After showing the door to apps involved in ad-fraud and those which seed malware, Google is now cracking down on Android apps which require permission to access call logs and SMS. Google has notified developers that over the course of the next few weeks, apps whose core functionality does not require SMS and call log permission will be removed from the Android app store repository. Google has revealed that until an app has been reviewed and certified that it requires the aforesaid permissions to justify its primary function, it will be under the scanner and might be removed from the Play Store.
Back in October last year, Google informed developers to update their apps to API level 26 and also tweak the permissions required by them to fall in line with the new guidelines aimed at protecting users. Developers were given 90 days to review their app's permissions and make the necessary changes or justify the necessity using a permission declaration form, after which Google's team will review those apps.
Now that the 90-days span has expired, Google has announced that its team will soon begin removing apps which require call logs and SMS permissions from the Play Store. However, only those apps will be booted off for which the developers are yet to submit a permission declaration form. Google has pointed that its team assesses factors such as user benefit of the permissions, availability of more narrow alternatives, risks presented by the app and the sheer importance of the permissions for helping an app accomplish its core objective. Also, developers should be able to explain why an app requires permission to access such sensitive data.
However, Google has not revealed a specific date when the app eviction process would commence. As for developers whose apps are kicked off in compliance with the new guideline, they will get the opportunity to submit an updated version of their app without the permissions. Alternatively, they can choose to submit a permission declaration form to keep their app listed on the Play Store temporarily until March 9, during which it will be reviewed and receive the final nod if deemed reasonable. Google has also mentioned that rather than relying on permissions, app developers can opt for narrower APIs to accomplish the required task. Take for example the SMS retriever API, which can be used for account verification via SMS without requiring extra app permissions.