Original Post by: Jason Fitzpatrick | How-To Geek | Published on: 07/11/2016
To say Pokémon GO is wildly popular would be a vast understatement. To say the app’s use of your Google Account is wildly insecure would also be a vast understatement. You should revoke its access to your account now. (But don’t worry, there’s a way to keep playing.)
What’s the Big Deal?
Pokémon GO is insanely popular. It’s a free-to-play mobile game, developed by Niantic on Nintendo’s behalf, and is available for both iOS and Android. In the first few days since it was released, it has been downloaded millions upon millions of times, skyrocketed up the mobile app charts, and given investors such a confidence boost in Nintendo that Nintendo stock surged 7.5 billion dollars and the company saw the biggest single-day surge in stock value that it’s seen since 1983.
So what’s the problem? The game plays it pretty fast and loose with the security of your Google account.
The game allows you to create either a Pokémon account (a third party account designed expressly for Pokémon GO and other Pokémon stuff) or to use your Google account. Almost everyone is opting to use their Google account because the Pokémon account system is getting slammed with too much traffic.
That shouldn’t be a big deal, right? Tons of websites allow you to use your Google account for credentials instead of creating a separate login. But here’s the problem: unlike other apps and websites that only grab permissions for a few things, Pokémon GO is given full access to your Google account–and it takes it without even asking you.
Yes, you read that right: Full. Access. As a result, the app has access to absolutely everything in your Google account. It can read your email, send email from your address, see your contacts, grab your files and photos from Google Drive, you name it. It’s such an absurd thing that when Adam Reeve first wrote about it, we couldn’t believe it. In fact, we were so incredulous we immediately checked our own account and promptly started having people around the How-To Geek office check their accounts too. If you want to check your own account, log into your Google account and visit this URL to check your permissions: https://security.google.com/settings/security/permissions?pli=1
So far this problem appears to mostly affect iOS devices. Although there are reports floating around about some Android devices being affected too, we were unable to replicate it on any of our Android devices–but it’s almost definitely happening to some phones. We were able to replicate it consistently on iOS.
So is Niantic secretly thieving all your data on purpose? We think it’s unlikely. It’s probably just a simple (albeit very, very stupid) oversight on their part rather than something nefarious. After all, Pokémon GO unseated the top two iOS freemium games in a matter of days. Using just the iOS charts as an indicator combined with estimated income of the two unseated games (Mobile Strike and Game of War), we can safely assume the game is pulling down millions of dollars a day. Who needs to be a criminal when people throw bricks of money at your head?
Jest aside, let’s take a look at what you should do immediately and what you should do to keep playing the game if you can’t stand to be away from it.
How to Revoke Pokémon GO’s Access to Your Google Account
As we noted in the previous section, you can easily and immediately check the status of app and service permissions on your Google account. Uninstalling the game will not revoke the access granted to the game. You must log in to the Google account permissions page and look for the entry “Pokemon Go Release”. Click on it for a detailed view and then click the giant “REMOVE” button.
Note that when we tested this on our Android devices, we didn’t see the Pokemon Go Release option show up at all. As far as we know, if that is what you see too, you are unaffected by the problem.
Clicking Remove will immediately revoke the app’s access to your Google account. Unsurprisingly, this also means the app will stop working (although some users on Twitter have reported the ability to continue playing after the revocation–if that’s you, congratulations, you are lucky). In our tests, the app either crashes the next time you open it, or demands you log in again. In some cases, you may even have to reinstall the app to get it to stop crashing–but it’s better than Niantic having access to your entire account.
This leads us to our final trick: playing without compromising your primary Google account.
Want to Keep Playing Anyway? Use a Burner Google Account
Okay, we get it. You want to keep playing, but are (rightfully) dubious about handing over your account. Here’s a little workaround: create another free Google account, with nothing in it, and use that to sign into Pokémon GO.
We have to admit we feel a bit silly for not doing this in the first place, but this is the first time we’ve really been burned by bad permissions in a game. To create a burner account, just log out of your regular Google account on your computer and then visit www.gmail.com to sign up for an account like firstname.lastname@example.org. Use that account to log into Pokémon GO and you’re golden. No matter how bad the account permissions remain, you can continue to play the rather addictive game without any privacy concerns.
You will, however, have to start over from scratch, and you’ll lose all your Pokémon. But that’s a small price to pay. Alternatively, you can wait and hope Niantic releases an update fixing this problem–but so far, they’ve made no statement either way.
Reference Article: http://www.howtogeek.com/262402/pokemon-go-is-painfully-insecure-revoke-its-access-to-your-google-account/