Due to the huge interest surrounding Pokémon GO, hackers are using the game's popularity to distribute malicious versions of Pokémon GO that could install DroidJack malware on Android phones, allowing them to compromise users' devices completely.
However, the latest threat is related to the privacy concerns raised about the iOS version of the official Pokémon GO app.
Pokémon GO – A Huge Security Risk
Adam Reeve labeled the game "malware," saying that Pokémon GO is a "huge security risk" as the game, for some reason, grants itself "full account access" to your Google account when you sign into the app via Google on iPhone or iPad.
Yes, you heard that right: Full Account Access.
According to Google's own support page, any app that is granted full account access can:
"See and modify nearly all information in your Google Account (but it can't change your password, delete your account, or pay with Google Wallet on your behalf)."
Exactly what this means is unclear, but Reeve claimed that Nintendo's Pokémon GO, developed by Niantic, can now:
- Read all your email.
- Send email on your behalf.
- Access your Google Drive documents (including deleting them).
- Look at your search history as well as Maps navigation history.
- Access your private photos stored in Google Photos.
- And a whole lot more.
Pokémon GO Doesn't Intend To, but Has the Power to Look Inside
Game developer Niantic, who is behind the smash-hit game Pokémon GO, released a statement saying that it never intended for its game to get full access to your Google account and that the app hasn't accessed any user data beyond "basic profile information" such as your User ID and email address.
Niantic also said that the company is actively working on a fix to downgrade the permission.
"We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user's Google account," Niantic said.
"Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access."
Well, agreed that Pokémon GO didn't intend to look inside your Gmail inbox, but there is no doubt that the app was initially granted wildcard access to users' Google accounts.
How to Revoke Pokémon GO's Access to Google Account
In the meantime, gamers can revoke Pokémon GO's full account access to their Google account.
Here's how to revoke it:
- Head to your Google account permissions page and look for Pokémon GO.
- Select Pokémon GO Release and click the "REMOVE" button to revoke full account access.
- Launch Pokémon GO on your device and confirm it still works.
Another simple approach is to use a burner Google account. For this, create an all-new Google account with nothing in it, and use this account to sign in to Pokémon GO as well as any other apps you find doubtful.