Infosec Team Rocket: Pokemon GO has been getting a bad rep in the infosec scene for a few days even before today’s Google permissions explosion. The Pokemon GO app requests permissions from a Google account that far exceed what it needs to function. Niantic has already released a statement about their interpretation of the issue. But, let’s ignore what is likely to have happened, and look at what could have happened. An adversary compromised a phone with Pokemon GO loaded on it and captured the OAuth token that granted full access to the Google account. An attacker subverting the system is unlikely because of the level of expertise required in accomplishing the task.”]
Source: http://blog.securitymouse.com/2016/07/quick-pokemongo-threat-modeling.html