Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Google Privacy Android The Internet

Google's New SMS and Call Permission Policy is Crippling Apps Used by Millions (androidpolice.com) 56

Ryne Hager, writing for AndroidPolice: Late last year, Google decided it was time to crack down on apps requesting SMS and call log permissions. Ostensibly, exceptions would be granted for categories including backups and automation, but as of now, there are still gaps which cover legitimate use cases. While some popular apps like Tasker have successfully secured exemptions, others like Cerberus have not. Instead, they've decided to strip out those permissions or risk facing the wrath of Google's upcoming January 9th banhammer, killing associated functionality and disappointing millions of long-time users to adhere to the Play Store's new policy.

The Play Console support page for the applicable set of permissions notifies developers that they can submit what is effectively an application for an exemption, categories for which are listed on the same page. (And that list of exceptions has grown since the original announcement.) Nonetheless, a further set of prohibitions are also included in the form itself, which explicitly preclude support for phone security/device location apps like Cerberus.

This discussion has been archived. No new comments can be posted.

Google's New SMS and Call Permission Policy is Crippling Apps Used by Millions

Comments Filter:
  • I honestly don't care where my apps are hosted. I use F-Droid [f-droid.org] more than Google Play anyway. I suspect someone wanting to use SMS to trigger a phone location are savvy enough to sort out alternate methods of getting the app.

    Google can pull the ban hammer all they want, but until they also pull the walled garden hammer, people are going to be able to use the fact that it's still an open-ish platform to get the apps they want.

    • by Anonymous Coward
      Yup. And when some 3rd party app you just "had to have" drains your bitcoin wallet, you'll be first in line hear singing the blues. And we'll laugh, and say go away feeb
      • As if the walled garden doesn't have malware. ROFL.

      • Well, if it's a choice between F-Droid and Google Play, F-Droid has had exactly zero cases of malware slipping into its repository. How many has Google had?

        Now, what I would just looooove to know are statistics on what proportion of malware got onto Android phones via Google Play versus side-loading. That would be an interesting statistic to see.

        I trust Google about as far as I trust the NSA to protect my interests. I have a tougher vetting process for Google Play apps that I go through than I do for F-D

    • by emil ( 695 )

      While I am not ready to entirely cut my ties with Google, it is time for some distance.

      This month I wiped my Android ROM and loaded microG [microg.org]. This does complicate access to Google services, but I am willing to accept that.

      I do have a lifetime Cerberus membership, and I have downloaded their full-featured APK directly, bypassing Google. UBER continues to work without error (and yes, I know UBER is also a privacy nightmare). I have downloaded many other apps from Google Play, most of which work perfectly with t

  • by Anonymous Coward

    Users just need the ability to approve this on a per- app basis, not censorship.

    Even better would be if users can choose to "approve" a permission but with fake data for those apps that try to overreach.

    • by iamgnat ( 1015755 ) on Tuesday January 08, 2019 @01:42PM (#57925820)

      Users just need the ability to approve this on a per- app basis, not censorship.

      I've been an Android user since about the end of 6 and it has always had that ability on my phones (Nexus 6P and Pixel 3 XL). You have to go out of the way to change the permissions though so it would be nice if it would pop up the list for you to verify the first time you run it after an install or update.

      What pisses me off is the apps that refuse to work at all if they don't have a specific permission even if you don't use the related feature. For example I have a heart monitor that requires microphone permission so you can record notes, but it also allows you to write simple text notes too. If you don't give it permission to use the microphone it refuses to work at all. I've run into plenty of others too, but that's the only one where my answer couldn't simply be to delete the app.

      • Another example is Tile, the handy little device that helps you find your keys using your phone, or find your cell phone using your keys. It's a nice little piece of tech that I've liked very much. However, after seeing stories recently how some seemingly trustworthy apps are selling "anonymized" location data which can trivially be reidentified simply by looking where you spend your evenings and where you spend your work hours, I started locking down location data for all my apps. And when I did, wouldn't

      • This might be useful to you, as I believe it returns nonsensical data, rather than throwing an error.
    • Yes, just allow me to disable access and just show the app an empty call or sms history when it is requested. The app should be able to function without these things even if the app thinks it "needs" them. For things I trust to actually need them I won't disable access. For apps like a rewards app from a restaurant that thinks it needs my GPS location and call history, it can go pound salt (currently I don't install those but would be nice to have the ability to disable access on a per-app basis).

