Pokémon Go having full access to Google accounts was a mistake, fix coming soon

Pokémon Go Security

Update: Pokémon Go has been updated to version 1.0.1 with security fixes.

  • Trainers do not to have to enter their username and password repeatedly after a force logout.
  • Added stability to Pokémon Trainer Club account log-in process.
  • Resolved issues causing crashes.
  • Fixed Google account scope.

The internet blew up on Monday after it was discovered that some Pokémon GO players had unknowingly granted the game's developer Niantic full access to their Google accounts. Signing up for the game using your Google profile grants Nintanic permission to view and modify all the information stored in your account, including your Gmail and Google Drive documents. Users can only sign up to Pokémon GO through Google or with an existing Pokémon Trainer account, which means Niantic has access to a lot of Google profiles.

Niantic quickly responded to the controversy by releasing a statement to ABC on Monday.

"We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon Go only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected."

"Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go’s permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves."

Nobody accused Niantic of knowingly collecting user data because it is hard to believe a company with a hit App Store game would assume it could access millions of Google accounts without being discovered. Even systems architect Adam Reeve, one of the first people to publicaly address the security risk, stated that he didint think Niantic was planning a "global personal information heist." Reeve said the entire ordeal was "probably just the result of epic carelessness," and it looks like he was correct.

As noted in the statement above, Pokémon GO was meant to only accesses basic profile information, and Niantic made a huge error that gave its hit game a black eye. Google will allegedly reduce the permissions in a future update allowing Pokémon trainers across the world to rest easily.

If you are still worried about the security risk, you can sign up for a Pokémon Trainer account at pokemon.com. This account can be used to create and access a Pokémon GO profile without using Google.