In response to the Google+ privacy bug, the company announced Project Strobe to limit third-party access to user data. On Android, only default clients can request SMS or Call Log permissions, with Google today sharing that it will soon begin removing Play Store apps found in violation.
For the most part, Google wants to limit the SMS and Call Log permissions on Android to messaging and dialing apps, respectively. This allows users to continue using third-party clients, but limits other uses and prevents data leaks.
> Our new policy is designed to ensure that apps asking for these permissions need full and ongoing access to the sensitive data in order to accomplish the app’s primary use case, and that users will understand why this data would be required for the app to function.
Since October, Google has been contacting Android developers via email and giving them 90 days to make their apps compliant, or request an exception. A compliance extension gives developers until March 9th to work on updates.
The company today shared some progress on compliance efforts, including how in recent months it expanded the list of approved use cases following developer feedback. “Tens of thousands of developers” have either updated apps to follow the new policy or requested an extension. Google also notes that its own apps are subject to the same criteria, with the review process for an exception examining:
- Likelihood that an average user would understand why this type of app needs full access to the data.
- User benefit of the feature.
- Importance of the permission relative to the core functionality of the app.
- Risks presented by all apps with this use case having access to this sensitive data.
- Availability of more narrow alternatives for enabling the feature.
While some use cases are no longer allowed, Google notes that “many of the apps [it] reviewed with one of these permissions can rely on narrower APIs” to achieve similar functionality.
For example, developers using SMS for account verification can use the SMS Retriever API instead, and apps that want to share content over SMS can prepopulate a message and use an intent to open the default SMS app.
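To check an app against the policy described above, the following added example (not code from the article or from Google) scans a decoded, plain-text AndroidManifest.xml for SMS and Call Log permission requests. The permission names are Android's standard ones, which the article does not list, and the sample manifest and the names `audit_manifest`, `RESTRICTED` and `HINT` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used by AndroidManifest.xml (android:name etc.).
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Standard Android permission names in the two restricted groups.
# Assumption: the article names the groups, not the individual permissions.
RESTRICTED = {
    "android.permission.READ_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.RECEIVE_MMS": "SMS",
    "android.permission.RECEIVE_WAP_PUSH": "SMS",
    "android.permission.READ_CALL_LOG": "Call Log",
    "android.permission.WRITE_CALL_LOG": "Call Log",
    "android.permission.PROCESS_OUTGOING_CALLS": "Call Log",
}

# Narrower options the article mentions, per group.
HINT = {
    "SMS": "consider the SMS Retriever API or an intent to the default SMS app",
    "Call Log": "no narrower API named in the article; review the use case",
}

# Constructed sample manifest (not from a real app).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_CALL_LOG"/>
  <application android:label="Sample"/>
</manifest>
"""

def audit_manifest(xml_text):
    """Return [(permission, group)] for restricted permissions, in file order."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    for elem in root.iter():
        # Both tags can request a permission.
        if elem.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = elem.get(ANDROID_NS + "name", "")
            if name in RESTRICTED:
                findings.append((name, RESTRICTED[name]))
    return findings

if __name__ == "__main__":
    for perm, group in audit_manifest(SAMPLE_MANIFEST):
        print(f"{perm}: {group} permission group; {HINT[group]}")
```

A manifest taken straight from an APK is in binary XML and must be decoded to text before it can be parsed this way.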
Meanwhile, Android apps found in violation that have not requested extensions will be removed from the Play Store “over the next few weeks.”