iPhone Users: Pokémon GO Can Spy On Your Entire Google Account -- UPDATED

This article is more than 7 years old.

iPhone users of Pokémon GO, beware: the app has access to your entire Google account. That's a major problem for fans of the game. Shockingly, there's no warning about the extensive permissions either. For now, it's unclear if Android owners are affected, though reports of sporadic Google account access have emerged.

To be clear, the app, as it stands, can read and write emails. It can also view your Google Docs, search history and Maps use. And your private photos. It'll also take data that's standard for modern apps, like IP and email addresses. Given the app by necessity has to use location data, Niantic suddenly has access to incredibly private information of millions of individuals across the world.

Keen-eyed security pro Adam Reeve warned about the issue last week, noting that he didn't receive any warning about the permissions on download. "Now, I obviously don’t think Niantic are planning some global personal information heist. This is probably just the result of epic carelessness," Reeve wrote. "But I don’t know anything about Niantic’s security policies. I don’t know how well they will guard this awesome new power they’ve granted themselves, and frankly I don’t trust them at all."

Concerned users can do what Reeve did: revoke accounts and delete the app. They could still enjoy the game, however, and sign up via the website. But that feature is, inexplicably, not currently working. So right now, iPhone users have no option but to either risk their data or kill the app.

Niantic hadn't responded to a request for comment at the time of publication.

Pokémon GO has become an instant hit, attracting more daily users than Twitter in a matter of days. But it's come at a cost, with reports of criminals using the app's Pokéstop beacon, which attempts to connect users, to carry out robberies. Success, it's clear, can be a dangerous thing.

UPDATE: It seems that whilst the permissions granted to Niantic were extensive, it didn't actually take advantage of them. Ari Rubenstein, a savvy programmer posting on GitHub, noted that even with some tweaking they couldn't force the app to grab emails. Over at Trail of Bits, the security team confirmed the presence of an "Uber" token that could have allowed low-level access to a user's account, but again it wasn't allowing anything malicious.

Nevertheless, Niantic has announced it is updating the app to revoke those permissions. Its full statement read: "We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected.

"Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves."
