We warned you about the Pokémon GO app permissions from the APK versions of it that users were downloading outside its official release regions, but now it looks like the original app maker had included one permission that was putting users’ security at risk, access to your Google account.
Mashable reports that the Pokémon GO developer acknowledged the existence of this permission in a statement:
‘We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.
Security experts are concerned about just how much data the developers have access to from this permission. If a user has not checked their app permissions yet, they should and look for this specific permission:
Google warns against granting ‘Full Access’ to apps unless you completely trust them. On its support page it says:
When you grant full account access, the application can see and modify nearly all information in your Google Account (but it can’t change your password, delete your account, or pay with Google Wallet on your behalf).
Certain Google applications may be listed under full account access. For example, you might see that the Google Maps application you downloaded for your iPhone has full account access.
This “Full account access” privilege should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet.
If you’ve granted full account access to an app you don’t trust or recognize, we recommend that you revoke this permission by clicking the Revoke access button.
If this full access to users’ Google accounts is manipulated, it could lead to access to other sites/applications linked to your Google account, increasing the chances of data theft, ID theft and password compromisition.
Check if your Pokémon GO app has full access here.