Niantic, the developer of the popular Nintendo Pokemon app, is working on a patch that will correct security issues related to the game. In a statement at Polygon, the company acknowledged the concerns that had previously been reported by security pro Adam Reeve.
Google is also working to change the privileges given to existing users.
Here is Niantic's statement:
"We recently discovered that the Pokemon GO account creation process on iOS erroneously requests full access permission for the user's Google account. However, Pokemon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokemon GO or Niantic. Google will soon reduce Pokemon GO's permission to only the basic profile data that Pokemon GO needs, and users do not need to take any actions themselves."
Adam Reeve, who works for a security analytics firm, drew attention to the level of account permissions the game has by default, revealing that players who sign in through Google grant Pokemon Go developer Niantic Labs access to the entirety of their account data.
Specifically, when launching the game, players can choose to sign in either through Google or through the Pokemon Trainer Club. The latter site has currently suspended new account registration, leading many to log in with their Google accounts instead. Yet doing so doesn't prompt a pop-up indicating the information that Niantic Labs will have access to through this method; instead, it loads up the game without giving the user a chance to edit permissions.
Looking at the security permissions tied to a Pokemon Go player's account shows that the game has "full account access" automatically. For iOS users, there's no option to edit these permissions; the only option is to revoke access entirely.
For people playing on Android, the game doesn't show up under Google account security permissions at all.
The app, as it stands, can read and write emails. It can also view your Google Docs, search history and Maps use. And your private photos. It’ll also take data that’s standard for modern apps, like IP and email addresses. Given the app by necessity has to use location data, Niantic has access to private information of millions of individuals across the world.
Pokemon Go has become an instant hit, attracting more daily users than Twitter in just a few days. The app can boost Nintendo profits by one or two billion yen (about $10-20 million) annually, since Nintendo has a 32% stake in Niantic.