Slashdot Mirror


Google's New SMS and Call Permission Policy is Crippling Apps Used by Millions (androidpolice.com)

Ryne Hager, writing for AndroidPolice: Late last year, Google decided it was time to crack down on apps requesting SMS and call log permissions. Ostensibly, exceptions would be granted for categories including backups and automation, but as of now, there are still gaps which cover legitimate use cases. While some popular apps like Tasker have successfully secured exemptions, others like Cerberus have not. Instead, they've decided to strip out those permissions or risk facing the wrath of Google's upcoming January 9th banhammer, killing associated functionality and disappointing millions of long-time users to adhere to the Play Store's new policy.

The Play Console support page for the applicable set of permissions notifies developers that they can submit what is effectively an application for an exemption, categories for which are listed on the same page. (And that list of exceptions has grown since the original announcement.) Nonetheless, a further set of prohibitions are also included in the form itself, which explicitly preclude support for phone security/device location apps like Cerberus.

56 comments

  1. I don't care where it's hosted... by Excelcia · · Score: 2

    I honestly don't care where my apps are hosted. I use F-Droid more than Google Play anyway. I suspect someone wanting to use SMS to trigger a phone location is savvy enough to sort out alternate methods of getting the app.

    Google can pull the ban hammer all they want, but until they also pull the walled garden hammer, people are going to be able to use the fact that it's still an open-ish platform to get the apps they want.

    1. Re:I don't care where it's hosted... by Anonymous Coward · · Score: 1

      Yup. And when some 3rd party app you just "had to have" drains your bitcoin wallet, you'll be first in line here singing the blues. And we'll laugh, and say go away feeb

    2. Re:I don't care where it's hosted... by Anonymous Coward · · Score: 0

      You're expecting an F-Droid app to do that? You're weird.

    3. Re:I don't care where it's hosted... by Anonymous Coward · · Score: 0

      isn't it more likely that that app from that third party source would be mining bitcoin for someone else

    4. Re:I don't care where it's hosted... by FictionPimp · · Score: 1

      As if the walled garden doesn't have malware. ROFL.

    5. Re:I don't care where it's hosted... by Excelcia · · Score: 1

      Well, if it's a choice between F-Droid and Google Play, F-Droid has had exactly zero cases of malware slipping into its repository. How many has Google had?

      Now, what I would just looooove to know are statistics on what proportion of malware got onto Android phones via Google Play versus side-loading. That would be an interesting statistic to see.

      I trust Google about as far as I trust the NSA to protect my interests. I have a tougher vetting process for Google Play apps that I go through than I do for F-Droid. And for good reason. And so should you.

    6. Re:I don't care where it's hosted... by Anonymous Coward · · Score: 0

      No, because apps on F-Droid are open source and vetted. Note how every single app on F-Droid explicitly states which, if any, anti-features that app has/requires. I trust F-Droid *far* more than I trust Google Play.

      Also this policy change is a good thing. If it breaks your software, then fix your software to not be an insecure piece of crap, "Ryne".

  2. It's not for the users benefit by Anonymous Coward · · Score: 2, Insightful

    Users just need the ability to approve this on a per-app basis, not censorship.

    Even better would be if users can choose to "approve" a permission but with fake data for those apps that try to overreach.

    1. Re:It's not for the users benefit by iamgnat · · Score: 4, Informative

      > Users just need the ability to approve this on a per-app basis, not censorship.

      I've been an Android user since about the end of 6 and it has always had that ability on my phones (Nexus 6P and Pixel 3 XL). You have to go out of the way to change the permissions though so it would be nice if it would pop up the list for you to verify the first time you run it after an install or update.

      What pisses me off is the apps that refuse to work at all if they don't have a specific permission even if you don't use the related feature. For example I have a heart monitor that requires microphone permission so you can record notes, but it also allows you to write simple text notes too. If you don't give it permission to use the microphone it refuses to work at all. I've run into plenty of others too, but that's the only one where my answer couldn't simply be to delete the app.

    2. Re:It's not for the users benefit by sanosuke001 · · Score: 1

      Yes, just allow me to disable access and just show the app an empty call or sms history when it is requested. The app should be able to function without these things even if the app thinks it "needs" them. For things I trust to actually need them I won't disable access. For apps like a rewards app from a restaurant that thinks it needs my GPS location and call history, it can go pound salt (currently I don't install those but would be nice to have the ability to disable access on a per-app basis).

      --
      -SaNo
    3. Re: It's not for the users benefit by Anonymous Coward · · Score: 0

      Bingo! Shitty companies know people will click through or hold them at ransom until they do.

      Really the app shouldn't even know you denied permission and instead it gets an empty or null device. Call log.... why it is mysteriously blank! The mic device would output an emotes stream. It's not that hard to maintain api calls and just not give them data.

    4. Re:It's not for the users benefit by LordKronos · · Score: 1

      Another example is Tile, the handy little device that helps you find your keys using your phone, or find your cell phone using your keys. It's a nice little piece of tech that I've liked very much. However, after seeing stories recently how some seemingly trustworthy apps are selling "anonymized" location data which can trivially be reidentified simply by looking where you spend your evenings and where you spend your work hours, I started locking down location data for all my apps. And when I did, wouldn't you know it...the Tile doesn't function at all anymore without location services. I understand they want location data to enable their crowdsourced location feature, but I don't want that. I just want to find my keys in my house.

    5. Re: It's not for the users benefit by Anonymous Coward · · Score: 0

      I've run Windows for decades. Number of times I've been hit with malware, viruses, etc?

      0.

      Reason Nutella stuck his cloudy dick into Windows 10 and stripped update acceptance choice?

      Because I'm on what was once a tech site.

      And yet as far as Slashdot has fallen, even the most retarded people here are complete outliers.

      Give users options and choices instead of technological jackboots and you'll pay the price in support. No, giving users the ability to continue fucking themselves won't solve Google's problem, because users will happily let any app they think they need have permission to do anything said app asks for.

    6. Re:It's not for the users benefit by Anonymous Coward · · Score: 0

      > the Tile doesn't function at all anymore without location services.

      The reason tile does not work is a stupidity of Android permissions.

      In order to have BlueTooth LE (low energy) access you must have location permissions. Look it up if you don't believe me. Why is it done that way I have no idea, but I bumped into it when doing my own BT LE app.

    7. Re:It's not for the users benefit by Anonymous Coward · · Score: 0

      BLE unavoidably grants location permission, because if you have a database of beacons in the environment, an app that can hear them can report when it is near them - which is much finer location than GPS.

  3. Will there be the typical Google reaction here? by Anonymous Coward · · Score: 0

    Many slashdotters bitch and moan how horrible and evil Google is to allow apps to even do such a thing and come to slashdot to complain as loud as they can.

    $100 says those exact same people will soon be complaining how horrible and evil Google is to fix the problem they were complaining about before.

    Another $50 that they all get modded up to +5 just the same as when they argued the opposite.

    1. Re:Will there be the typical Google reaction here? by Excelcia · · Score: 1

      Well, if this were Apple, and going through their app store was the only legitimate way I could get an app onto my phone, then I would be upset at the high handedness of it. As it is, Android is still an open platform. People can get apps onto their phone other ways besides Google Play. So, if Google wants to start putting limits on what apps can have what permissions in order to appear in a store they own, go ahead. This particular permission is one that would be sought by apps used by more savvy people anyway. If Google wants to drive some of their more capable customers to other app repositories and stores, that bothers me none. I am, at the moment, happy with anything Google does to incentivize people to exert the activation energy required to move to more open app repositories.

      If (maybe I should say "when" here) Google moves to make Android a walled garden with a sole-source on Google Play for apps, then you will see me become far more activist. But at the moment, Google is really only shooting themselves in the foot.

      So, by all means, please carry on.

    2. Re:Will there be the typical Google reaction here? by BringsApples · · Score: 0

      That's Slashdot, baby! It's better to bitch about the subject at hand than it is to bitch about bitching. Because if you're bitching about 'bitching on a forum', and you're doing it on that forum, then you may not FEEL like an idiot, but...

      --
      Politics; n. : A religion whereby man is god.
    3. Re:Will there be the typical Google reaction here? by DickBreath · · Score: 1

      > $100 says those exact same people will soon be complaining . . .
      > Another $50 that they all get modded up to +5

      One thousand quatloos that both sides will complain about google no matter what google does.

      I for one, hate just how much google knows about me . . . . um . . . hey google can you recommend a movie that I might like?

      --

      I'll see your senator, and I'll raise you two judges.
  4. Google is polishing their turd by Anonymous Coward · · Score: 0

    Why aren't these controls in the hands of the end-users? Is it because google has failed to give end-users meaningful choices and forced apps to abide with those choices without unduly throwing in the towel?

    1. Re:Google is polishing their turd by Anonymous Coward · · Score: 0

      > Why aren't these controls in the hands of the end-users? Is it because google has failed to give end-users meaningful choices and forced apps to abide with those choices without unduly throwing in the towel?

      Working as designed. AKA it's a feature, not a bug. Android is designed to take control out of the users' hands and to give it to 3rd parties for data mining. It's the whole reason the platform exists.

    2. Re:Google is polishing their turd by Luthair · · Score: 1

      They were, the issue is that too many applications are misleading.

    3. Re: Google is polishing their turd by Anonymous Coward · · Score: 0

      I doubt that. And I have never seen google describe what is misleading about any of these applications. I think google keeps its cards close to its vest for a reason they do not wish to disclose hence the smoke and mirrors

    4. Re: Google is polishing their turd by Anonymous Coward · · Score: 0

      ...but but but I thought the whole point of Android was to give control to the users, isn't that why all you tin foilers use it over iOS? I'm all confused now.

    5. Re: Google is polishing their turd by Anonymous Coward · · Score: 0

      Nice, you responded to yourself :p

      Control is still in the hands of users. Deny the permission, and remove the app. If you don't trust the app dev, there's so much they can do without any permissions granted

  5. Mistake #1 by Anonymous Coward · · Score: 0

    Relying on Google for a service you deem critical

    1. Re:Mistake #1 by psm321 · · Score: 1

      replying to undo accidental mod

  6. Security by Luthair · · Score: 4, Insightful

    Given it isn't uncommon (unfortunately) for SMS to be used as a second factor it's too unsafe to allow random applications to have access. It's also a common scam for using SMS permission to sign up for high cost services.

    1. Re:Security by bill_mcgonigle · · Score: 1

      > Given it isn't uncommon (unfortunately) for SMS to be used as a second factor it's too unsafe to allow random applications to have access. It's also a common scam for using SMS permission to sign up for high cost services.

      That's not the argument [almost] anybody is making. They are saying that there are legit, non-scam, non-insecure apps that use SMS and Call Log permissions for useful, beneficial, and productive purposes in a responsible way and Google isn't giving them exceptions or any explanations of what their criteria are.

      Some people are saying those apps could build Tasker plugins, but if this is all at Google's whim they could pull Tasker's exception at any time. My bet is this is two-staged, and they just gave Tasker a bye for this round because it has the largest number of users. The niche apps are getting whacked first, then they'll be back for Tasker functionality once some of the controversy has blown over.

      Meanwhile, Google's apps and that of its top-tier vendors will have unequal and anti-competitive access to the APIs. Google may make the argument that people don't have to use the Play store, and that's precisely what some of these developers are planning (a competitor to Google Play).

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    2. Re:Security by Anonymous Coward · · Score: 0

      I think it is quite uncommon for two factor SMS to be stolen from the device. It is much easier to do that at scale via SS7/Diameter on the cell network side.

  7. Good ... by Anonymous Coward · · Score: 1

    > Google's New SMS and Call Permission Policy is Crippling Apps Used by Millions

    Permissions on apps have become stupid, and far too many apps are written and published by lying assholes.

    It really is time to start treating these permissions as something an app doesn't need, and to prevent these fucking things from slurping your data and sending it off to some marketing asshole to be scraped and sold.

    We passed peak smartphone and peak app quite some time ago, and while I've refused to become beholden to this crap, I see far too many stories about shady apps which request crazy permissions and mostly seem to exist to defraud you.

    No thanks, don't need your fucking apps.

  8. Kudos Google by Dorianny · · Score: 4, Interesting

    Sorry but collection of sensitive data for profit, is a much bigger concern than a few legitimate apps being broken. Now, if only we could do something about Google's data-mining

  9. I don't see any reason!... by Anonymous Coward · · Score: 0

    Any good reason why any app would want to see my call logs or sms!

    1. Re:I don't see any reason!... by habig · · Score: 3, Insightful

      How bout an app that uses SMS as a remote control channel for when you lose your phone? This handy app: https://www.androidlost.com/ is about to get neutered. According to the forums, the author is doing all the right things with respect to applying for exemptions, and is going to get whacked anyway. If an app with this one's long history of good work gets blasted, any indie author is toast.

    2. Re: I don't see any reason!... by Anonymous Coward · · Score: 0

      Honestly that doesn't seem like a legitimate app to see these things. While I could see some need to all the SMS to launch a tool like that, it would have zero reasons to see all my sms messages and especially not my call logs.

    3. Re: I don't see any reason!... by Anonymous Coward · · Score: 0

      Sadly this is the only way on Android. There is no way to attach an event to a message without access to call logs and the inbox.

    4. Re: I don't see any reason!... by bill_mcgonigle · · Score: 2

      > Sadly this is the only way on Android. There is no way to attach an event to a message without access to call logs and the inbox.

      And what pressure is there for Google to fix its lazy-ass APIs when it can just whack indy app developers? Are these people going to go to iPhone? No, most people can't afford one.

      Oh, what's that you say, a third-party app store that has the more useful apps and only charges 5%? Interesting.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    5. Re:I don't see any reason!... by bill_mcgonigle · · Score: 1

      > Any good reason why any app would want to see my call logs or sms!

      Your lack of imagination isn't relevant here. I, for instance, use an app that enters all my calls into a work calendar where I have a background script that organizes them per-client. That gets automated into the billing system.

      Maybe they'll get an exception, who knows ... I doubt it. Google is too lazy to add fine-grained control to its APIs and doesn't care much about uncommon use cases or if it puts a bunch of developers out of business. There are 99.5% more where they came from and growing. And they all hand over 30% of their revenue to Google.

      The incentives are not aligned for Google to do the right thing and care about minorities.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    6. Re: I don't see any reason!... by Anonymous Coward · · Score: 0

      Yeah, this is the real problem: the permissions model. If an app getting access to my contacts meant it could bring up a system dialog for me to select contacts for it to get, that would be a lot nicer than the current "all or nothing" approach that Android and iOS permissions appear to be. In practice, this means I just don't use many apps.

    7. Re:I don't see any reason!... by qubezz · · Score: 1

      Nope, only the NSA Kernel SMS backdoor remains

    8. Re: I don't see any reason!... by c6gunner · · Score: 1

      > How bout an app that uses SMS as a remote control channel for when you lose your phone?

      Use data instead. Problem solved.

    9. Re: I don't see any reason!... by Anonymous Coward · · Score: 1

      +1 the all or nothing approach is the problem.

      Solutions have been conceived but after years in this game Google has yet to do anything more sensible.

      Anyone have pointers to an alternative OS with any traction that is not Apple or Microsoft or anyone Chinese? I have an older phone handy to play with

  10. Deja vu by sootman · · Score: 2

    Remember when Windows came out, and it had tons of shitty security assumptions and bad default settings in place, and then MS had to spend decades cleaning up that mess? Good times.

    In the early 2000s, Google should have been smart enough to know that "by default, just let anyone do anything" was a bad place to start.

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    1. Re:Deja vu by LostMyAccount · · Score: 1

      That would have involved looking into their own hearts to recognize the depth and depravity of greed in the technology industry.

    2. Re:Deja vu by DickBreath · · Score: 1

      Just because Microsoft in the 90's was trying to be the most evil company ever imagined does not mean they had to let other companies be that evil.

      --

      I'll see your senator, and I'll raise you two judges.
    3. Re:Deja vu by swillden · · Score: 1

      > In the early 2000s, Google should have been smart enough to know that "by default, just let anyone do anything" was a bad place to start.

      That's not where they started, at all (and Google wasn't involved until 2005). They started with a much tighter security model than Windows had. Every app sandboxed and running as its own UID to make sure that apps couldn't look at each others' files (unless they chose to make them world-readable), and every app having to declare the permissions it would use and requiring users to approve those permissions before installing. The original Android security model was tighter than the Windows security model is today.

      That the original security model wasn't adequate is now clear, but it's hardly reasonable to expect the early Android engineers to have understood that their radically tighter security model still wasn't going to be good enough.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    4. Re: Deja vu by Anonymous Coward · · Score: 0

      Shillllllllllden

  11. TFW Orwellian Companies make good-sounding policy by Hillie · · Score: 1

    Then they never abide by it, and in fact do things that seem far more sinister than what they're claiming to prevent others from doing:

    https://qz.com/1131515/google-collects-android-users-locations-even-when-location-services-are-disabled/

    --
    - Alex
  12. Another option... by Shotgun · · Score: 1

    Google could put the permissions an app wants in a clear place in the app store so that I could consider the information BEFORE I tried to install the dang thing. As it is, you have to install it, go "Nope", then un-install it and find another app that does the same thing so that you can repeat the process.

    --
    Aah, change is good. -- Rafiki
    Yeah, but it ain't easy. -- Simba
    1. Re:Another option... by Anonymous Coward · · Score: 0

      I've never had a Google account, so I don't know what the Google Play Store app looks like, but the Yalp Store app certainly can pull that information from the website. Also going to the website in a browser, I see a "View details" link under the Permissions heading, and clicking that gives a list.

      So at least the information is available, but due to ignorance I can't argue with your "in a clear place".

  13. SMS Retriever API by Todd+Knarr · · Score: 4, Interesting

    So why can't Cerberus use the SMS Retriever API for their functionality? For what they're doing they don't need to see every SMS message or call log entry on the device, they just need to see and respond to the single SMS message sent by their servers which is exactly what the Retriever API is designed for. It requires a loop, it'd be nice if there was a way for an app to register a permanent retriever so that loop wasn't necessary, but it shouldn't require a half-decent Android developer more than a day or two to code up the functionality needed. All these devs are doing is throwing a hissy fit instead of acknowledging why Google found these restrictions necessary and working within them (or working with Google to implement just the functionality needed). I suddenly feel a need to research any app or company complaining about this to see exactly why they're so upset about losing access to a data stream that it doesn't seem they should care about in the first place.
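
The re-arming loop the comment above describes, as an added Kotlin example (not code from the commenter, Cerberus or Google): the SMS Retriever API needs no SMS permission, delivers only a message that carries the app's 11-character hash, and each `startSmsRetriever()` call listens for up to five minutes, so the receiver re-arms after every result. The class name, the `CMD:<NAME>:<hmac>` message format, the command allowlist and the enrolled shared key are assumptions made for illustration.

```kotlin
// Added illustration. RemoteCommandListener, the CMD:<NAME>:<hmac> format,
// the allowlist and the shared key are hypothetical, not any real app's protocol.
import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.content.IntentFilter
import androidx.core.content.ContextCompat
import com.google.android.gms.auth.api.phone.SmsRetriever
import com.google.android.gms.common.api.CommonStatusCodes
import com.google.android.gms.common.api.Status
import java.security.MessageDigest
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec

class RemoteCommandListener(
    private val context: Context,
    private val sharedKey: ByteArray,          // assumed: provisioned at enrollment
    private val onCommand: (String) -> Unit
) {
    private val allowed = setOf("LOCATE", "LOCK", "RING")

    private val receiver = object : BroadcastReceiver() {
        override fun onReceive(ctx: Context, intent: Intent) {
            if (intent.action != SmsRetriever.SMS_RETRIEVED_ACTION) return
            val extras = intent.extras ?: return
            val status = extras.get(SmsRetriever.EXTRA_STATUS) as? Status ?: return
            if (status.statusCode == CommonStatusCodes.SUCCESS) {
                // Only the single matching message is handed over, never the inbox.
                val body = extras.getString(SmsRetriever.EXTRA_SMS_MESSAGE)
                val command = body?.let { parseCommand(it) }
                if (command != null) onCommand(command)
            }
            // SUCCESS and TIMEOUT both end the listening window: start a new one.
            arm()
        }
    }

    fun start() {
        // Accept the broadcast only from senders holding Play services' SEND permission.
        ContextCompat.registerReceiver(
            context, receiver, IntentFilter(SmsRetriever.SMS_RETRIEVED_ACTION),
            SmsRetriever.SEND_PERMISSION, null, ContextCompat.RECEIVER_EXPORTED
        )
        arm()
    }

    fun stop() = context.unregisterReceiver(receiver)

    private fun arm() {
        SmsRetriever.getClient(context).startSmsRetriever()
    }

    // The app hash in the SMS is not a secret, so the body is untrusted input:
    // accept only allowlisted commands carrying a valid HMAC-SHA256 tag.
    // A static tag can be replayed; a real protocol would also bind a counter
    // or timestamp into the MAC.
    private fun parseCommand(body: String): String? {
        val match = Regex("""CMD:([A-Z]+):([0-9a-f]{64})""").find(body) ?: return null
        val (name, tagHex) = match.destructured
        if (name !in allowed) return null
        val mac = Mac.getInstance("HmacSHA256")
        mac.init(SecretKeySpec(sharedKey, "HmacSHA256"))
        val expected = mac.doFinal(name.toByteArray(Charsets.UTF_8))
        val given = tagHex.chunked(2).map { it.toInt(16).toByte() }.toByteArray()
        return if (MessageDigest.isEqual(expected, given)) name else null
    }
}
```

The manifest for this listener declares neither `READ_SMS` nor `RECEIVE_SMS`, which is the least-privilege point the comment is making.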

  14. microG by emil · · Score: 1

    While I am not ready to entirely cut my ties with Google, it is time for some distance.

    This month I wiped my Android ROM and loaded microG. This does complicate access to Google services, but I am willing to accept that.

    I do have a lifetime Cerberus membership, and I have downloaded their full-featured APK directly, bypassing Google. UBER continues to work without error (and yes, I know UBER is also a privacy nightmare). I have downloaded many other apps from Google Play, most of which work perfectly with the microG compatibility libraries.

    Knowledgeable people should act by excising spyware when they can. For Google Mobile Services on my daily driver, it was time.

    1. Re:microG by Anonymous Coward · · Score: 0

      I have a lifetime common sense membership. It allows me to watch over and take care of my property by exerting the slightest bit of personal responsibility.

  15. LineageOS Privacy Guard by emil · · Score: 1

    This might be useful to you, as I believe it returns nonsensical data, rather than throwing an error.

  16. Welcome to Windows Phone! by Fencepost · · Score: 1

    Between Google's various experiments with locking down storage (e.g. I have an older tablet where epub readers cannot read epub files saved to the local storage) and crap like this, it feels amazingly like my time period with Windows Phone.

    I wonder if they're going to remove all the third-party SMS apps like Textra (but of course the built-in messenger and Hangouts will work). Location? That should only be accessible to Google-branded apps.

    It's going to be like Apple in terms of being locked down, but without the ability to actually talk to any human beings.

    --
    fencepost
    just a little off
  17. Android already has this option by Anonymous Coward · · Score: 0

    Since Android 6, the ability to send a SMS message is a runtime permission. The App cannot use it without a pop-up requesting that permission being approved by the user.

    Why can't google just allow users to make the decision whether they want a particular app to be allowed to send text messages or not?