Everyone’s stoked about Pokémon Go, but if you’re a privacy conscious player on iOS, you might not like the fact that Pokémon Go (and Ingress, for that matter) has complete access to everything in your Google account. Good news though, you can revoke that access.




First of all, if you’re not too deeply invested in the game, or you’re just getting started, now might be a good time to set up a new, fresh Google account just for Pokémon Go if you’d rather play and avoid this whole still-developing fiasco.




Here’s the issue: Pokemon Go takes “full account access” when you sign in with your Google account. This means Niantic, the company behind Pokémon Go, has access to everything in your Google account, including Gmail, Contacts, files stored in Google Drive, and has read/write permissions to all of it—and just about every other bit of data aside from your password. This is a level of access usually reserved for Google’s own apps (for the record, Niantic used to be a Google company, before it was spun off on its own last year.) Here’s how to revoke it:

Head to your Google security page

Select Pokémon Go and then click “Remove” to revoke full access.

Launch the game on your device and confirm it still works.

In my limited tests, the game still seems to work normally, but we’ve seen mixed reports all around with some people not being able to play without it (or, being able to log into the game without it,) so your mileage may vary.

Obviously, there’s nothing saying that Niantic is collecting this data for malicious purposes, or even to sell your data, but considering they don’t explicitly ask you for it on iOS, it’s a little surprising. Android users, however, are explicitly asked to allow this access.


Update: Niantic has released a statement claiming the permissions request was in error. Here’s what they sent over to our friends at Kotaku:

We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.


So, hold tight, sounds like a fix is incoming. Update: The fix is live now.


Google Security | via Adam Reeve and SecuriTAY