Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google's New SMS and Call Permission Policy is Crippling Apps Used by Millions (androidpolice.com)

Posted by msmash on from the closer-look dept.

Ryne Hager, writing for AndroidPolice: Late last year, Google decided it was time to crack down on apps requesting SMS and call log permissions. Ostensibly, exceptions would be granted for categories including backups and automation, but as of now, there are still gaps which cover legitimate use cases. While some popular apps like Tasker have successfully secured exemptions, others like Cerberus have not. Instead, they've decided to strip out those permissions or risk facing the wrath of Google's upcoming January 9th banhammer, killing associated functionality and disappointing millions of long-time users to adhere to the Play Store's new policy.

The Play Console support page for the applicable set of permissions notifies developers that they can submit what is effectively an application for an exemption, categories for which are listed on the same page. (And that list of exceptions has grown since the original announcement.) Nonetheless, a further set of prohibitions are also included in the form itself, which explicitly preclude support for phone security/device location apps like Cerberus.

32 of 56 comments (clear)

  1. I don't care where it's hosted... by Excelcia · · Score: 2

    I honestly don't care where my apps are hosted. I use F-Droid more than Google Play anyway. I suspect someone wanting to use SMS to trigger a phone location are savvy enough to sort out alternate methods of getting the app.

    Google can pull the ban hammer all they want, but until they also pull the walled garden hammer, people are going to be able to use the fact that it's still an open-ish platform to get the apps they want.

    1. Re:I don't care where it's hosted... by Anonymous Coward · · Score: 1

      Yup. And when some 3rd party app you just "had to have" drains your bitcoin wallet, you'll be first in line hear singing the blues. And we'll laugh, and say go away feeb

    2. Re:I don't care where it's hosted... by FictionPimp · · Score: 1

      As if the walled garden doesn't have malware. ROFL.

    3. Re:I don't care where it's hosted... by Excelcia · · Score: 1

      Well, if it's a choice between F-Droid and Google Play, F-Droid has had exactly zero cases of malware slipping into its repository. How many has Google had?

      Now, what I would just looooove to know are statistics on what proportion of malware got onto Android phones via Google Play versus side-loading. That would be an interesting statistic to see.

      I trust Google about as far as I trust the NSA to protect my interests. I have a tougher vetting process for Google Play apps that I go through than I do for F-Droid. And for good reason. And so should you.

  2. It's not for the users benefit by Anonymous Coward · · Score: 2, Insightful

    Users just need the ability to approve this on a per- app basis, not censorship.

    Even better would be if users can choose to "approve" a permission but with fake data for those apps that try to overreach.

    1. Re:It's not for the users benefit by iamgnat · · Score: 4, Informative

      Users just need the ability to approve this on a per- app basis, not censorship.

      I've been an Android user since about the end of 6 and it has always had that ability on my phones (Nexus 6P and Pixel 3 XL). You have to go out of the way to change the permissions though so it would be nice if it would pop up the list for you to verify the first time you run it after an install or update.

      What pisses me off is the apps that refuse to work at all if they don't have a specific permission even if you don't use the related feature. For example I have a heart monitor that requires microphone permission so you can record notes, but it also allows you to write simple text notes too. If you don't give it permission to use the microphone it refuses to work at all. I've run into plenty of others too, but that's the only one where my answer couldn't simply be to delete the app.

    2. Re:It's not for the users benefit by sanosuke001 · · Score: 1

      Yes, just allow me to disable access and just show the app an empty call or sms history when it is requested. The app should be able to function without these things even if the app thinks it "needs" them. For things I trust to actually need them I won't disable access. For apps like a rewards app from a restaurant that thinks it needs my GPS location and call history, it can go pound salt (currently I don't install those but would be nice to have the ability to disable access on a per-app basis).

      --
      -SaNo
    3. Re:It's not for the users benefit by LordKronos · · Score: 1

      Another example is Tile, the handy little device that helps you find your keys using your phone, or find your cell phone using your keys. It's a nice little piece of tech that I've liked very much. However, after seeing stories recently how some seemingly trustworthy apps are selling "anonymized" location data which can trivially be reidentified simply by looking where you spend your evenings and where you spend your work hours, I started locking down location data for all my apps. And when I did, wouldn't you know it...the Tile doesn't function at all anymore without location services. I understand they want location data to enable their crowdsourced location feature, but I don't want that. I just want to find my keys in my house.

  3. Re:Will there be the typical Google reaction here? by Excelcia · · Score: 1

    Well, if this were Apple, and going through their app store was the only legitimate way I could get an app onto my phone, then I would be upset at the high handedness of it. As it is, Android is still an open platform. People can get apps onto their phone other ways besides Google Play. So, if Google wants to start putting limits on what apps can have what permissions in order to appear in a store they own, go ahead. This particular permission is one that would be sought by apps used by more savvy people anyway. If Google wants to drive some of their more capable customers to other app repositories and stores, that bothers me none. I am, at the moment, happy with anything Google does to incentivize people to exert the activation energy required to move to more open app repositories.

