You may have given 'Pokémon GO' the right to read your Gmail

Kif Leswing
Updated
Team Rocket
Team Rocket

Pokemon/BI Screenshot

People who sign up for "Pokémon GO" to catch them all could end up giving all their personal data away. 

The hit game asks for a surprising amount of permission to access users' Google accounts, the internet discovered on Monday. Redowl engineer Adam Reeve has the best writeup on his blog

Basically, if you log into "Pokémon GO" through your Google account on an iPhone — which is the first option provided — it gives "full access" to your account. According to Google's help page, that should only be "granted to applications you fully trust."

Here's some stuff that "Pokémon GO" can do with that level of permission, according to Reeve

  • Read all your email

  • Send email as you

  • Access all your Google drive documents (including deleting them)

  • Look at your search history and your Maps navigation history

  • Access any private photos you may store in Google Photos

I went through my Google permissions and found that I had unwittingly given "Pokémon GO" permission to my entire account — and I'm pretty sure I never agreed to do anything like that. That's the same level of permission that I give to Google Chrome, my browser. 

Pokemon Go Permission
Pokemon Go Permission

Pokemon/BI Screenshot

Niantic, the developer behind "Pokémon GO," doesn't need all that permission — other sites have "sign in with Google" without asking for, say, email permission. This doesn't mean that Niantic is collecting users' emails, but the Google permission means that they potentially have the ability to. 

The "Pokémon GO" privacy policy says that Niantic may collect users' IP address, email address, and other personal information.  

Here's what Google has to say about "full access:"

When you grant full account access, the application can see and modify nearly all information in your Google Account (but it can’t change your password, delete your account, or pay with Google Wallet on your behalf).

Certain Google applications may be listed under full account access. For example, you might see that the Google Maps application you downloaded for your iPhone has full account access.

Reeve writes

Now, I obviously don’t think Niantic are planning some global personal information heist. This is probably just the result of epic carelessness. But I don’t know anything about Niantic’s security policies. I don’t know how well they will guard this awesome new power they’ve granted themselves, and frankly I don’t trust them at all.

On Android, many users are reporting that they can play "Pokémon GO" without giving the company full access to their Google accounts. 

Niantic used to be part of Google before it was spun off last year, so its developers likely know how Google's authentication works. If this is an oversight or a bug, you can expect it to be changed soon — so you won't need to hand over access to your mail and photos to catch some pocket monsters. 

You can check your Google permissions here

NOW WATCH: 13 tips for becoming a 'Pokémon GO' master

  • Up next
  • Up next
  • Up next
  • Up next

Latest stories