Throw the baby out with the bathwater?
Monday, April 1, 2019
You have probably heard the idiomatic expression "Don't throw the baby out with the bathwater". Today, with the most recent innovation from Google, this phrase has become more relevant than ever before.
So, I received this message today and was stunned as soon as I read it. In short: if your application uses READ_CALL_LOG, WRITE_CALL_LOG, PROCESS_OUTGOING_CALLS, READ_SMS, SEND_SMS, WRITE_SMS, RECEIVE_SMS, RECEIVE_WAP_PUSH, or RECEIVE_MMS and is not the default app for SMS and calls, it won't be able to use these permissions.
There is also this part of the message I don't quite understand: "migrate to an alternative implementation (e.g., SMS Retriever API for most cases of OTP verification)". Is there a way to access SMS data without requesting those permissions? If there is, I know nothing about it.
And here is why I'm so worried: our company has been using an Android app to send instructions to our employees via SMS. And now, since that is no longer allowed, how can we make the application retrieve SMS data associated with a specific phone number?
Hello Google Play Developer,
In October, we announced updates to our Permissions policy that will limit which apps are allowed to request Call Log and SMS permissions. This policy will impact one or more of your apps.
Only an app that has been selected as a user's default app for making calls or text messages, or whose core functionality is approved for one of the exception use cases, will be able to request access to Call Log or SMS permissions.
Below, we've listed apps from your catalog which do not meet the requirements for permission requests. Please remove any disallowed or unused permissions from your app's manifest (specified below), migrate to an alternative implementation (e.g. SMS Retriever API for most cases of OTP verification), or evaluate if your app qualifies for an exception.
Read through the Permissions policy and the Play Console Help Center article, which describes intended uses, exceptions, invalid uses, and alternative implementation options for usage of Call Log or SMS permissions.
Update your app or submit a Permissions Declaration Form.
Option 1) If your app does not require access to Call Log or SMS permissions: Make appropriate changes to your app by removing the specified permissions from your app's manifest or migrating to an available alternative implementation by January 9, 2019.
Option 2) If your app is a default handler or you believe your app qualifies for an exception: Please submit a request via the Permissions Declaration Form. You do not need to have implemented APK changes in order to submit a form. Declaration Forms received by January 9, 2019 may be eligible for additional time to make changes to bring their app(s) into compliance. If you have recently submitted a Permissions Declaration Form, we are in the process of reviewing your information and will respond to your application.
Make sure that your app is otherwise compliant with all other Developer Program Policies to prevent your app from being removed.
Alternatively, you can choose to unpublish the app.
Our Developer Program Policies are designed to provide a safe and secure experience for our users while also giving developers the tools they need to succeed. That is why we will remove apps that violate our policies. In cases of repeated or serious violations of our policies, we may also terminate your developer account and any related developer accounts.
We appreciate your willingness to partner with us as we make these improvements to better protect users.
Affected apps and permissions are listed below, up to 20; if you have additional apps, please ensure that they are also compliant with the Permissions policy.
So, what has actually happened?
The changes in Google's permission policy affect all anti-virus applications running on Android 8 and later and make their SMS functionality inaccessible to users. The Android copyright holder now gives the go-ahead only to applications for which processing SMS information is part of their principal functionality.
And we repeat once again: Doctor Web is not the only party that has been affected by the policy update. Similar components are no longer available in other Android security applications.
Google assured everyone that the applications that really needed the permissions would remain in the software catalogue, provided their developers could prove that an exception can be made for their app. And we tried to fight!
Exceptions to Call Log and SMS Default Handler restrictions
The objective of the above restrictions is to protect user privacy. We may grant limited exceptions to the default handler requirement in cases when an app is not the default handler, but abides by all of the above requirements and clearly and transparently provides a highly compelling or critical feature where there is currently no alternative method to provide the feature. Such features will be evaluated against any potential privacy or security impact on users.
Now Android device owners will have more control over their data: they will be able to select which portion of their information will be accessible to applications. Under its Project Strobe initiative, Google updated its permission policy for Google Play software developers: now the call log and SMS permissions are only accessible to the phone and message applications that the user has selected as default call and messaging apps.
Apparently security software is not important anymore. As a result:
Doctor Web is notifying users about Dr.Web Security Space Life’s sudden removal from Google Play.
It has been negotiating with Google for all the application features to remain available to users. However, currently Dr.Web Security Space Life is not available on Google Play.
And Google is not the only company employing restrictions of this kind.
Apple demanded that the developer remove features facilitating control over applications and blocking access in Safari.
In an article on Kaspersky's blog, the company said Apple only objected to its Safe Kids app after the iPhone maker launched Screen Time for iOS 12. The new feature allegedly had functions similar to Kaspersky's parental control program.
All in all, such policy updates are introduced under the pretext that user data must be protected from malicious programs stealing SMS data. But why not allow anti-viruses to do their job? We can't understand the logic behind such decisions.
The Anti-virus Times recommends
Dr.Web never leaves users to face security issues on their own and does its best to keep users protected.
Users of Dr.Web Security Space Life licenses can contact our support service. Provide your license order number and the associated email address in the support query. In response, you will receive the application's APK file. Information about other life license usage options will be made available later.