Google To Put a Muzzle on Android Apps Accessing Location Data in the Background (zdnet.com)

Google has announced this week plans to crack down on Android apps that abuse the OS permissions system and request access to user geo-location data when the app is not in use. From a report: Starting with May, the OS maker plans to show warnings in the Play Store backend to all Android app developers about the need to update their apps. Going forward, Android apps will have to request access to location data based on the way they need this information. Google plans to review each app on a case-by-case basis and remove apps from the Play Store if they request access to location data and that's not immediately used inside the app. Google plans to review its own apps as well, the company said in a blog post this week. The goal of this major rule change is to crack down on apps that may be secretly harvesting location data while they are not in use. This type of data is called "background location data" and most app makers often sell it to analytics firms and online advertisers.

  • I wonder how this will impact apps that use the background location permission to run in the background. One app I use, C25K (a running trainer), asks for location so that it doesn't get marked idle and killed if it's running in the background while I do something else like listen to music or YouTube. If I take away Location, Android will kill the app eventually. I don't know if there's a proper/better way for an app to run in a service-type manner but I hope it's addressed before the permission starts get

    • by fermion ( 181285 )
      They say it is case by case, so if the use is legitimate, it should be ok. On iOS you now get this annoying reminder, which I suppose is good, but it can lead to security fatigue. A lot of just want to collect data,

      My personal annoyance is Dropbox. They want persistent location data in exchange for background updating. I don’t see why they need this, and I suspect that this is the type of thing Google will crack down on.

      • "I don’t see why they need this"

        As the parent post described, "so that it doesn't get marked idle and killed if it's running in the background while I do something else like listen to music or YouTube"

        The operating system does not at present offer a way to notify an app whenever a photo is taken, and allow that application to persist long enough to do the backup. Dropbox uses background location or activity tracking (depending on the platform) to provide a way to wake up the app, in much the same way

        • by rgmoore ( 133276 )

          This seems like an argument in favor of something like cron. Apps should be allowed to schedule regular wake-ups for this kind of thing rather than abusing a function that's really intended for something else.

      • by brunes69 ( 86786 )

        I want to know how they will handle apps like Tasker and AutomateIt. iOS simply doesn't have power apps like this. If Google cripples them, it will be a huge step backwards for Android.

    • by DogDude ( 805747 )
      So, you're OK with this running "app" selling your data to other people and companies?
      • I'd prefer not to grant location permissions to an app that doesn't need location data to do its job for me - but lacking an alternative in Android like a cron substitute it's what I'm stuck with. Some apps I simply need to be able to run in the background like the run tracker.

    • by Engdy ( 124179 )
      Does Android kill the app after around a minute in the background? You can try "whitelisting" the app so Android doesn't consider it for battery optimization.
      adb shell dumpsys deviceidle whitelist +com.package.name.of.app
    • by rgmoore ( 133276 )

      A fitness app is an obvious example of something that has a genuine need to track your location even when it's running in the background, so I would expect Google to allow it. This is to keep apps that might need your location while you're interacting with them from asking for it all the time. For example, my bank has an app that will help me locate the nearest ATM. That's a helpful feature that needs my location, but it only needs it when I'm interacting with the app, not all the time.

      • It will be interesting to see how Firefox is impacted. You can currently turn on a setting to allow use of your location data to improve Mozilla's location database (basically the map of wifi access points that makes it faster to determine your location). Will the almighty Google judge this setting an invalid use of background access or one that is allowed due to the explicit user consent?

  • It would not be a shock to me if they magically find more justification for their own programs to keep accessing the data any way they see fit compared to a third party.

    • Yep. This is just to give Google an advantage.

    • Of course. If selling user activity is a revenue source, nobody's going to want to give that cash up.

      Candy Crush? We've now got AR, fitness, and social functionality! You get 1000 gems per mile walked.

  • by schwit1 ( 797399 ) on Friday February 21, 2020 @01:15PM (#59751384)

    The Google Play services LocationPersistentService gets restarted every time I stop it.

    • You can't do that to our pledges only we can do that to them.

    • That's the service that provides location services to other apps, rather than having every single app duplicate that functionality. It augments GPS location with Wi-Fi location and cellular tracking to provide accurate tracking under nearly any circumstance.

  • by Anonymous Coward

    Google has previously abused their monopoly power to cut other mapping locations out of the market. They settled with Skyhook Wireless back in 2015 for $90,000,000 for absolutely grotesque patent and monopoly abuse (https://www.bostonglobe.com/business/2015/05/19/skyhook-got-million-from-google-settlement/0q54ppSx2NqLrpyisw9ZZK/story.html)

  • by jabberw0k ( 62554 ) on Friday February 21, 2020 @01:39PM (#59751506) Homepage Journal
    It's almost like people ought to demand nothing but free and open software, so they can see and decide for themselves what the programs ("app" is just a euphemism for program) on their computers (sometimes euphemistically called "telephones") are doing.
    • by tepples ( 727027 )

      Who would pay to feed and house professional developers of free software intended for home or individual mobile use, as opposed to free software used in the line of business?