  • Security (Score:5, Insightful)

    by Luthair ( 847766 ) on Tuesday January 08, 2019 @01:26PM (#57925668)
    Given it isn't uncommon (unfortunately) for SMS to be used as a second factor its too unsafe to allow random applications to have access. Its also a common scam for using SMS permission to sign up for high cost services.
    • Given it isn't uncommon (unfortunately) for SMS to be used as a second factor its too unsafe to allow random applications to have access. Its also a common scam for using SMS permission to sign up for high cost services.

      That's not the argument [almost] anybody is making. They are saying that there are legit, non-scam, non-insecure apps that use SMS and Call Log permissions for useful, beneficial, and productive purposes in a responsible way and Google isn't giving them exceptions or any explanations what t

  • by Anonymous Coward

    Google's New SMS and Call Permission Policy is Crippling Apps Used by Millions

    Permissions on apps have become stupid, and far too many apps are written and published by lying assholes.

    It really is time to start treating these permissions as something an app doesn't need, and to prevent these fucking things from slurping your data and sending it off to some marketing asshole to be scraped and sold.

    We passed peak smartphone and peak app quite some time ago, and while I've refused to become beholden to this cr

  • Cudos Google (Score:5, Interesting)

    by Dorianny ( 1847922 ) on Tuesday January 08, 2019 @01:41PM (#57925802) Journal
    Sorry but collection of sensitive data for profit, is a much bigger concern than a few legitimate apps being broken. Now, if only we could do something about Google's data-mining
  • by sootman ( 158191 ) on Tuesday January 08, 2019 @02:09PM (#57926050) Homepage Journal

    Remember when Windows came out, and it had tons of shitty security assumptions and bad default settings in place, and then MS had to spend decades cleaning up that mess? Good times.

    In the early 2000s, Google should have been smart enough to know that "by default, just let anyone do anything" was a bad place to start.

    • That would have involved looking into their own hearts to recognize the depth and depravity of greed in the technology industry.

      • Just because Microsoft in the 90's was trying to be the most evil company ever imagined does not mean they had to let other companies be that evil.
    • In the early 2000s, Google should have been smart enough to know that "by default, just let anyone do anything" was a bad place to start.

      That's not where they started, at all (and Google wasn't involved until 2005). They started with a much tighter security model than Windows had. Every app sandboxed and running as its own UID to make sure that apps couldn't look at each others' files (unless they chose to make them world-readable), and every app having to declare the permissions it would use and requiring users to approve those permissions before installing. The original Android security model was tighter than the Windows security model is

  • Then they never abide by it, and in fact do things that seem far more sinister than what they're claiming to prevent others from doing:

    https://qz.com/1131515/google-collects-android-users-locations-even-when-location-services-are-disabled/

  • Google could put the permissions an app wants in a clear place in the app store so that I could consider the information BEFORE I tried to install the dang thing. As it is, you have to install it, go "Nope", then un-install it and find another app that does the same thing so that you can repeat the process.

  • SMS Retriever API (Score:5, Interesting)

    by Todd Knarr ( 15451 ) on Tuesday January 08, 2019 @04:38PM (#57927080) Homepage

    So why can't Cerberus use the SMS Retriever API for their functionality? For what they're doing they don't need to see every SMS message or call log entry on the device, they just need to see and respond to the single SMS message sent by their servers which is exactly what the Retriever API is designed for. It requires a loop, it'd be nice if there was a way for an app to register a permanent retriever so that loop wasn't necessary, but it shouldn't require a half-decent Android developer more than a day or two to code up the functionality needed. All these devs are doing is throwing a hissy fit instead of acknowledging why Google found these restrictions necessary and working within them (or working with Google to implement just the functionality needed). I suddenly feel a need to research any app or company complaining about this to see exactly why they're so upset about losing access to a data stream that it doesn't seem they should care about in the first place.

  • Between Google's various experiments with locking down storage (e.g. I have an older tablet where epub readers cannot read epub files saved to the local storage) and crap like this, it feels amazingly like my time period with Windows Phone.

    I wonder if they're going to remove all the third-party SMS apps like Textra (but of course the built-in messenger and Hangouts will work). Location? That should only be accessible to Google-branded apps.

    It's going to be like Apple in terms of being locked down, but witho

The opossum is a very sophisticated animal. It doesn't even get up until 5 or 6 PM.

Working...