The Washington Post: Democracy Dies in Darkness

Pokémon Go had ‘full access’ to the Google accounts of some iPhone players

See how Pokémon Go works, and why everyone's so crazy about it. (Video: Jhaan Elker/The Washington Post)

Update: Niantic has released an update for the iOS version of the app that resolves the full account access issue. Users who had issues playing the game after revoking its access to their Google accounts may need to re-install the app to get back to catching 'em all. 

Some Pokémon Go players who signed up for the game with their Google accounts are facing new privacy fears after a security researcher pointed out that the game automatically gained "full account access" to their Google accounts.

Researcher Adam Reeve initially highlighted the issue in a recent Tumblr post for people who registered for the game on an Apple device. It's not entirely clear what "full access" means, and Google declined to comment when The Post requested clarification. However, the company's help page says that an app with full access "can see and modify nearly all information in your Google Account (but it can’t change your password, delete your account, or pay with Google Wallet on your behalf)." The page also said that this level of permission "should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet."

Reeve interpreted that explanation broadly, saying that Pokémon Go likely has the ability to do things such as read all players' emails, send emails on their behalf, access documents on their Google Drive, and "a whole lot more." However, when questioned about those claims by tech site Gizmodo, Reeve said that he had not tested to verify what type of information an app with such access would have. Other experts have also said the issue was not as severe as Reeve initially reported.

Niantic Labs, the game developer behind Pokémon Go, did not immediately respond to a Post inquiry about the access. But the company did acknowledge an access level issue in a recent statement to gaming site Polygon. The company said that the "full account" permission granted to the app was an error and that the game "only accesses basic Google profile information" like User ID and email addresses and has not accessed or collected any other information.

"Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic," the statement said. The company also added that Google would soon reduce the game's permission to only access basic profile information, and that users should not need to take any action.

The issue appears to only affect users who signed up with an Apple device, and the game does not explicitly ask for "full account access" during the set-up process. Users can tell if the app currently has that level of access by visiting this page — and remove it by clicking the revoke button associated with the app. Unfortunately, doing so may stop players from being able to keep catching 'em all.

Players can also choose to use the app with a Pokémon Trainer Club account, rather than a Google account, but users have encountered issues with that method because of the overwhelming demand for the game.