07/11/2016 09:55 pm ET Updated Jul 13, 2016

Pokémon Go Admits Data Access Fail, But The Fix Won't Ease Your Privacy Concerns

You may have handed over full access to your Gmail account for a Pikachu, folks.

Remember when you downloaded that hot new app called Pokémon Go three days and thousands of hours ago? Remember when you had to sign in with your Gmail account because you probably didn’t have a pokemon.com username? 

Unfortunately, if you’re playing the augmented reality superhit on an iPhone, this seemingly standard practice may have handed over full access to your Google account ― and all the data in it ― to Niantic, the creator of Pokémon Go.

RedOwl’s Adam Reeve first reported the “huge security risk” several days ago, after he discovered the app had been granted full permission to his Google account. With such access, Pokémon Go could theoretically read all of your email, send an email as you, look at your search history and access photos you store on Google.

Niantic erroneously requested such permission from some iOS users, but Pokémon Go “only accesses basic Google profile information (specifically, your User ID and email address),” a Niantic spokesperson told The Huffington Post. 

“No other Google account information is or has been accessed or collected,” spokesperson Sibel Sunar said in an email. “Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access.”

Sunar said Google will soon modify the permission so that it requests only basic profile data.

Still, the app’s privacy policy says all of this data can be shared with “third-party service providers” to conduct “research and analysis.”

The permissions issue has only been reported for the iPhone app edition of Pokémon Go, and only for some iOS users. I checked my Gmail account on Monday evening and saw this message after downloading the app when it first came out in Australia last week.

Credit: The Huffington Post

You can check your Gmail permissions here and revoke access for the applications that’ve gotten a little too cozy with your data. Niantic says users won’t need to do anything after Google deploys its fix.

As several news outlets have pointed out, users are usually notified before an app gains access to an account like Facebook or Gmail. But, as Reeve found, Pokémon Go definitely doesn’t do this.

Google has cautioned users to grant full account access only “to applications you fully trust.”

Despite the security worries, Pokémon Go has already garnered millions of downloads and caused Nintendo’s stock price to soar. People are spending nearly 45 minutes a day on the app.

Niantic’s privacy policy notes the company takes “appropriate administrative, physical and electronic measures designed to protect the information we collect.” But, as with all such notes, a disclaimer is attached.

“Please be aware, however, that no method of transmitting information over the Internet or storing information is completely secure. Accordingly, we cannot guarantee the absolute security of any information.”