      • The same kinds of folks who pay for the development of Libre Office, Gimp, and thousands of other major free software programs?
        • Who would pay to feed and house professional developers of free software intended for home or individual mobile use, as opposed to free software used in the line of business?

          The same kinds of folks who pay for the development of Libre Office, Gimp, and thousands of other major free software programs?

          LibreOffice and GIMP are intended for use in the line of business. Because of this, medium and large businesses that make heavy use of the programs have the money to hire programmers to improve the programs and contribute these improvements upstream. This can't be said quite so practically of programs targeted at individual home users who are not programmers, such as fitness trackers and video games.

      • Comment removed based on user account deletion
      • Let's say Uncle Sam or the EU mandated that it's only lawful to sell smartphones with pure FOSS preinstalled. If the user wants proprietary spyware, he can install it himself.

        The hardware vendors then can choose to support FOSS developers; or they can choose not to sell any phones in that (large, profitable) jurisdiction.

        We're so used to seeing the Law used for evil in the tech world. Let's not forget that it can also be used for good.

        • Let's say Uncle Sam or the EU mandated that it's only lawful to sell smartphones with pure FOSS preinstalled. If the user wants proprietary spyware, he can install it himself.

          Under current law, these smartphones would be unable to connect to a network until the user gives in and installs said "proprietary spyware." This is because the baseband software required to connect to a cellular or Wi-Fi network implements a patented transformation of data. And by the time the patents that cover one generation of the cellular stack (such as GSM or UMTS or LTE or 5G NR) have expired, the carriers have ended service on the stack in favor of a stack two generations newer.

    • While that is good in theory, how much OSS have you
      1. read through all the source code so you know everything that it's doing?
      2. compiled it yourself from that source code?
      3. audited the code for the compiler you used to compile the code in (2)?
      4. compiled that compiler yourself?
      5. done the same for the compiler used to compile the compiler?
      6. etc.

      Unless you do all of the above (including write the code for the first compiler in machine language using a hex editor, not some IDE), at some point you have to trust some

      • Unless you do all of the above (including write the code for the first compiler in machine language using a hex editor, not some IDE), at some point you have to trust someone. Whether it be the person who wrote proprietary code, or the person who claimed to have audited OSS source code, or the person who compiled the OSS code to create a downloadable binary blob, or the person who compiled the compiler used to compile code you yourself audited, or the person who wrote the code for the compiler used to comp
  • It'll be interesting to see if this is enforced on the major device manufacturers.

    For example, the "Galaxy Wearable" app that goes with my Samsung Buds headset requires access to GPS at all times, and prompts you to enable it if you prohibit it in settings.

    e.g. absolutely no functionality provided by the location data in or out of the app.

    Will Google delist such a high visibility app because of this?

  • by account_deleted ( 4530225 ) on Friday February 21, 2020 @03:49PM (#59752026)
    Comment removed based on user account deletion
    • Since Google apps will be the only ones that are able to harvest data, they'll no longer face any competition on Android, and advertisers will have to go to them directly. This will increase their profits significantly.

      As the summary says, Google's own apps will face the same scrutiny and the same requirements. Yes, this may mean there's some conflict between the Android security & privacy teams and the app teams. That's not at all unusual.

      (ps: as a LineageOS user, fuck Google, and fuck what they're doing to Android).

      You might be interested to know that the LineageOS team and the Google Android team have a good working relationship. I have regular calls with the LineageOS guys to talk about what we're changing and to work out how to ensure that it doesn't negatively affect them -- and even wh

  • by Solandri ( 704621 ) on Friday February 21, 2020 @04:00PM (#59752078)
    Just give these apps spoofed location data instead [google.com].

    If you block location data, the amount of location data being sold to marketers decreases. The demand for it however does not increase. That makes the market price of any location data that someone is able to harvest go up, meaning that app makers just get a bigger incentive to figure out new creative ways to bypass the blocks and get your location.

    If you instead flood them with spoofed location data, they have no way of knowing what part (or even what fraction) of their dataset is real or spoofed. That degrades the value of the location dataset to marketers. The market price drops, and there's less incentive for app makers to surreptitiously harvest your location data.
    • Just give these apps spoofed location data instead

      That would be a foolish, neverending fight. An arms race between the people trying to identify spoofed data and the people trying to generate plausible-looking spoofed data. Better to just refuse to provide it.

  • Yea, if Google stops everyone from collecting it, it just makes it more valuable for when Google sells it. The law of supply and demand in action.

  • Google is going about this stuff all wrong. The moment this is implemented we'll hear about dozens of apps that have good legitimate reasons for using this being banned, and meanwhile many malicious apps will still be missed. We've seen this several times already (look at all the call recording and call screening apps that Google killed because they "didn't need access to phone call information" as an example)

    What Google really needs to do is let any app request any permission, but let the users actually de
