Pokémon Go users on iOS have noticed a potentially devastating privacy issue when logging in to the app with a Google Account. In what developer Niantic describes as an "error", the app gives itself full access to your Google Account at login, without informing you or asking for your permission.
Typically, when apps use Google to sign in, they ask for just a small subset of permissions. An email app, for example, might ask to access contacts and send emails, as this would be necessary for the app to work as advertised. There is rarely a need for an app to have full account access, which is what Pokémon Go gives itself on sign-in.
Full account access means that, theoretically, Pokémon Go could access your private photos, delete documents from Google Drive, access your search history, modify your account information, send emails and more. There are some things it can't do – like change your password, delete your account, or use Google Wallet – but this doesn't stop 'full access' being a dangerous permission to give an app.
Developer Niantic released a statement moments ago that clarified what Google information Pokémon Go actually accesses. The company states that a "client-side fix" is in the works, although there's no word on when the update will be released. Niantic's full statement is below.
We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.
However, if you are worried about this privacy issue before the update is released, you can revoke Pokémon Go's account access from this page, and create a Pokémon Trainer Club account to use the app instead (although the site is under heavy load).
Android users don't have to worry: Pokémon Go does have the ability to log in via a Google account, but it doesn't give itself full account access on that platform.
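The mismatch described above, between the permissions a sign-in requests and the data the app uses, can be checked mechanically. The following is an added example, not code from Niantic, Google or this article: it compares the scopes in an OAuth 2.0 authorization request with the scopes an app needs for a user ID and email address. The request URLs, client ID and redirect URI are constructed, and the page does not show the request Pokémon Go actually sent.

```python
from urllib.parse import urlsplit, parse_qs

# Scopes covering what the statement says the app uses: user ID and email.
NEEDED_SCOPES = {"openid", "email"}

# Constructed sample requests (hypothetical client ID and redirect URI).
BASE = ("https://accounts.google.com/o/oauth2/v2/auth"
        "?client_id=EXAMPLE-CLIENT-ID&response_type=code"
        "&redirect_uri=com.example.app%3A%2Foauth&scope=")
NARROW_REQUEST = BASE + "openid%20email"
BROAD_REQUEST = BASE + ("openid+email+https%3A%2F%2Fmail.google.com%2F"
                        "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive")
NO_SCOPE_REQUEST = BASE.rsplit("&scope=", 1)[0]


def requested_scopes(auth_url):
    """Return the set of scopes named in an authorization request URL."""
    query = parse_qs(urlsplit(auth_url).query)
    scopes = set()
    for value in query.get("scope", []):
        scopes.update(value.split())  # scope is a space-delimited list
    return scopes


def audit(auth_url, needed=NEEDED_SCOPES):
    """Compare requested scopes with the scopes the app actually needs."""
    requested = requested_scopes(auth_url)
    excess = sorted(requested - set(needed))
    return {
        "requested": sorted(requested),
        "excess": excess,
        # A request with no scope parameter cannot be verified, so it fails.
        "ok": bool(requested) and not excess,
    }


if __name__ == "__main__":
    for name, url in [("narrow", NARROW_REQUEST), ("broad", BROAD_REQUEST),
                      ("no scope", NO_SCOPE_REQUEST)]:
        result = audit(url)
        verdict = "OK" if result["ok"] else "REVIEW"
        print(f"{name:9} {verdict:7} excess={result['excess']}")
```

Run as a pre-release check against the sign-in URL each platform build generates, this flags a build whose request is broader than the data the app collects.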