(Credit: Pretty Vectors/Shutterstock)

The iOS App Store and Google Play Store have security systems in place designed to prevent rule-breaking apps from appearing in their catalogs, but these systems need to be partially automated to keep up with the sheer volume. That automation can't catch everything, so Google and Apple must periodically update their store policies to widen the net.

This week, Google has begun removing Android apps from its Play Store if they ask for SMS, contact details or call log data that they don't actually need. While this has been a handy way for an app to retrieve codes generated by a two-factor authentication system, these data permissions have also been frequently abused to harvest personal info and sell it illegally.

SEE: How to beef up your Chrome and Firefox security in 2019

(SMS-based two-factor authentication is not very secure anyway, since messages can fail to arrive and are relatively easily to intercept, compared to app-based authentication.)

Google gave advance warning in October that this change was coming to its Play Store. At the time, the store's product management director Paul Bankhead said, "Only an app that has been selected as a user's default app for making calls or text messages will be able to access call logs and SMS, respectively."

In the new announcement, Bankhead adds, "Our new policy is designed to ensure that apps asking for these permissions need full and ongoing access to the sensitive data in order to accomplish the app's primary use case, and that users will understand why this data would be required for the app to function."

FOLLOW Download.com on Twitter for all the latest app news.

Many developers explain on the Play Store why they ask for a given permission, but it hasn't been a hard-and-fast rule. Bankhead's phrasing indicates that any app that's gone through the new procedures to permit access to SMS and call logs must now publicly detail the reasoning for that data request -- and to a degree that Google, not the developer, finds sufficient.

While Google is in the Play Store neighborhood, maybe it can also do something about uninformative app updates, especially those that only say "Information not provided by developer." If an app is on your device, you arguably have a right to know what's changed, or at least a right to know why no update information is being provided.


  • The Google Play Store has begun removing Android apps that violate privacy policies regarding SMS text messages, contacts, and call logs, due to some bad actors harvesting this data purely to sell it.
  • Android developers who have a legit need for these data permissions can fill out a permissions declaration form, which Google will review to decide whether you should get that level of access.

Read more

Tom McNamara is a Senior Editor for CNET's Download.com. He mainly covers Windows, mobile and desktop security, games, Google, streaming services, and social media. Tom was also an editor at Maximum PC and IGN, and his work has appeared on CNET, PC Gamer, MSN.com, and Salon.com. He's also unreasonably proud that he's kept the same phone for more than two years.