Posted by Paul Bankhead, Director, Product Management, Google Play
TLDR; As previously announced and directly communicated to developers via email, we’ll be removing apps from the Google Play Store that ask for SMS or Call Log permission and have not submitted a Permissions Declaration Form. If you have not submitted a permissions declaration form and your app is removed, see below for next steps.
We take access to sensitive data and permissions very seriously. This is especially true with SMS and Call Log permissions, which were designed to allow users to pick their favorite dialer or messaging app, but have also been used to enable many other experiences that might not require that same level of access. In an effort to improve users’ control over their data, last October we announced we would be restricting developer access to SMS and Call Log permissions.
Our new policy is designed to ensure that apps asking for these permissions need full and ongoing access to the sensitive data in order to accomplish the app’s primary use case, and that users will understand why this data would be required for the app to function.
Developers whose apps used these permissions prior to our announcement were notified by email and given 90 days to either remove the permissions, or submit a permissions declaration form to enable further review.
More about app reviews
We take this review process seriously and understand it’s a change for many developers. We apply the same criteria to all developers, including dozens of Google apps. We added to the list of approved use cases over the last few months as we evaluated feedback from developers.
Our global teams carefully review each submission. During the review process, we consider the following:
Likelihood that an average user would understand why this type of app needs full access to the data.
User benefit of the feature.
Importance of the permission relative to the core functionality of the app.
Risks presented by all apps with this use case having access to this sensitive data.
Availability of more narrow alternatives for enabling the feature.
With this change, some uses cases will no longer be allowed. However, many of the apps we reviewed with one of these permissions can rely on narrower APIs, reducing the scope of access while accomplishing similar functionality. For example, developers using SMS for account verification can alternatively use the SMS Retriever API, and apps that want to share content using SMS can prepopulate a message and trigger the default SMS app to show via intents.
Tens of thousands of developers have already resubmitted their apps to support the new policy or have submitted a form. Thank you! Developers who submitted a form received a compliance extension until March 9th.
Over the next few weeks, we will be removing apps from the Play Store that ask for SMS or Call Log permission and have not submitted a permission declaration form. If your app is removed and you would like to have it republished, you can do one of the following in the Play Console:
submit a new version without these permissions, or
submit a new version of your app that retains the permissions. Doing so will require you to complete a permissions declaration form inside the Play Console (coming soon) and will give you an extension until March 9th to remove the permissions or receive approval for your use case.
Keeping our overall Android ecosystem healthy is very important, and protection of user data is vital to the long term health of all developers. We know these changes have required significant work from you and we appreciate your efforts to create innovative experiences while protecting user’s privacy.