iOS version of Pokémon Go is a possible privacy trainwreck [Updated]
Update: Niantic has confirmed in a statement that the Pokémon Go app requests more permissions than it needs, but that it has not accessed any user information. Google will automatically push a fix on its end to reduce the app’s permissions, and Niantic will release an update to the app to make it request fewer permissions in the first place. The full statement:
“We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon Go only accesses basic Google profile information (specifically, your user ID and e-mail address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google account information, in line with the data we actually access. Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go‘s permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves.
Original story: A word of warning if you’re playing Pokémon Go on iOS: signing into the app through Google currently gives the game full access to your Google account (hat tip to Adam Reeve for discovering the issue). External apps that you sign into with Google often ask for a small subset of permissions based on what they need to do—view your contacts, view and send e-mail, view and delete Google Drive documents, and so on. But Niantic’s Pokémon Go iOS app doesn’t ask, and with full account access, it can theoretically do all of those things and more. You can check on and revoke permissions for Pokémon Go and any other external app on this page.
We’ve independently verified that the game requests full account access on iOS, but the Android version doesn’t appear to have the same problem; you can sign in with Google but the app doesn’t show up on the permissions page. And, of course, you don’t need to use a Google account to play Pokémon Go—an account created through the Pokémon site will also work. However, that site is currently having server problems and you may not be able to create an account right now if you don’t already have one.