Overzealous Android apps that needlessly ask for permissions to handset resources such as contact lists and location data are not only obnoxious, but also potential privacy threats.
To address this hot-button issue with Android users, Google implemented a strict permission policy designed to keep app developers from needlessly, and sometimes recklessly, accessing personal user data with their apps. On Thursday, Google said its efforts over the past year have paid off.
Among app developers presented with a warning message from Google asking them to curb the number of permission requests in their apps, 60 percent of those removed permissions.
“The breadth of this developer response impacted over 55 billion app installs,” wrote a team of Google developers from the Android Security and Privacy group.
The reduction was voluntary, but did involve Google applying a stick-and-carrot approach to developers. At the heart of the effort is a warning message that Google developers see in the Play Console, the tool used to publish apps and games to Google Play. Google uses an automated process to determine what type of app is being uploaded and gauges how many permissions are being requested relative to similar apps uploaded to Google Play.
“We identify a peer set of apps with similar functionality and compare a developer’s permission requests to that of their peers,” Google wrote. “If a very large percentage of these similar apps are not asking for a permission, and the developer is, we then let the developer know that their permission request is unusual compared to their peers.”
The warning reads in part:
Your app is requesting the following permissions which is used by less than 3% of functionally similar apps… Users prefer apps that request fewer permissions, and requesting unnecessary permissions can affect your app’s visibility on the Play Store…
(see image of full warning below)
Google said it has been experimenting with presenting the warning to developers since late 2017. Last year Google published Reducing Permission Requests in Mobile Apps (PDF), which outlined the problem of “unnecessary or intrusive permission requests by certain apps.”
It explains, “There are a number of reasons why an app may request permissions outside of those needed for its core functionality, such as for analytics, personalization, testing, performance assessment, advertising (especially for free apps), or support for (unused) functionality in libraries that the app includes.”
However, it also cited a number of reports that illuminated instances where rogue apps maliciously used permissions to exfiltrate device data and spy on users surreptitiously.
Google’s antidote was to implement a “novel, algorithmic mechanism intended to discourage mobile-app developers from asking for unnecessary permissions.”
Developers are “incentivized” by what Google calls an automated “nudge” that shows app developers what permissions their competition is requesting. If Google determines the app is asking for too many, it has lower “visibility” in Google Play.
The Google permissions algorithm isn’t entirely based on similar app analysis. It also uses “multiple signals that feed Natural Language Processing and deep learning technology to determine” if an app has the appropriate number of permissions.
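The peer comparison described above can be sketched in a few lines. This is an added example, not Google's code: it assumes a peer set is simply every other app with the same category label (standing in for Google's similarity signals), uses the 3% figure from the quoted warning, and adds a hypothetical minimum peer-set size so that tiny groups are not judged. The catalogue is constructed sample data.

```python
from collections import Counter

RARE_THRESHOLD = 0.03  # the quoted warning fires below 3% of similar apps
MIN_PEERS = 50         # assumption: smaller peer sets are too noisy to judge


def unusual_permissions(app, catalogue, threshold=RARE_THRESHOLD,
                        min_peers=MIN_PEERS):
    """Return {permission: peer_share} for permissions `app` requests that
    fewer than `threshold` of its peers request, or None when the peer set
    is too small to support a percentage."""
    peers = [a for a in catalogue
             if a["category"] == app["category"] and a["name"] != app["name"]]
    if len(peers) < min_peers:
        return None
    # Permissions are sets, so each peer counts at most once per permission.
    counts = Counter(p for a in peers for p in a["permissions"])
    flagged = {}
    for perm in sorted(app["permissions"]):
        share = counts[perm] / len(peers)
        if share < threshold:
            flagged[perm] = share
    return flagged


def build_sample_catalogue():
    """Constructed data: 100 flashlight apps and 3 navigation apps."""
    catalogue = []
    for i in range(100):
        perms = {"CAMERA"}
        if i < 40:
            perms.add("INTERNET")
        if i < 2:
            perms.add("READ_CONTACTS")
        catalogue.append({"name": f"flashlight{i}", "category": "flashlight",
                          "permissions": perms})
    for i in range(3):
        catalogue.append({"name": f"nav{i}", "category": "navigation",
                          "permissions": {"ACCESS_FINE_LOCATION", "INTERNET"}})
    return catalogue


if __name__ == "__main__":
    candidate = {"name": "brightlight", "category": "flashlight",
                 "permissions": {"CAMERA", "INTERNET", "READ_CONTACTS",
                                 "ACCESS_FINE_LOCATION"}}
    result = unusual_permissions(candidate, build_sample_catalogue())
    for perm, share in result.items():
        print(f"{perm}: requested by {share:.1%} of peers")
```

The same function is useful to a developer auditing their own manifest or to a reviewer triaging third-party apps: a permission that almost no functional peer requests is the one to justify or remove first.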
The effort dovetails with Google’s anti-malware Play Protect services and Google Play’s existing user data policies, which require developers to provide clear notice and control over the collection of data in their apps.
In 2018, Google took similar action to protect Android users by placing strict limits on an app’s ability to request phone Call Logs and SMS permissions.
Meanwhile, app permissions continue to be a point of controversy among end-users and developers. Earlier this week Apple took heat over the way it handles permissions tied to cut-and-paste data temporarily stored to an iPhone or iPad’s memory.