Popular smartphone game Pokemon Go called security risk for iPhones [Updated]

[Image: Pokemon Go's loading screen. Screenshot. Photo: The Washington Post]

Pokemon Go, the hot new smartphone game, was released just last week but it's already so popular that it has surpassed the dating app Tinder for user installations, with Twitter in its sights next. The game has players scurrying about in the real world, capturing animated creatures in what is probably the first hit title to rely on augmented reality.

But for iPhone users, Pokemon Go has a serious catch. Adam Reeve, a security expert with RedOwl, discovered that iOS users who choose to log in to the game via their Google accounts give Pokemon Go full access to all their Google data.

As Reeve puts it:

"Let me be clear - Pokemon Go and Niantic can now:

- Read all your email
- Send email as you
- Access all your Google drive documents (including deleting them)
- Look at your search history and your Maps navigation history
- Access any private photos you may store in Google Photos
- And a whole lot more

What's more, given the use of email as an authentication mechanism (think 'Forgot password' links) they now have a pretty good chance of gaining access to your accounts on other sites too."

In other words, if you've got any data generated by a Google product or service, the Pokemon Go app can see it, change it, even send it elsewhere.

This is not the way a Google login is typically handled. Usually, apps are given only the minimum permissions they need. An app taking full access is highly unusual, particularly since Pokemon Go users are not warned during setup that the app requires it.

This issue only affects Pokemon Go players who have the app on an iOS device - an iPhone, iPad or iPod Touch. The Android version doesn't take this kind of access.

As Reeve points out, it's unlikely that Niantic, the developer of the game for Nintendo, plans to do anything nefarious. He refers to it as "epic carelessness." But evildoers who might hack into Niantic's systems could, in theory, gain access.

You can see if Pokemon Go has full access to your Google account by checking the apps section of Google's security settings. Reeve recommends that you revoke access to Pokemon Go if it has full access, and delete the app from your iPhone - at least until Niantic updates the game with more reasonable access.

Update: When Reeve wrote his initial post, he noted that you can also log into the game if you have a sign-in with the Pokemon website. However, at the time that site wasn't accepting new accounts. At this writing, it's still up and down. Some folks have successfully created one of these accounts, but others still get this screen:

Reeve also has updated his entry with a FAQ on the issue.

Update 2.0: Ars Technica reports that Niantic says Google will take action to reduce the permissions for Pokemon Go, and the developer will also release an updated version that doesn't require full access. From Niantic:

"We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user's Google account. However, Pokémon Go only accesses basic Google profile information (specifically, your user ID and e-mail address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google account information, in line with the data we actually access. Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go's permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves."

Update 7.12.2016: Niantic has released an update to the Pokemon Go app that fixes the Google login issue, 9to5Mac reports.