Pokémon Go has probably given itself permission to read your emails.
The app is automatically granting itself permission to people’s Gmail and Google Drive accounts, according to security researchers.
Signing up to use the app – which has been done by tens of millions of people, as the app has become one of the most popular ever – seems to opt users into having their accounts accessed by the game’s developers. And there is no way to know that it has happened, since the app doesn’t seem to notify users that they have been signed to the problem policy.
When signing up to play the game, players choose either to login with their Google accounts or to use a Pokemon.com account. But the latter is no longer signing up new users and so most of the app’s new users will have joined with their Google account.
Once players have signed up using that Google account, the app appears to give itself full access to their Google account – emails, calendars, personal documents, location history and all. Users can see what Pokémon Go has given itself permission to read by heading to this page, which shows the permissions that every app connected to Google has.
Concerned users can head to the same page to revoke the permissions that Pokémon Go gives itself. When a user does that, they find themselves signed out of the app – but logging back in seems to restore the functionality of the app.
Since the permissions could be exploited by anyone who had access to developer Niantic’s servers, the login could be used by hackers to get access to users’ most sensitive information – as well as to break into other accounts outside of the Google network. For those reasons and more, developers are usually encouraged to ask for only the most limited permissions.
Security researcher Adam Reeve, who first pointed out the privacy problems, said that he thought it was unlikely that the issues had happened because of maliciousness, but rather by accident.
“Now, I obviously don’t think Niantic are planning some global personal information heist,” he wrote in a Tumblr post. “This is probably just the result of epic carelessness. But I don’t know anything about Niantic’s security policies.
“I don’t know how well they will guard this awesome new power they’ve granted themselves, and frankly I don’t trust them at all. I’ve revoked their access to my account, and deleted the app. I really wish I could play, it looks like great fun, but there’s no way it’s worth the risk.”
It isn’t clear that the permissions will have been requested for every user of the app, and it seems to be limited to iOS users. ButAndroid users could also find themselves compromised by attempting to play Pokémon Go, because of malicious software that can hijack the hugely popular app.