Google's New SMS and Call Permission Policy is Crippling Apps Used by Millions (androidpolice.com) 56
Ryne Hager, writing for AndroidPolice: Late last year, Google decided it was time to crack down on apps requesting SMS and call log permissions. Ostensibly, exceptions would be granted for categories including backups and automation, but as of now, there are still gaps which cover legitimate use cases. While some popular apps like Tasker have successfully secured exemptions, others like Cerberus have not. Instead, they've decided to strip out those permissions or risk facing the wrath of Google's upcoming January 9th banhammer, killing associated functionality and disappointing millions of long-time users to adhere to the Play Store's new policy.
The Play Console support page for the applicable set of permissions notifies developers that they can submit what is effectively an application for an exemption, categories for which are listed on the same page. (And that list of exceptions has grown since the original announcement.) Nonetheless, a further set of prohibitions are also included in the form itself, which explicitly preclude support for phone security/device location apps like Cerberus.
I don't care where it's hosted... (Score:3)
I honestly don't care where my apps are hosted. I use F-Droid [f-droid.org] more than Google Play anyway. I suspect someone wanting to use SMS to trigger a phone location is savvy enough to sort out alternate methods of getting the app.
Google can pull the ban hammer all they want, but until they also pull the walled garden hammer, people are going to be able to use the fact that it's still an open-ish platform to get the apps they want.
Re: (Score:2)
As if the walled garden doesn't have malware. ROFL.
Re: (Score:2)
Well, if it's a choice between F-Droid and Google Play, F-Droid has had exactly zero cases of malware slipping into its repository. How many has Google had?
Now, what I would just looooove to know are statistics on what proportion of malware got onto Android phones via Google Play versus side-loading. That would be an interesting statistic to see.
I trust Google about as far as I trust the NSA to protect my interests. I have a tougher vetting process for Google Play apps that I go through than I do for F-D
microG (Score:2)
While I am not ready to entirely cut my ties with Google, it is time for some distance.
This month I wiped my Android ROM and loaded microG [microg.org]. This does complicate access to Google services, but I am willing to accept that.
I do have a lifetime Cerberus membership, and I have downloaded their full-featured APK directly, bypassing Google. UBER continues to work without error (and yes, I know UBER is also a privacy nightmare). I have downloaded many other apps from Google Play, most of which work perfectly with t
It's not for the users' benefit (Score:2, Insightful)
Users just need the ability to approve this on a per-app basis, not censorship.
Even better would be if users can choose to "approve" a permission but with fake data for those apps that try to overreach.
Re:It's not for the users' benefit (Score:5, Informative)
> Users just need the ability to approve this on a per-app basis, not censorship.
I've been an Android user since about the end of 6 and it has always had that ability on my phones (Nexus 6P and Pixel 3 XL). You have to go out of the way to change the permissions though so it would be nice if it would pop up the list for you to verify the first time you run it after an install or update.
What pisses me off is the apps that refuse to work at all if they don't have a specific permission even if you don't use the related feature. For example I have a heart monitor that requires microphone permission so you can record notes, but it also allows you to write simple text notes too. If you don't give it permission to use the microphone it refuses to work at all. I've run into plenty of others too, but that's the only one where my answer couldn't simply be to delete the app.
Re: (Score:2)
Another example is Tile, the handy little device that helps you find your keys using your phone, or find your cell phone using your keys. It's a nice little piece of tech that I've liked very much. However, after seeing stories recently how some seemingly trustworthy apps are selling "anonymized" location data which can trivially be reidentified simply by looking where you spend your evenings and where you spend your work hours, I started locking down location data for all my apps. And when I did, wouldn't
LineageOS Privacy Guard (Score:2)
Re: (Score:2)
Yes, just allow me to disable access and just show the app an empty call or sms history when it is requested. The app should be able to function without these things even if the app thinks it "needs" them. For things I trust to actually need them I won't disable access. For apps like a rewards app from a restaurant that thinks it needs my GPS location and call history, it can go pound salt (currently I don't install those but would be nice to have the ability to disable access on a per-app basis).
Re: (Score:2)
Well, if this were Apple, and going through their app store was the only legitimate way I could get an app onto my phone, then I would be upset at the high handedness of it. As it is, Android is still an open platform. People can get apps onto their phone other ways besides Google Play. So, if Google wants to start putting limits on what apps can have what permissions in order to appear in a store they own, go ahead. This particular permission is one that would be sought by apps used by more savvy peopl
Re: (Score:2)
> Another $50 that they all get modded up to +5
One thousand quatloos that both sides will complain about google no matter what google does.
I for one, hate just how much google knows about me . . . . um . . . hey google can you recommend a movie that I might like?
Security (Score:5, Insightful)
Re: (Score:2)
> Given it isn't uncommon (unfortunately) for SMS to be used as a second factor it's too unsafe to allow random applications to have access. It's also a common scam for using SMS permission to sign up for high cost services.
That's not the argument [almost] anybody is making. They are saying that there are legit, non-scam, non-insecure apps that use SMS and Call Log permissions for useful, beneficial, and productive purposes in a responsible way and Google isn't giving them exceptions or any explanations what t
Good ... (Score:1)
Permissions on apps have become stupid, and far too many apps are written and published by lying assholes.
It really is time to start treating these permissions as something an app doesn't need, and to prevent these fucking things from slurping your data and sending it off to some marketing asshole to be scraped and sold.
We passed peak smartphone and peak app quite some time ago, and while I've refused to become beholden to this cr
Kudos Google (Score:5, Interesting)
Re:I don't see any reason!... (Score:4, Insightful)
Re: (Score:3)
Sadly this is the only way on Android. There is no way to attach an event to a message without access to call logs and the inbox.
And what pressure is there for Google to fix its lazy-ass APIs when it can just whack indie app developers? Are these people going to go to iPhone? No, most people can't afford one.
Oh, what's that you say, a third-party app store that has the more useful apps and only charges 5%? Interesting.
Re: I don't see any reason!... (Score:1)
+1 the all or nothing approach is the problem.
Solutions have been conceived but after years in this game Google has yet to do anything more sensible.
Anyone have pointers to an alternative OS with any traction that is not Apple or Microsoft or anyone Chinese? I have an older phone handy to play with
Re: I don't see any reason!... (Score:2)
How bout an app that uses SMS as a remote control channel for when you lose your phone?
Use data instead. Problem solved.
Re: (Score:2)
> Any good reason why any app would want to see my call logs or sms!
Your lack of imagination isn't relevant here. I, for instance, use an app that enters all my calls into a work calendar where I have a background script that organizes them per-client. That gets automated into the billing system.
Maybe they'll get an exception, who knows ... I doubt it. Google is too lazy to add fine-grained control to its APIs and doesn't care much about uncommon use cases or if it puts a bunch of developers out of busine
Deja vu (Score:3)
Remember when Windows came out, and it had tons of shitty security assumptions and bad default settings in place, and then MS had to spend decades cleaning up that mess? Good times.
In the early 2000s, Google should have been smart enough to know that "by default, just let anyone do anything" was a bad place to start.
Re: (Score:2)
That would have involved looking into their own hearts to recognize the depth and depravity of greed in the technology industry.
Re: (Score:2)
> In the early 2000s, Google should have been smart enough to know that "by default, just let anyone do anything" was a bad place to start.
That's not where they started, at all (and Google wasn't involved until 2005). They started with a much tighter security model than Windows had. Every app sandboxed and running as its own UID to make sure that apps couldn't look at each others' files (unless they chose to make them world-readable), and every app having to declare the permissions it would use and requiring users to approve those permissions before installing. The original Android security model was tighter than the Windows security model is
TFW Orwellian Companies make good-sounding policy (Score:1)
Then they never abide by it, and in fact do things that seem far more sinister than what they're claiming to prevent others from doing:
https://qz.com/1131515/google-collects-android-users-locations-even-when-location-services-are-disabled/
Another option... (Score:2)
Google could put the permissions an app wants in a clear place in the app store so that I could consider the information BEFORE I tried to install the dang thing. As it is, you have to install it, go "Nope", then un-install it and find another app that does the same thing so that you can repeat the process.
SMS Retriever API (Score:5, Interesting)
So why can't Cerberus use the SMS Retriever API for their functionality? For what they're doing they don't need to see every SMS message or call log entry on the device, they just need to see and respond to the single SMS message sent by their servers which is exactly what the Retriever API is designed for. It requires a loop, it'd be nice if there was a way for an app to register a permanent retriever so that loop wasn't necessary, but it shouldn't require a half-decent Android developer more than a day or two to code up the functionality needed. All these devs are doing is throwing a hissy fit instead of acknowledging why Google found these restrictions necessary and working within them (or working with Google to implement just the functionality needed). I suddenly feel a need to research any app or company complaining about this to see exactly why they're so upset about losing access to a data stream that it doesn't seem they should care about in the first place.
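For reference, an added sketch (not part of the comment above, and not Cerberus or Google code) of the device side of the SMS Retriever API and the re-arm "loop" the comment mentions. Play services hands the app only a message that contains the app's 11-character hash string, and each request listens for up to five minutes. `RemoteCommandReceiver` and `handleCommand` are hypothetical names, and the receiver is assumed to be declared in the manifest, guarded by the `com.google.android.gms.auth.api.phone.permission.SEND` permission.

```kotlin
// Added example. Requests neither READ_SMS, RECEIVE_SMS nor READ_CALL_LOG.
import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import com.google.android.gms.auth.api.phone.SmsRetriever
import com.google.android.gms.common.api.CommonStatusCodes
import com.google.android.gms.common.api.Status

class RemoteCommandReceiver : BroadcastReceiver() {

    override fun onReceive(context: Context, intent: Intent) {
        if (intent.action != SmsRetriever.SMS_RETRIEVED_ACTION) return
        val extras = intent.extras ?: return
        val status = extras.get(SmsRetriever.EXTRA_STATUS) as? Status ?: return

        when (status.statusCode) {
            CommonStatusCodes.SUCCESS -> {
                // Only the single SMS carrying this app's hash arrives here;
                // the rest of the inbox and the call log stay out of reach.
                val message = extras.getString(SmsRetriever.EXTRA_SMS_MESSAGE)
                if (message != null) handleCommand(context, message)
            }
            CommonStatusCodes.TIMEOUT -> {
                // No matching SMS arrived during this listening window.
            }
        }
        // A retriever request is single-use, so start the next window.
        arm(context)
    }

    private fun handleCommand(context: Context, message: String) {
        // Hypothetical hook: authenticate the command before acting on it.
        // SMS sender identity is not trustworthy on its own.
    }

    companion object {
        /** Starts one listening window; call once at startup to begin the loop. */
        fun arm(context: Context) {
            SmsRetriever.getClient(context.applicationContext)
                .startSmsRetriever()
                .addOnFailureListener {
                    // Play services unavailable: nothing will be delivered.
                }
        }
    }
}
```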
Welcome to Windows Phone! (Score:2)
I wonder if they're going to remove all the third-party SMS apps like Textra (but of course the built-in messenger and Hangouts will work). Location? That should only be accessible to Google-branded apps.
It's going to be like Apple in terms of being locked down, but witho