Pokemon GO privacy: Is the game a massive security risk?

At this point, to say Pokemon Go is a breakout success is an understatement. The game went straight to the top of download lists in both app stores, and is now set to have more daily users than Twitter.

But while gleeful Poketrainers wander the streets in search of elusive species, many will be unaware of the security concerns the game has raised among the privacy-conscious.

The controversy started when a Tumblr post by Adam Reeve, who works for a security analytics company, highlighted how the game requires enough permissions to essentially have access to users’ entire Google accounts.

But developer Niantic Labs says the full access request is an error that will soon be fixed, and that “Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address)”.

Related: How to download Pokemon Go for iOS and Android in the UK right now

Players can sign up to the incredibly popular game by either using their Google accounts or through the game’s official website. But as site has been experiencing extensive issues with servers overloading, many users have opted for the Google option.

After installing the game and checking the list of permissions the app requires, which you can do here, Reeve discovered a bewildering rundown which led him to conclude that Pokemon Go on iOS has ‘full access to your Google account’.

The game can do the following by default: Read all your email, Send email as you, Access all your Google drive documents (including deleting them), Look at your search history and your Maps navigation history, Access any private photos you may store in Google Photos, and lots more.

For iOS users, there is no option to change the access at all, leaving iPhone users no choice but to hand over full access to Niantic Labs, which stands to inherit a wealth of information on its rapidly growing global user-base.

Things are slightly different for Android users, who can check the app permissions when installing through the Play Store or by navigating to the app itself through the settings menu on their handset.

Related: Pokemon Go – 7 bizarre places Pokemon have been spotted

^{The game has users exploring real-world maps and uses augmented reality}

Niantic Labs has issued a statement in response to the controversy, wherein it says: “We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account.

“However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected.

“Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access.

“Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.”

Slack security engineer Ari Rubinstein has taken a closer look at the game and has confirmed the software only requests your OpenID and email address from Google – so it doesn’t look like Niantic has been peeking at anyone’s emails.

Whether or not the firm, which started as an internal startup at Google before becoming its own company, could have done so with the permissions it was given before the fix remains to be seen.

Pokemon Go has been making headlines since its release, and not just for its popularity. Players have been led into a variety of bizarre situations, with one user discovering a dead body.

The game also managed to court controversy after armed robbers in Missouri used the game’s geolocation feature to lure 11 players into a trap and rob them at gunpoint.

Watch The Refresh: The latest tech gossip every week

Have you downloaded Pokemon Go? Let us know what you think about the privacy controversy in the comments.