What Pokémon Go Fans Should Know About Google Account Privacy

The augmented reality mobile game "Pokemon Go" by Nintendo is shown on a smartphone screen in this photo illustration taken in Palm Springs, California U.S. July 11, 2016. REUTERS/Sam Mircovich

The popular Pokémon Go game raised major red flags for privacy and security advocates Monday, as security researcher Adam Reeve revealed Pokémon weren't the only things captured by the app. For some users and their data, the app itself had gained some pretty epic Google account permissions -- without their knowledge or consent.

According to Reeve, iOS users who signed up to play Pokémon Go with their Google Accounts unwittingly gave the app "full access" permission for the account. For most apps, Pokémon Go included, this level of access is unnecessary and poses a threat to both the users' privacy and security.

Google's support pages describe full access as a powerful permission that allows the application to "see and modify nearly all information in your Google Account."

Slack security engineer Ari Rubinstein dug into the issue further to discover just what "full access" means. According to Rubinstein, full access gives the Pokémon Go game a special token that on its own isn't a problem; it's what Pokémon Go uses to authenticate players' usernames for logins. This token, however, can be exchanged with Google for an even more powerful token called uberauth. With uberauth, the app gains the ability to open any of your Google properties (Gmail, Calendar, Google Docs, etc.) and do things like create or edit documents or read and send emails.

In a statement on the Pokémon Go support page, Niantic fully acknowledged the mistake, assuring users it is working with Google on a fix:

"We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user's Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO's permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves."

Users who still feel uneasy about Pokémon Go having full access to their accounts, however, do have options. By visiting the Google account security page and scrolling down to connected apps and sites, you can see which apps have full access to your Google Account. If Pokémon Go is one of them, simply click the Manage Apps button, click on Pokémon Go and press the "Remove" button. This will remove all permissions for your Google account.

You won't be able to access your progress on your old account if you do this, but you can wait until Google updates the permissions and return to the game once you're comfortable. In the meantime you can create a new account through the Pokémon Trainer Club or a dummy Gmail address, but the progress won't sync up if you return to your original login.

If you are an iOS Pokémon Go player and used your Google account to sign up for the game, this news is likely disconcerting. However, according to Security Mouse Lab founder and researcher Don Bailey, users can rest in relative ease.

"Google has and continues to verify that Niantic has not abused its access to Google users' accounts," Bailey told Newsweek. "Google isn't a stupid company. They have exceptional security engineers and have set up a strict permissions model and system for monitoring application abuses. If Google is backing Niantic's claim that no abuses have occurred, I believe them."