To say Pokémon GO is wildly popular would be a vast understatement. To say the app’s use of your Google Account is wildly insecure would also be a vast understatement. You should revoke its access to your account now. (But don’t worry, there’s a way to keep playing.)
Update: Niantic has released a patch that fixes this problem. We’ll be leaving this article here for posterity, but as long as you have the latest version of Pokémon GO on your device, you should be free of the concerns outlined below.
What’s the Big Deal?
Pokémon GO is insanely popular. It’s a free-to-play mobile game, developed by Niantic on Nintendo’s behalf, and is available for both iOS and Android. In the first few days since it was released, it has been downloaded millions upon millions of times, skyrocketed up the mobile app charts, and given investors such a confidence boost in Nintendo that Nintendo stock surged 7.5 billion dollars and the company saw the biggest single-day surge in stock value that it’s seen since 1983.
So what’s the problem? The game plays it pretty fast and loose with the security of your Google account.
The game allows you to create either a Pokémon account (a third party account designed expressly for Pokémon GO and other Pokémon stuff) or to use your Google account. Almost everyone is opting to use their Google account because the Pokémon account system is getting slammed with too much traffic.
That shouldn’t be a big deal, right? Tons of websites allow you to use your Google account for credentials instead of creating a separate login. But here’s the problem: unlike other apps and websites that only grab permissions for a few things, blogger Adam Reeve pointed out that Pokémon GO is given full access to your Google account–and it takes it without even asking you.
Yes, you read that right: Full. Access. As a result, the app can, according to Google, “see and modify nearly all information in your Google Account” (though it can’t change your password, delete your account, or pay with Google Wallet on your behalf). What exactly this means is very unclear (thanks, Google), but it is undoubtedly an overreach, as Pokémon GO should not require nearly that level of permission. If you want to check your own account, log into your Google account and visit this URL to check your permissions.
So far, this problem appears to mostly affect iOS devices. Although there are reports floating around about some Android devices being affected too, we were unable to replicate it on any of our Android devices–but it’s almost definitely happening to some phones. We were able to replicate it consistently on iOS.
So is Niantic secretly thieving data on purpose? We think it’s unlikely. It’s probably just a simple (albeit very, very stupid) oversight on their behalf rather than something nefarious. After all, Pokémon GO unseated the top two iOS freemium games in a matter of days. Using just the iOS charts as an indicator combined with estimated income of the two unseated games (Mobile Strike and Game of War), we can safely assume the game is pulling down millions of dollars a day. Who needs to be a criminal when people throw bricks of money at your head?
Jest aside, let’s take a look at what you should do immediately and what you should do to keep playing the game if you can’t stand to be away from it.
Update: This article originally claimed that, according to Reeve, the app could “read your email, send email from your address, see your contacts, grab your files and photos from Google Drive”. While talking to Gizmodo, however, Reeve backtracked on this, saying he was not “100 percent sure” his claims were true. They very well could be, but Google’s description is very, very vague. We’ve updated the information above to reflect this. In addition, Niantic has issued a statement to Engadget–they did not expand on what those permissions entailed, though they claimed they only use it to access your user ID and email address. They will soon be issuing a fix that reduces Pokémon GO’s permissions to the correct level.
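The underlying problem is a sign-in app holding far broader permissions than the identity-only scopes (user ID and email) it says it needs. The following is an added example, not code from the article or from Niantic: it parses a constructed tokeninfo-style response (Google’s tokeninfo endpoint reports granted scopes in a space-separated “scope” field) and flags any scope beyond the identity-only set. The sample scopes are made up for illustration, not what Pokémon GO was actually granted.

```python
"""Audit the OAuth scopes granted to a third-party app against the scopes it
claims to need. Sample data below is constructed for illustration; it is not
a real Pokémon GO token or a real Google response."""
import json

# Identity-only scopes a "Sign in with Google" login needs (user ID + email).
IDENTITY_SCOPES = {
    "openid",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

# Constructed tokeninfo-style response. The scope list is invented for the
# example (full Gmail and Drive access) to show what overreach looks like.
SAMPLE_TOKENINFO = json.dumps({
    "aud": "example-client-id.apps.googleusercontent.com",
    "email": "superawesomepokemontrainer2016@gmail.com",
    "scope": "openid https://www.googleapis.com/auth/userinfo.email "
             "https://mail.google.com/ https://www.googleapis.com/auth/drive",
    "expires_in": 3599,
})


def granted_scopes(tokeninfo_json):
    """Parse a tokeninfo JSON document into the set of granted scopes."""
    info = json.loads(tokeninfo_json)
    return set(info.get("scope", "").split())


def excess_scopes(tokeninfo_json, needed=IDENTITY_SCOPES):
    """Return the scopes granted beyond what the app needs, sorted."""
    return sorted(granted_scopes(tokeninfo_json) - set(needed))


def audit(tokeninfo_json, needed=IDENTITY_SCOPES):
    """Return (verdict, excess): 'least-privilege' if nothing beyond the
    needed scopes was granted, otherwise 'overreach' plus the extra scopes."""
    extra = excess_scopes(tokeninfo_json, needed)
    return ("overreach" if extra else "least-privilege", extra)


if __name__ == "__main__":
    verdict, extra = audit(SAMPLE_TOKENINFO)
    print(verdict)
    for scope in extra:
        print("  revoke or narrow:", scope)
```

Any scope the audit lists is one to revoke on the Google permissions page or, if you are the app developer, to drop from the sign-in request.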
How to Revoke Pokémon GO’s Access to Your Google Account
As we noted in the previous section, you can easily and immediately check the status of app and service permissions on your Google account. Uninstalling the game will not revoke the access granted to the game. You must log in to the Google account permissions page and look for the entry “Pokemon Go Release”. Click on it for a detailed view and then, as seen in the screenshot below, click the giant “REMOVE” button.
Note that when we tested this on our Android devices, we didn’t see the Pokemon Go Release option show up at all. As far as we know, if you don’t see “Pokemon Go Release”, you are unaffected by the problem.
Clicking Remove will immediately revoke the app’s access to your Google account. Unsurprisingly, this also means the app will stop working (although some users on Twitter have reported the ability to continue playing after the revocation–if that’s you, congratulations, you are lucky). In our tests, the app either crashes the next time you open it, or demands you log in again. In some cases, you may even have to reinstall the app to get it to stop crashing–but it’s better than Niantic having access to your entire account.
This leads us to our final trick: playing without compromising your primary Google account.
Want to Keep Playing Anyway? Use a Burner Google Account
Okay, we get it. You want to keep playing, but are (rightfully) dubious about handing over your account. Here’s a little workaround: create another free Google account, with nothing in it, and use that to sign into Pokémon GO.
We have to admit we feel a bit silly for not doing this in the first place, but this is the first time we’ve really been burned by bad permissions in a game. To create a burner account, just log out of your regular Google account on your computer and then visit www.gmail.com to sign up for an account like superawesomepokemontrainer2016@gmail.com. Use that account to log into Pokémon GO and you’re golden. No matter how bad the account permissions remain, you can continue to play the rather addictive game without any privacy concerns.
You will, however, have to start over from scratch, and you’ll lose all your Pokémon. But that’s a small price to pay. Alternatively, you can wait and hope Niantic releases their update fixing this problem–which should hopefully happen soon.