Google's New SMS and Call Permission Policy is Crippling Apps Used by Millions (androidpolice.com)
Ryne Hager, writing for AndroidPolice: Late last year, Google decided it was time to crack down on apps requesting SMS and call log permissions. Ostensibly, exceptions would be granted for categories including backups and automation, but as of now, there are still gaps which cover legitimate use cases. While some popular apps like Tasker have successfully secured exemptions, others like Cerberus have not. Instead, they've decided to strip out those permissions or risk facing the wrath of Google's upcoming January 9th banhammer, killing associated functionality and disappointing millions of long-time users to adhere to the Play Store's new policy.
The Play Console support page for the applicable set of permissions notifies developers that they can submit what is effectively an application for an exemption, categories for which are listed on the same page. (And that list of exceptions has grown since the original announcement.) Nonetheless, a further set of prohibitions are also included in the form itself, which explicitly preclude support for phone security/device location apps like Cerberus.
I honestly don't care where my apps are hosted. I use F-Droid more than Google Play anyway. I suspect someone wanting to use SMS to trigger a phone location is savvy enough to sort out alternate methods of getting the app.
Google can pull the ban hammer all they want, but until they also pull the walled garden hammer, people are going to be able to use the fact that it's still an open-ish platform to get the apps they want.
Users just need the ability to approve this on a per-app basis, not censorship.
Even better would be if users can choose to "approve" a permission but with fake data for those apps that try to overreach.
Given it isn't uncommon (unfortunately) for SMS to be used as a second factor, it's too unsafe to allow random applications to have access. It's also a common scam for using SMS permission to sign up for high cost services.
Sorry, but collection of sensitive data for profit is a much bigger concern than a few legitimate apps being broken. Now, if only we could do something about Google's data-mining.
Remember when Windows came out, and it had tons of shitty security assumptions and bad default settings in place, and then MS had to spend decades cleaning up that mess? Good times.
In the early 2000s, Google should have been smart enough to know that "by default, just let anyone do anything" was a bad place to start.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
How 'bout an app that uses SMS as a remote control channel for when you lose your phone? This handy app: https://www.androidlost.com/ is about to get neutered. According to the forums, the author is doing all the right things with respect to applying for exemptions, and is going to get whacked anyway. If an app with this one's long history of good work gets blasted, any indie author is toast.
Sadly this is the only way on Android. There is no way to attach an event to a message without access to call logs and the inbox.
And what pressure is there for Google to fix its lazy-ass APIs when it can just whack indie app developers? Are these people going to go to iPhone? No, most people can't afford one.
Oh, what's that you say, a third-party app store that has the more useful apps and only charges 5%? Interesting.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
So why can't Cerberus use the SMS Retriever API for their functionality? For what they're doing they don't need to see every SMS message or call log entry on the device, they just need to see and respond to the single SMS message sent by their servers which is exactly what the Retriever API is designed for. It requires a loop, it'd be nice if there was a way for an app to register a permanent retriever so that loop wasn't necessary, but it shouldn't require a half-decent Android developer more than a day or two to code up the functionality needed. All these devs are doing is throwing a hissy fit instead of acknowledging why Google found these restrictions necessary and working within them (or working with Google to implement just the functionality needed). I suddenly feel a need to research any app or company complaining about this to see exactly why they're so upset about losing access to a data stream that it doesn't seem they should care about in the first place.