Leave your "Google and Privacy" jokes in the comments

Google Play starts manually whitelisting SMS and phone apps

To protect user privacy, Google starts policing apps using SMS and phone permissions.


Google is implementing major new Play Store rules for how Android's "SMS" and "Call Log" permissions are used. The rules will only allow certain types of apps to request phone call logs and SMS permissions, and any apps that don't fit into Google's predetermined use cases will be removed from the Play Store. The policy was first announced in October; it kicks in this week, and the ban hammer starts falling on non-compliant apps.

In that October blog post, Google laid out its vision for SMS and phone permissions for Google Play apps, saying, "Only an app that has been selected as a user's default app for making calls or text messages will be able to access call logs and SMS, respectively." That statement also comes with a host of exceptions, some of which were added after communicating with members of the developer community, but the end result is still that SMS and phone permissions will be heavily policed on the Play Store.

Google says the decision to police these permissions was made to protect user privacy. SMS and phone permissions can give an app access to a user's contacts and everyone they've ever called, in addition to allowing the app to contact premium phone numbers that can charge money directly to the user's cellular bill. Despite the power of these permissions, a surprising number of apps ask for SMS or phone access because they have other, more benign use cases. So to clean up the Play Store, Google's current plan seems to be to (1) build more limited, replacement APIs for these benign use cases that don't offer access to so much user data and (2) kick everyone off the Play Store who is still using the wide-ranging SMS and phone permissions for these more limited use cases.

Google set up a help page that covers the new rules and offers workarounds for some use cases. A recent addition to Android is a scoped API for SMS-based user verification, which will allow an app to ping a phone with an SMS and automatically fill in the code, all without using the powerful SMS permission. There are also intents for cases like starting an SMS message, sharing content to an SMS, and starting a phone call, which all work by handing off most of the work to the dedicated SMS app.

Google's help page also lays out use cases that have been granted a "temporary exception" to use the SMS and phone permissions. Besides actual phone and SMS apps, Google allows backup and restore apps, enterprise and device management apps, caller ID and spam blocking apps, "companion" hardware apps (for instance, smartwatch or fitness tracker apps), cross-device synchronization apps, SMS-based financial transaction apps, budget apps (for tracking SMS spending), task automation apps, and proxy call apps.

Manual whitelisting of apps by a living human

Google's enforcement of this new policy is a mix of automation and, surprisingly, human review. When developers upload an app to Google Play, they do so through the Google Play Developer console, which can automatically tell a lot about the makeup of the app. Part of this is knowing what permissions each app requests, and anything that asks for SMS or Call Log permissions is flagged for human approval. Developers then need to fill out a "Google Play Permissions Declaration Form" and explain exactly why they need the SMS or Call Log permission, at which point a real human will supposedly review the form and approve or deny the permission usage. Basically, SMS and phone apps will all need to be manually whitelisted from now on.
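The automated half of that check can be approximated by a developer before upload. The sketch below is an added example, not Google's implementation: it assumes a decoded, plain-text AndroidManifest.xml (not the binary XML inside an APK), and the grouping of the Android SDK's SMS and Call Log permission names into one "restricted" set is this example's assumption. The sample manifest is constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission names from the Android SDK's SMS and Call Log groups.
# Treating them as one "restricted" set is this example's assumption.
RESTRICTED = {
    "SMS": {"READ_SMS", "SEND_SMS", "RECEIVE_SMS", "RECEIVE_MMS", "RECEIVE_WAP_PUSH"},
    "Call Log": {"READ_CALL_LOG", "WRITE_CALL_LOG", "PROCESS_OUTGOING_CALLS"},
}
# Both manifest elements can request a permission.
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")


def flag_restricted(manifest_xml):
    """Return sorted (group, permission) pairs that would need a declared use case."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for tag in PERMISSION_TAGS:
        for elem in root.iter(tag):
            name = elem.get(ANDROID_NS + "name", "")
            prefix, _, short = name.rpartition(".")
            if prefix != "android.permission":
                continue  # custom or vendor permission with a look-alike name
            for group, names in RESTRICTED.items():
                if short in names:
                    found.add((group, name))
    return sorted(found)


# Constructed sample: a flashlight app that also asks for SMS and call log access.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.READ_SMS" />
    <uses-permission-sdk-23 android:name="android.permission.READ_CALL_LOG" />
    <uses-permission android:name="com.example.permission.READ_SMS" />
    <application android:label="Flashlight" />
</manifest>
"""

if __name__ == "__main__":
    for group, name in flag_restricted(SAMPLE_MANIFEST):
        print(f"{group}: {name} -> needs a declared, approved use case")
```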

This kind of enforcement is definitely a new front in Google's attempts to police the Android ecosystem. Previously, we would have expected a change to the way Android permissions work at the OS level, but instead—probably thanks to the nuance Google is looking for—this move is happening purely through Play Store policies. Of course, this means the rules only apply to apps in the Play Store and not pre-installed apps or apps downloaded outside of the Play Store. By our count, this is the second time Google has used Play Store rules to implement a major Android ecosystem change. Alongside the launch of Android 9 Pie late last year, the Play Store implemented minimum OS version requirements on app developers, forcing them to adapt to newer Android APIs with more privacy and security restrictions.

Doing actual human review on the Play Store seems very "un-Googley," and I would guess this system won't last forever. Google specifically calls the permission exceptions "temporary," which suggests the company is working on more scoped APIs that cover more of the SMS and phone permission use cases that it currently has granted exceptions for.
