[Update] Pokémon Go Update Fixes Google Account Security Issue
Update 3: A patch for the Android version of Pokémon Go is now rolling out. You may not see it yet, but you'll soon be updated to the very best version.
Update 2 (July 12, 2016 @ 1:16 p.m. Central): Niantic and The Pokémon Company have pushed an update for Pokémon Go on iOS devices. The headlining update is the change to the Google account permissions scope that caused security concerns yesterday.
Also included in the patch is enhanced support and stability for Pokémon Trainer login, fixes for some elements causing crashes, and a fix for having to enter your login information after a hard crash.
Upon loading the game after the update, Pokémon Go asked for permission to send push notifications. Hopefully, this means you'll get formal notifications when a Pokémon is nearby and ready for capture, when gyms change hands, and more.
Update 1 (July 11, 2016 @ 8:14 p.m. Central): Niantic has responded to our request for comment on this matter. You can see the company's response to how Pokémon Go uses your Google account information in its entirety below.
We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.
If you installed Pokémon Go on your iOS or Android device, you inadvertently gave it access to your entire Google account. Fear not though, it’s an easy thing to fix.
In order to revoke access, you’ll want to log into your Google account via PC or mobile (via this link). There, you can see which applications have access and to what degree.
Reports indicate that revoking access doesn’t interfere with the game. However, we have not fully tested this, and it’s possible you might run into a problem down the road.
The issue here isn’t so much that Pokémon Go has set itself up for access to your account. It’s that there’s no notification it’s doing so upon account creation or login.
We’ve inquired about what the app actually needs and how it uses its access. We’ll update should we hear back from The Pokémon Company.
Update: This problem appears to be largely focused on iOS devices, with some reports suggesting that a limited number of Android users are also experiencing the issue. Additionally, this seems to be a problem tied only to logging in with a Google account. Those opting (and able to secure) a Pokémon Trainer account should not be affected. Finally, if you do revoke access and log in again with a Google account, it appears access is re-authorized.
[Source: Adam Reeve on Tumblr]
This might be completely innocent, but there should be notification when an application can access your email, storage, contacts, and more. Some of these things (like storage and contacts) make perfect sense for an app with such a strong social component. However, given that this slid in under the radar, I’m curious to hear how The Pokémon Company and Niantic explain this.