Nintendo's new location-based augmented reality game Pokémon GO has been making rounds since its launch just a few days ago. People are so excited to catch 'em all that brought Nintendo's market-value gains to $7.5 Billion (£5.8 Billion) in just two days – the highest surge since 1983.

Due to the huge interest surrounding Pokémon GO, even hackers are using the game's popularity to distribute malicious versions of Pokémon GO that could install DroidJack malware on Android phones, allowing them to compromise user's devices completely.

However, the latest threat is related to the privacy concerns raised about the iOS version of the official Pokémon GO app.

Pokémon GOA Huge Security Risk

Adam Reeve labeled the game "malware," saying that Pokémon GO is a "huge security risk" as the game, for some reason, grants itself "full account access" to your Google account when you sign into the app via Google on iPhone or iPad.

Yes, you heard that right: Full Account Access.

Any app, according to Google's own support page, that granted Full account access, can:
"See and modify nearly all information in your Google Account (but it can't change your password, delete your account, or pay with Google Wallet on your behalf)."
What exactly this means is quite unclear, but Reeve claimed that the Nintendo's Pokémon GO – developed by Niantic – can now:
  • Read all your email.
  • Send email on your behalf.
  • Access your Google Drive documents (including deleting them).
  • Look at your search history as well as Maps navigation history.
  • Access your private photos stored in Google Photos.
  • And a whole lot more.
Although Reeve, who reported the issue on his Tumblr blog, said this issue appears to mostly affect iOS users, some Android users are reporting that their devices are also being affected.

Pokémon GO doesn't Intend, but has Power to look inside:

Game developer Niantic, who is behind the smash-hit game Pokémon GO, released a statement saying that it never intended for its game to get full access to your Google account and that the app hasn't accessed any user data beyond "basic profile information" such as your User ID and email address.

Niantic also said that the company is actively working on a fix to downgrade the permission.

"We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user's Google account," Niantic said.
"Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access."
Well, agreed that Pokémon GO didn't intend to look inside your Gmail inbox, but there is no doubt that the app was initially granted wildcard access to users Google accounts.

How to Revoke Pokémon GO's Access to Google Account

In the meantime, gamers can revoke Pokémon GO's full account access to their Google account.

Here's how to revoke it:
  1. Head onto your Google account permission page and look for Pokémon GO.
  2. Select Pokémon GO Release and click "REMOVE" button to revoke full account access.
  3. Launch Pokémon GO on your device and confirm it still works.
This will immediately revoke the Pokémon GO app's access to your Google account, but the downside is that users may lose their game data.

Another simplest approach is to use a burner Google account. For this, create an all new Google account, with nothing in it, and use this account to sign into Pokémon GO as well as other apps that you may find doubtful.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.