Not so long ago in October, 2018 Google has announced a new policy regarding the use of SMS and Call Log access permissions in your Android apps.
“Providing a safe and secure experience for our users. – Android Developers Blog, Google”
“Google is restricting which apps can request Call Log and SMS permissions – XDA Developers”
Which created quite a buzz amongst the Android Developer community, by short it means Google is restricting the access to the user’s SMS and Call logs from our Android apps, which is actually a step forward to protect the user’s privacy and security.
Root cause…
Since the beginning on Android you could gain access directly to read the user’s SMS and Call logs on android upon permission request, and your app didn’t have to be registered as a Phone or SMS handler app to perform this action. Any app could easily ask for permission from user and gain access to SMS functionality and Call logs seamlessly.
After a while,
some apps had actually started to misuse this open access, and violate user’s private data continuously…
As a fellow developer, speaking of this matter it was just a matter of getting the user to permit the one time permission and setting up the broadcast receiver to reading the messages forever even in background, which was a very easy and open access which could have easily misused for any illegal activity. And frankly since this was just a one time permission access thing, the user wouldn’t really be aware of what’s going on in the background. :O
And frankly even for a small feature such as OTP we had to gain access to reading the whole list of SMS data in the phone, which was kind of way too much access in my opinion for such a simple task.
Restricting it up!
So Google has started to crack down on this issue as such..
“Some Android apps ask for permission to access a user’s phone (including call logs) and SMS data. Going forward, Google Play will limit which apps are allowed to ask for these permissions. Only an app that has been selected as a user’s default app for making calls or text messages will be able to access call logs and SMS, respectively.”
Well done Google! now that’s how it’s done. 😀
So frankly what Google is saying as the new policy is that your app will not be given SMS and Call log access permission unless user has selected your app as the default system SMS or Call provider app.
Unless your app’s “core functionality” is related to SMS or Call logs, such as a SMS Sender/Reader or a Call log recording app or something similar of sorts, your app will not be granted access. Otherwise you’re going to have to revert to other API’s Google has provided to access SMS and Call logs for minor functionalities such as OTP verification and so on. 🙂
Now that was back in October, 2018!
Don’t comply? App will be blocked!
Yep they first gave a grace period of 90 days and now they are bringing the rain down upon the apps…
“Reminder SMS/Call Log Policy Changes – Android Developers Blog, Google”
So they have begun cracking down on the apps that are already in the Play Store which does not comply with the new policy of accessing the SMS/Call logs information.
It’s now being striclty mentioned in the Play Store Developer Policy Center: https://play.google.com/about/privacy-security-deception/permissions/
But this doesn’t mean they wouldn’t give any exceptions, in cases like if it is heavily required for the app’s core functionality, as if it’s a sub-functionality that could break the core flow of the app. In which case you will be able to submit a special review for an exception.
So what solution?
This is where you need to take a hard look at your app’s functionality and decide what is core functionality and what’s a side feature.
They have defined this very well in their new updated help document:
“Use of SMS or Call Log permission groups – Play Console Help, Google”
let me put it frankly.
Not Core Functionality but still needed!
This are the instances where it would really not break the core functionality of your app, but it is still required for some other sub-functionality in your app?
Such as for an example, let’s say SMS OTP verification? In that case you could use Google’s alternate API to access SMS OTP retriever API, which doesn’t require SMS access Permission from user. 😀
So they have also given a list of alternate possible APIs you could use to fulfil the requirement without having need the access to SMS/Call logs information.
https://support.google.com/googleplay/android-developer/answer/9047303
Once you have implemented the alternate API use, then you should submit a new version to Play Store without the mentioned permissions.
Core Functionality!
So this is where you need to define the use of your app, is your app an actual SMS Sender/Reader app such as Messenger? or a Call Log keeping app? which then can be defined as a the core functionality of your app. In that case you could continue using the access to the information as long as the user has set your app as the default phone SMS or Call service provider.
But if it is not a default Messenger or Caller app and still needed the access permissions for core functionality then…
“Submit a new version of your app that retains the permissions. Doing so will require you to complete a permissions declaration form inside the Play Console (coming soon) and will give you an extension until March 9th to remove the permissions or receive approval for your use case.”
– Android Developers Blog, Google
If accessing SMS/Call logs is required for a main functionality and you believe it does not violate the policies then you could submit a Declaration Form in Google Play Store, requesting for manual review to exclude your app from removal from Play Store.
They may provide a temporary exception to apps that aren’t Default SMS, Phone, or Assistant handlers when certain scenarios aren’t possible to achieve without such permission access, which is defined in the Exceptions section in “Use of SMS or Call Log permission groups – Play Console Help, Google”
In Conclusion…
Now this actually is going to break a lot of cool features of apps, which may or may not be violating user’s sensitive information. But still it’s a one big step forward for gaining the Android User’s trust and making them feel positive about using your app in long term. 🙂
Again that I’m saying this is going to prevent some really cool apps being pushed to public market via Play Store though. 😐 but a much needed restriction…
ÇøŋfuzëÐ SøurcëÇødë 