In recent years, Google is well on the way to better protect Android against attacks that focus on the privacy of the user. Android 6.0 Marshmallow is Google’s first operating system where a user has the ability to adjust a number of privacy settings; this way Google offers you the possibility to refuse applications to the camera, microphones or the location of your phone. From Android 6.0 it became clear to developers that they were no longer allowed to appropriate permissions. From now on, an app was only allowed to ask the user, after installation, which permissions the app would have access to; that’s why Google risked that there would be many applications that would not work without the user’s consent. In reality, that turns out to be okay.
Google does not stop there, according to an article by Ars Technica. In October, Google already made a number of adjustments to its policy regarding permissions. This change concerns access to the call and SMS history for applications. Previously, all applications could ask for it, that will no longer be the case. According to Ars Technica, Google has now started banning apps that still ask for access to your calling and texting history.
This blockade was created to prevent multiple risks for users, so contact lists with this blockade no longer leak out, access to call and SMS history can also lead to additional costs if an app abuses the existing API. This could be done by setting up a telephone call from a distance, or by sending text messages to paid telephone numbers.
New APIs for temporary access
Google writes on its support page that developers can obtain (temporary) permission, provided that the user has given permission for this. There are currently only three apps that may have access to your calling and texting history at any time; these are your standard calling and texting apps, in addition to the ‘standard’ digital assistant on your phone, such as Google Assistant.
However, Google gives developers of a limited variety of applications the possibility to use the permissions, which only applies if the app needs access to make its core functionality work. Google specifies apps such as backup apps, caller ID/spam detection apps, but apps for smartwatches and automation of tasks on Android also need access from now on.
In addition to a possible API that is being set up for the apps that can now get temporary permission, there are now four intents that can be used to make a specific request to the operating system. For example, there is an OTP and Account Verification intent that will automatically recognize the verification code and fill it in in your application. You can also create an SMS message via an intent, which must still be sent by the user. There are also intents for sharing a message, but also for starting a telephone conversation. For the first three, permission is required from the user to obtain data. With the ‘Dial intent’, no permission is required.