Google to be strict on SMS/Call log policy
16 January, 2019
As previously announced and directly communicated to developers via email, Google be removing apps from the Google Play Store that ask for SMS or Call Log permission and have not submitted a Permissions Declaration Form. If developers have not submitted a permissions declaration form and their apps are removed, see below for next steps.
Google takes access to sensitive data and permissions very seriously. This is especially true with SMS and Call Log permissions, which were designed to allow users to pick their favorite dialer or messaging app, but have also been used to enable many other experiences that might not require that same level of access. In an effort to improve users' control over their data, last October Google announced that they would be restricting developer access to SMS and Call Log permissions.
The new policy is designed to ensure that apps asking for these permissions need full and ongoing access to the sensitive data in order to accomplish the app's primary use case, and that users will understand why this data would be required for the app to function.
Developers whose apps used these permissions prior to our announcement were notified by email and given 90 days to either remove the permissions, or submit a permissions declaration form to enable further review.
More about app reviews
Google takes this review process seriously and understands that it's a change for many developers. They apply the same criteria to all developers, including dozens of Google apps. Google added to the list of approved use cases over the last few months as they evaluated feedback from developers.
Google’s global teams carefully review each submission. During the review process, they consider the following:
-Likelihood that an average user would understand why this type of app needs full access to the data.
-User benefit of the feature.
-Importance of the permission relative to the core functionality of the app.
-Risks presented by all apps with this use case having access to this sensitive data.
Availability of more narrow alternatives for enabling the feature.
With this change, some uses cases will no longer be allowed. However, many of the apps Google reviewed with one of these permissions can rely on narrower APIs, reducing the scope of access while accomplishing similar functionality. For example, developers using SMS for account verification can alternatively use the SMS Retriever API, and apps that want to share content using SMS can prepopulate a message and trigger the default SMS app to show via intents.
Tens of thousands of developers have already resubmitted their apps to support the new policy or have submitted a form.
Next steps
Over the next few weeks, Google will be removing apps from the Play Store that ask for SMS or Call Log permission and have not submitted a permission declaration form. If any app is removed and developers would like to have it republished, they can do one of the following in the Play Console:
-submit a new version without these permissions, or
-submit a new version of their app that retains the permissions. Doing so will require them to complete a permissions declaration form inside the Play Console (coming soon) and will give them an extension until March 9th to remove the permissions or receive approval for their use case.
Keeping the overall Android ecosystem healthy is very important, and protection of user data is vital to the long term health of all developers.
TAG(s):