" way to log in with your Google credentials, and it doesn't ask for access to your sensitive account data. You can check for yourself right here. In fact, when we check on an account that hasn't used an iPhone to sign in, the Pokémon GO app isn't even listed as having any access. Don't be alarmed if you see the same thing.

The first concern — the webview container login page — isn't too troubling. Apple has secure methods for apps to do this sort of thing (though Google would rather the user be directed to the default web browser so the URL can be checked) and every app is vetted by Apple staff before it's published. Yes, even Apple can let something slip through, but the account authorization page is legit. We checked. And millions of users have checked.

The second concern — access to all of your Google account data — is much more troubling.

This level of access means that the publisher can see everything. According to Google:

When you grant full account access, the application can see and modify nearly all information in your Google Account (but it can't change your password, delete your account, or pay with Google Wallet on your behalf).

Certain Google applications may be listed under full account access. For example, you might see that the Google Maps application you downloaded for your iPhone has full account access.

This "Full account access" privilege should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet.

And more. Basically, anything you've ever done while signed in with Google, and everything you've ever saved in Drive or Photos is wide open to Niantic and the app itself.

Now we don't think Niantic or Nintendo is going to pore through your account data or look at your photos. But what happens if someone out there finds a way to hack Niantic? With access to the right database, any attacker can have a token that gives them all your "stuff." That's not good. Not good at all.

What we recommend is that you use a separate Google account if you're going to play Pokémon Go on your iPhone. Or you can decide to not play at all and delete the permissions from your Google security page.

The important thing is that you know what's going on.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.