No, Pokemon GO isn’t hacking your Google account

While Pokemon GO has slowly begun to take over the world, some players have had a knee-jerk reaction to the Google sign-up process for the game. It was believed that by signing into Pokemon GO via Google on iOS (specifically), you were handing over access to your entire Google account to Niantic.

Essentially, the fear was that anyone that had access to Niantic's servers, whether it be a Niantic employee or hacker, would be able to "see and modify nearly all information in your Google account." Making them able to read and access all your email, Google drive docs, search history, private Google Photos and more.

Niantic has released a response to Engadget over the situation, clearly stating that Pokemon GO only access "basic Google profile information" like your User ID and email address.

We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user's Google account. However, Pokémon Go only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go's permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves.

Additionally, Ari Rubinstein, a Slack security dev, tested out the authorization token that Pokemon GO uses to access your information and found that an out-of-date API is causing Google to request users give them "full access" to their accounts. You can read a full report for Rubinstein here.

It turns out that Pokemon GO does not have permission to access things like your email or calendar. It was simply an out of date API, which could have come from Niantic's other mobile game Ingress. Both game use similar features, so the two games could have shared some code – which could account for an out-of-date API or someone forgot to update the code after testing.

TL;DR: Pokemon GO isn't going into your emails and reading them.