You might want to think twice before you log back into Pokémon Go.
If you’ve spent any time with the app, you already know that you either have to log in with a Google account or a Pokémon Trainer Club account. Considering the Trainer Club is not currently accepting new applicants, chances are you went with your Google account. Here’s where things get dicey.
DON’T MISS: Pokémon Go wishlist: 6 features that we want to see added to the game
Adam Reeve, an architect for security analytics platform RedOwl, pointed out on his blog last week that apps which utilize accounts from other platforms typically disclose what kind of access they are being granted before you log in. Pokémon Go doesn’t, so Adam logged into his Google account on his computer to see what exactly he’d authorized the game to do with his account.
Here’s what he found (and what I found when I checked myself):
Pokémon Go: Has full access to your Google Account
Full access?! What exactly does that entail? What “full access” means is that Pokémon Go and Niantic Labs (the developer) have the ability to read your email, send email from your account, access and delete your Google Drive documents, look at your search history, access your private photos and more.
And, as Reeve points out, most of the “Forgot your password?” forms will be sent to your email address, so if someone at the company was so determined, they could get into your Twitter, Facebook, bank account — the list goes on.
To be clear, no one is suggesting that Pokémon Go is the greatest digital caper in modern history (although that would be pretty impressive), but it’s completely unnecessary for the company to have access to anything but the most basic data from your Google account when you sign in.
Based on the feedback that Reeve has gotten over the past several days, only iOS users are having to contend with this issue, as Android users aren’t seeing any access from the app listed on their Google accounts. Strangely, not even all iOS users have been affected, but if you’re one of the many who have, it might be worth revoking the app’s privileges until Niantic explains itself.