Reports that Pokémon GO is a security risk have prompted a rapid response from game developer Niantic. The company, which is working with Nintendo and The Pokémon Company in developing the game, has issued a statement saying that a fix is coming and that Google has verified no unexpected information has been accessed.
Early adopters, digging through Google’s security settings, noticed that Pokémon GO appeared to have granted itself full access to a user’s accounts.
Niantic said in a statement:
We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.
Pokémon GO has caused quite a stir in security circles, both virtual and physical. An Australian police force had to warn locals not to try to enter the police station just to retrieve the Pokéballs inside. Meanwhile, armed robbers in Missouri used the game to lure victims towards a parking lot, before robbing them. Three suspects have now been charged with armed robbery.
In the case of the Google access request, it sounds like Niantic did not intend to ask for the amount of data that it did. Until the fix is pushed out, it’s their word against what seems to be a big security risk.