Google is manually reviewing Android apps that request access to a smartphone’s phone or texting features. The move fulfils a promise to restrict how apps can access these functions on Android phones.
In the announcement last October, the company explained that it would restrict which apps could ask for access to SMS data and phone functions, including call logs.
Under the new rules, only apps selected as the default text or phone app will be allowed access to that data. Google will grant exceptions, but only when an app needs to ask for those permissions for specific activities that are part of its core functionality. These include backing up and restoring user data, spam protection, synchronizing between devices or transferring calls, and task automation.
For an app to request this access at all, it must first be approved by a Google employee. To get that approval, developers must fill out a declaration form. Google’s teams will consider several factors when approving an app, including the benefit to the user, and whether users will understand why the app needs full access to this data.
They will also consider whether there are alternative ways for the app to achieve its goals. On its help page, Google lists other ways for apps to access the phone and SMS functions on a phone, but they require user intervention.
The Dial Intent APIs enable an app to open the phone app and specify a number to call, but the user has to manually hit the dial button. Similarly, SMS Intent initiates an SMS message for the user to send.
If an app wants to use SMS for two-factor authentication (2FA), its developer can use the SMS Retriever API. This listens for a code sent via SMS message from the app provider’s back-end server to the user’s phone. When the API sees the message arrive, it can automatically route it to the app so that the user doesn’t have to enter it manually.
Apps that get access to the call or SMS functions in the Android operating system unlock a treasure trove of data. They are able to download extensive metadata about calls that users have made and SMS messages that they have sent.
Clearly wise to the privacy implications, Google has completed the new access rules with an update on its permissions page. It is being far more explicit about how default apps could use phone and SMS data on the page, which it fleshed out with extra rules last year:
You may never sell this data. The transfer, sharing, or licensed use of this data must only be for providing critical core features or services within the app, and its use may not be extended for any other purpose (e.g. improving other apps or services, advertising, or marketing purposes). You may not use alternative methods (including other permissions, APIs, or third-party sources) to derive data attributed to the above permissions.
Google says that over the coming weeks, it “will be removing apps from the Play Store that ask for SMS or Call Log permission and have not submitted a permission declaration form.”
I wonder whether Facebook’s Android app, which has accessed phone and text logs on Android phones with users’ permission, will make it through?