Subscribe

gotta catch all of your e-mails —

iOS version of Pokémon Go is a possible privacy trainwreck [Updated]

No user data has been accessed, and Google and Niantic are working on fixes.

-

If you sign in to <em>Pokémon Go</em> on iOS, you may be giving it more access than it needs.
If you sign in to Pokémon Go on iOS, you may be giving it more access than it needs.
Andrew Cunningham

Update: Niantic has confirmed in a statement that the Pokémon Go app requests more permissions than it needs but that it has not accessed any user information. Google will automatically push a fix on its end to reduce the app's permissions, and Niantic will release an update to the app to make it request fewer permissions in the first place. The full statement:

"We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user's Google account. However, Pokémon Go only accesses basic Google profile information (specifically, your user ID and e-mail address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google account information, in line with the data we actually access. Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go's permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves.

Further Reading

Armed muggers use Pokémon Go to find victims
Original story: A word of warning if you're playing Pokémon Go on iOS: signing into the app through Google currently gives the game full access to your Google account (hat tip to Adam Reeve for discovering the issue). External apps that you sign into with Google often ask for a small subset of permissions based on what they need to do—view your contacts, view and send e-mail, view and delete Google Drive documents, and so on. But Niantic's Pokémon Go iOS app doesn't ask, and with full account access, it can theoretically do all of those things and more. You can check on and revoke permissions for Pokémon Go and any other external app on this page.

We've independently verified that the game requests full account access on iOS, but the Android version doesn't appear to have the same problem; you can sign in with Google, but the app doesn't show up on the permissions page. And, of course, you don't need to use a Google account to play Pokémon Goan account created through the Pokémon site will also work. However, that site is currently having server problems, and you may not be able to create an account right now if you don't already have one.

Creating a Pokémon account is one option, but the site is having problems right now.
Enlarge / Creating a Pokémon account is one option, but the site is having problems right now.
Andrew Cunningham

It's very likely that this is an oversight or an error rather than an intentional, malicious move on Niantic's part, but we've contacted the company for more information and will update the article if we receive a response. Hopefully an app update can resolve the privacy and security issues.

Listing image by Andrew Cunningham

Andrew Cunningham Andrew is a Senior Technology Reporter at Ars Technica, with a focus on consumer tech including computer hardware and in-depth reviews of operating systems like Windows and macOS. Andrew lives in Philadelphia and co-hosts a weekly book podcast called Overdue.

Channel Ars Technica

Related Stories

    Today on Ars