Google has announced a further range of security measures designed to limit developer access to user data.
The announcement comes as part of Project Strobe, the same internal initiative which stemmed from the issues which gave rise to the untimely, timely demise of Google+.
This time, Android apps are in the firing line, and Google has confirmed that it is to begin a cull of apps which violate the rules on SMS/Call Log access.
The rule is simple - only default clients should be able to access this sensitive, on-device information. However, many unscrupulous developers have created pipelines to third parties who profit from such insight, and its this that Google is cracking down on.
The company explains: "Our new policy is designed to ensure that apps asking for these permissions need full and ongoing access to the sensitive data in order to accomplish the app's primary use case, and that users will understand why this data would be required for the app to function."
It does allow for genuine use cases, of course. Developers can submit a ‘permissions declaration form' if there is a genuine need for access to this data.
If this seems a trifle sudden, it isn't. In fact, many developers were emailed several months ago to sort this out and were clearly warned that they had 90 days to get their form in, remove the permissions, or face the consequences. Today is simply the day of reckoning for those still in non-compliance.
Google points out that there are alternative APIs that don't require the same permissions, such as the SMS retriever API, which will allow most of the same functionality, without the scope for abuse.
Oh, and if you did submit a form, but haven't heard back yet, don't panic, you've been given an extension to March 9th whilst they wade through them.
If you haven't and your app gets pulled, you either need to resubmit it without permissions, or if you absolutely need them, resubmit it as is, from inside the Play Console, along with the form, and you'll get the March 9th review deadline too. μ