    If (maybe I should say "when" here) Google moves to make Android a walled garden with a sole-source on Google Play for apps, then you will see me become far more activist. But at the moment, Google is really only shooting themselves in the foot.

    So, by all means, please carry on.

  4. Re:Google is polishing their turd by Luthair · · Score: 1

    They were, the issue is that too many applications are misleading.

  5. Security by Luthair · · Score: 4, Insightful

    Given it isn't uncommon (unfortunately) for SMS to be used as a second factor its too unsafe to allow random applications to have access. Its also a common scam for using SMS permission to sign up for high cost services.

    1. Re:Security by bill_mcgonigle · · Score: 1

      Given it isn't uncommon (unfortunately) for SMS to be used as a second factor its too unsafe to allow random applications to have access. Its also a common scam for using SMS permission to sign up for high cost services.

      That's not the argument [almost] anybody is making. They are saying that there are legit, non-scam, non-insecure apps that use SMS and Call Log permissions for useful, beneficial, and productive purposes in a responsible way and Google isn't giving them exceptions or any explanations what their criteria.

      Some people are saying those apps could build Tasker plugins, but if this is all at Google's whim they could pull Tasker's exception at any time. My bet is this is two-staged, and they just gave Tasker a buy for this round because it has the largest number of users. The niche apps are getting whacked first, then they'll be back for Tasker functionality once some of the controversy has blown over.

      Meanwhile, Google's apps and that of its top-tier vendors will have unequal and anti-competitive access to the API's. Google may make the argument that people don't have to use the Play store, and that's precisely what some of these developers are planning (a competitor to Google Play).

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  6. Good ... by Anonymous Coward · · Score: 1

    Google's New SMS and Call Permission Policy is Crippling Apps Used by Millions

    Permissions on apps have become stupid, and far too many apps are written and published by lying assholes.

    It really is time to start treating these permissions as something an app doesn't need, and to prevent these fucking things from slurping your data and sending it off to some marketing asshole to be scraped and sold.

    We passed peak smartphone and peak app quite some time ago, and while I've refused to become beholden to this crap, I see far too many stories about shady apps which request crazy permissions and mostly seem to exist to defraud you.

    No thanks, don't need your fucking apps.

  7. Cudos Google by Dorianny · · Score: 4, Interesting

    Sorry but collection of sensitive data for profit, is a much bigger concern than a few legitimate apps being broken. Now, if only we could do something about Google's data-mining

  8. Deja vu by sootman · · Score: 2

    Remember when Windows came out, and it had tons of shitty security assumptions and bad default settings in place, and then MS had to spend decades cleaning up that mess? Good times.

    In the early 2000s, Google should have been smart enough to know that "by default, just let anyone do anything" was a bad place to start.

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    1. Re:Deja vu by LostMyAccount · · Score: 1

      That would have involved looking into their own hearts to recognize the depth and depravity of greed in the technology industry.

    2. Re:Deja vu by DickBreath · · Score: 1

      Just because Microsoft in the 90's was trying to be the most evil company ever imagined does not mean they had to let other companies be that evil.

      --

      I'll see your senator, and I'll raise you two judges.
    3. Re:Deja vu by swillden · · Score: 1

      In the early 2000s, Google should have been smart enough to know that "by default, just let anyone do anything" was a bad place to start.

      That's not where they started, at all (and Google wasn't involved until 2005). They started with a much tighter security model than Windows had. Every app sandboxed and running as its own UID to make sure that apps couldn't look at each others' files (unless they chose to make them world-readable), and every app having to declare the permissions it would use and requiring users to approve those permissions before installing. The original Android security model was tighter than the Windows security model is today.

      That the original security model wasn't adequate is now clear, but it's hardly reasonable to expect the early Android engineers to have understood that their radically tighter security model still wasn't going to be good enough.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  9. Re:I don't see any reason!... by habig · · Score: 3, Insightful

    How bout an app that uses SMS as a remote control channel for when you lose your phone? This handy app: https://www.androidlost.com/ is about to get neutered. According to the forums, the author is doing all the right things with respect to applying for exemptions, and is going to get whacked anyway. If an app with this one's long history of good work gets blasted, any indie author is toast.

