Google recently rolled out a policy change that requires apps to be manually verified by the company in order to use legacy SMS and phone call permissions, and has started removing non-compliant apps from the Play Store. Developers whose apps include those permissions have three options; file a declaration with Google that their app needs those permissions for core functionality, submit a request for more time to bring their app into compliance, or remove the permissions from the app immediately. Developers with a declaration have until March 9, and if they haven’t heard back from Google or removed the permissions by then, they may see their app delisted.
Some time ago Google Stated that it was going to be cracking down on SMS and calling permission usage in apps, and has now begun to do just that. There are only a few allowed use cases, meaning that many apps that use those permissions will be forced to remove them, or shutter the app entirely.
Allowed use cases under Google’s policies include an app being the default handler for calls, SMS, or Google Assistant queries, and other use cases can ask for a temporary extension if an alternative to using those permissions cannot be found. This means that, eventually, the SMS and calling permissions used by many apps today will no longer be valid for anything but default call, SMS, and Assistant apps, leaving the question of how other apps that use those permissions for core functions will continue to operate.
Examples of acceptable use cases for temporary extensions include verifying accounts by calling a phone number and checking the device’s call log, apps acting as a call proxy, spam blocking, and companion apps for smart devices, among others. It’s worth noting that carriers and OEMs can use the permissions in these use cases permanently.
A large number of use cases that typically resort to those permissions are now out in the cold. That includes security and anti-virus apps that scan SMS messages, contact management apps, call records, and many more. For some use cases, Google offers up alternatives, using newer APIs and intent calls that link to SMS and Calls without actually accessing that data.
Google is doing this as a security measure. Having access to calls and SMS the way that those older permissions define can be a dangerous proposition, and apps with ill intent can use them to do anything from sending out premium SMS and calls to faking two-factor authentication, or even stealing secured accounts.
The big impact here for users is going to be the loss of a number of use cases associated with those permissions. Additionally, depending on how fast Google handles these requests, you may see your favorite SMS or calling app go under temporarily. Likewise, older apps that have been abandoned by the developer, but are still found to be useful by some, will likely be gone, unless the developer sees they’ve been taken down and decides to go through with procedure as Google defines it.
The company has apparently already received “tens of thousands” of declarations from developers hoping to be allowed to use the permissions, and a great many more are expected. If Google stays on top of the process and is continually scanning for apps that use the permissions, theoretically, this means that there will not be any non-compliant apps in the Play Store by that March 9 deadline.