Apps with excessive permission requests are nothing new on Android, and Google has been trying to alleviate the issue by changing its policies numerous times over the years. These efforts have had varying degrees of success, but the company is now starting to crack down on apps that have sweeping permissions over first-party services like Gmail and Google Drive.
Google has sent the following email to some SwiftKey users:
In short, unless Microsoft complies with Google’s new data policy requirements, SwiftKey will lose access to Gmail content. To comply, some changes will need to be made to SwiftKey, though we don’t know whether this will affect any of its ‘core’ predictive features.
How is Google going to get rid of permission begging in Android apps?
Here’s how Google is restricting third-party access to Gmail and Drive:
- Gmail – Any app that requires permissions to read, create, or modify message bodies (including attachments), metadata, or headers; or control mailbox access, email forwarding, or admin settings.
- Drive – Any app that requires permissions to read, modify, or manage the content or metadata of a user’s Drive files, without the user individually granting file-by-file access.
The updated Gmail access requirements went into force in January this year. Apps that have had access to now-restricted data must pass individual screening and receive a Letter of Assessment from Google by the end of December 2019, in order to keep their access to Gmail Restricted Scopes. All other apps must first be verified and obtain the letter prior to being granted access to Restricted Scopes. It is not yet clear what Google’s screening process involves, but the company says that it’s enforcing the new rules to increase user data security.
Aside from cutting off access to certain parts of Gmail and Drive, Google is now advising app developers to reduce permission begging in their apps as a whole:
“Don’t request access to information that you don’t need. Only request access to the minimal, technically feasible scope of access that is necessary to implement existing features or services in your application, and limit access to the minimum amount of data needed. Don’t attempt to “future proof” your access to user data by requesting access to information that might benefit services or features that have not yet been implemented.”
Could the new restrictions have negative consequences?
As more apps that use Restricted Scopes lose access to Gmail and Drive, we are sure to hear more opinions on Google’s latest policy changes. The biggest app that’s currently affected—or will be, unless Microsoft complies with the new rules—seems to be SwiftKey. It is not the only one, however.
We have no information on whether the developers behind Sesame Shortcuts have applied for a screening by Google, or whether the app passed if they did. This is what the notification says:
Although we don’t know how many Android apps use Restricted Scopes in Gmail and Drive—and to what extent the permissions are warranted—there are legitimate apps that will lose some functionality. Of course, this could be for the common good of the user, but it would be interesting to hear the perspective of smaller developers, who may be willing to comply with Google’s policies but unable to. The developers of Sesame Shortcuts say that Google’s security audit costs more than they can afford.
The new Google API User Data Policy changes will come into full effect in 2020. By then, developers will have to pass Google’s security audit, or comply with the new rules by losing access to Restricted Scopes in Gmail and Drive.