  10. TFW Orwellian Companies make good-sounding policy by Hillie · · Score: 1

    Then they never abide by it, and in fact do things that seem far more sinister than what they're claiming to prevent others from doing:

    https://qz.com/1131515/google-collects-android-users-locations-even-when-location-services-are-disabled/

    --
    - Alex
  11. Re:Will there be the typical Google reaction here? by DickBreath · · Score: 1

    > $100 says those exact same people will soon be complaining . . .
    > Another $50 that they all get modded up to +5

    One thousand quatloos that both sides will complain about google no matter what google does.

    I for one, hate just how much google knows about me . . . . um . . . hey google can you recommend a movie that I might like?

    --

    I'll see your senator, and I'll raise you two judges.
  12. Another option... by Shotgun · · Score: 1

    Google could put the permissions an app wants in a clear place in the app store so that I could consider the information BEFORE I tried to install the dang thing. As it is, you have to install it, go "Nope", then un-install it and find another app that does the same thing so that you can repeat the process.

    --
    Aah, change is good. -- Rafiki
    Yeah, but it ain't easy. -- Simba
  13. Re:Mistake #1 by psm321 · · Score: 1

    replying to undo accidental mod

  14. Re: I don't see any reason!... by bill_mcgonigle · · Score: 2

    Sadly this is the only way on Android. There is no way to attach an event to a message without access to call logs and the inbox.

    And what pressure is there for Google to fix its lazy-ass API's when it can just whack indy app developers? Are these people going to go to iPhone? No, most people can't afford one.

    Oh, what's that you say, a third-party app store that has the more useful apps and only charges 5%? Interesting.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  15. Re:I don't see any reason!... by bill_mcgonigle · · Score: 1

    Any good reason why any app would want to see my call logs or sms!

    Your lack if imagination isn't relevant here. I, for instance, use an app that enters all my calls into a work calendar where I have a background script that organizes them per-client. That gets automated into the billing system.

    Maybe they'll get an exception, who knows ... I doubt it. Google is too lazy to add fine-grained control to its APIs and doesn't care much about uncommon use cases or if it puts a bunch of developers out of business. There are 99.5% more where they came from and growing. And they all hand over 30% of their revenue to Google.

    The incentives are not aligned for Google to do the right thing and care about minorities.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  16. SMS Retriever API by Todd+Knarr · · Score: 4, Interesting

    So why can't Cerberus use the SMS Retriever API for their functionality? For what they're doing they don't need to see every SMS message or call log entry on the device, they just need to see and respond to the single SMS message sent by their servers which is exactly what the Retriever API is designed for. It requires a loop, it'd be nice if there was a way for an app to register a permanent retriever so that loop wasn't necessary, but it shouldn't require a half-decent Android developer more than a day or two to code up the functionality needed. All these devs are doing is throwing a hissy fit instead of acknowledging why Google found these restrictions necessary and working within them (or working with Google to implement just the functionality needed). I suddenly feel a need to research any app or company complaining about this to see exactly why they're so upset about losing access to a data stream that it doesn't seem they should care about in the first place.

  17. microG by emil · · Score: 1

    While I am not ready to entirely cut my ties with Google, it is time for some distance.

    This month I wiped my Android ROM and loaded microG. This does complicate access to Google services, but I am willing to accept that.

    I do have a lifetime Cerberus membership, and I have downloaded their full-featured APK directly, bypassing Google. UBER continues to work without error (and yes, I know UBER is also a privacy nightmare). I have downloaded many other apps from Google Play, most of which work perfectly with the microG compatibility libraries.

    Knowledgeable people should act by excising spyware when they can. For Google Mobile Services on my daily driver, it was time.

  18. LineageOS Privacy Guard by emil · · Score: 1

    This might be useful to you, as I believe it returns nonsensical data, rather than throwing an error.

  19. Welcome to Windows Phone! by Fencepost · · Score: 1

    Between Google's various experiments with locking down storage (e.g. I have an older tablet where epub readers cannot read epub files saved to the local storage) and crap like this, it feels amazingly like my time period with Windows Phone.

    I wonder if they're going to remove all the third-party SMS apps like Textra (but of course the built-in messenger and Hangouts will work). Location? That should only be accessible to Google-branded apps.

    It's going to be like Apple in terms of being locked down, but without the ability to actually talk to any human beings.

    --
    fencepost
    just a little off
  20. Re:I don't see any reason!... by qubezz · · Score: 1

    Nope, only the NSA Kernel SMS backdoor remains

  21. Re: I don't see any reason!... by c6gunner · · Score: 1

    How bout an app that uses SMS as a remote control channel for when you lose your phone?

    Use data instead. Problem solved.

  22. Re: I don't see any reason!... by Anonymous Coward · · Score: 1

    +1 the all or nothing approach is the problem.

    Solutions have been conceived but after years in this game Google has yet to do anything more sensible.

    Anyone have pointers to an alternative OS with any traction that is not Apple or Microsoft or anyone Chinese? I have an older phone handy to play with