The game Pokémon Go is extraordinarily popular, with one extraordinarily unpopular drawback: Its iOS app has demanded full access to all of your Google account information. That means it could have been able to “see and modify nearly all information in your Google Account,” according to Google, short of changing your password or tapping into Google Wallet. This is very bad! And now you can fix it.
The app’s first update, available now in the App Store, remedies some log-in issues and works to minimize crashes, all typical early update stuff. According to game developer Niantic’s release notes, though, it also “Fixed Google account scope.” That’s a bit of an understatement. Now, instead of potentially tapping into everything you do on Google, it can access only your Google User ID and email address.
For the change to go into effect, you’ll need to download the update, sign out, and sign back in. You should see a new, much more limited permission request screen. If you signed up with a Pokémon Trainer Club account instead, or on Android, proceed with your regularly scheduled Poké Stops.
Niantic had previously characterized the overreach as “erroneous,” and assured people that it had only accessed User IDs and email addresses despite its broader mandate. Today’s patch is a quick fix to a problem that never should have existed in the first place. Even if you trust Niantic with that much sensitive information—and there’s no reason you should—any service that can tap into that kind of wellspring becomes an immediate target for hackers.
So did you update yet? Good. You’ve successfully defended your Google account. Now go find a gym and do the same.