What’s the risk?Pokémon Go requests Full Access to your Google account, which includes everything from access to your emails (read, write, send and delete) to your Google Wallet. While Nintendo has issued a statement saying that they are not harvesting this information, and will change the permissions to the application soon, the simple fact is that the application has unrestricted access to everything in your Google account. And I mean everything! Now, if you use your Google account for business, and decided to play the game with the same Google account, you have potentially exposed everything in your business to Nintendo. While the risk is realistically low that something will happen, the unintentional consequences of unknowingly allowing a third party potential access to your business is quite high. Think of it this way. If you have a brick and mortar business, would you leave the backdoor of the building unlocked and let someone know it was unlocked? Of course not. Well, Pokémon Go does exactly that for cybersecurity. It leverages social media login capabilities of Google+ to create an account and exposes everything in Google+ to them. You have effectively given permissions to a third party for everything you store in Google – from your calendar to text messages.
How to reduce the risk of allowing a third-party to access your account?Unfortunately, you are now aware of the risk and must remove Pokémon Go privileges from Google Security until this can be properly fixed. Until Nintendo patches the application’s permissions, you best bet is to:
- Remove Full Access and avoid playing the game. Simply click on Pokémon Go and Remove access. See below for a screenshot on how to disable this.
- Create a secondary Google account with minimal information in order to play the game.
- If you have an MDM deployment, prohibit employees from loading the game.
- Do not use the “Lore” feature in the game. This has been associated with physical robbery crimes and exposes the user’s information to other Pokémon Go players.