Update 7/12/16: Niantic Labs has updated Pokemon Go on iOS to version 1.01. "Fixed Google account scope" is among the changes, which indicates that the previous issue with the app's permissions has been addressed. Pokemon Go on iOS now just asks for the username and email address associated with your Google account, which is normal behavior.


Original story follows:

Pokemon Go, the Android and iOS game that's exploded in popularity over the last few days, has a big privacy and security loophole that you could walk right through if you sign up with a Google account on an iOS device, ZDNet has learned. (If you didn't use a Google account to create your Pokemon Go account, you should not have to worry about this issue.)

The problem comes in two stages. The first stage is Pokemon Go asking for "full account access," which should ordinarily be reserved for core trusted apps like Gmail or Safari. This level of access gives the app the right to view and even edit your email, calendar, and search history, as well as view the contents of your Google Photos and Google Drive.


The second stage is how iOS and Android currently respond to the app's requests for your personal data. On Android, you'll get a notification that the app is requesting these permissions. However, field testing shows that iOS devices do not always show these requests -- meaning that they're being granted in the background, without your input.

Complicating matters is the game's privacy policy, which generously grants its creator the rights to the personally identifiable information that it may have collected through the granting of these app permissions.

Fortunately, these permissions can be blocked in your Google account settings. First, log in to your Google account. Now access the page that lists all app permissions linked to this account.

The apps on this page do not appear to be in any particular order, and you cannot sort them. If you have a long list, you'll need to use your browser's search function:

  • In a Windows desktop browser, Control-F opens the search function.
  • For Mac, press Command-F.
  • If you are using Google Chrome on a mobile device, tap the three dots in the upper right-hand corner and tap Find in Page.
  • In Safari on iOS, tap the Share button that's centered at the bottom of your screen, scroll right, and tap the Find on Page button.

When you have found Pokemon Go on this page, tap it, then the Remove button, and OK to confirm.


You will have to go through this process for each Google account that you've used to create a Pokemon Go account.

Until the game is updated to change the way that it asks for permissions, these permissions will re-enable themselves the next time you open the game on an iOS device. So we recommend not playing this game on iOS (if you can stand it), until the issue is fixed.


Tom is the senior editor covering Windows at Download.com.