Google’s new Play Store policy, following the Google+ data leak, will have significant ramifications for top apps in India across shopping, news, payments, gaming and others. The policy — designed to ensure greater privacy for users— makes accessing a user’s call log, reading an SMS or accessing calendar events tougher for apps. Today, many apps ask for these permissions once they are downloaded, even though these are not required for their core functionality. And users tend to give these permissions, assuming in many cases that the apps would not work well if they didn’t do so. Henceforth, apps can only ask for permissions that are absolutely necessary for their core functionality. A phone app can ask for a contact list and phone call-related permissions, and a messaging app can ask for messaging-related permissions. On the other hand, a shopping app like Flipkart or Amazon, or a travel app like MakeMyTrip cannot ask for call log or contact list permissions. Payments apps cannot take SMS permissions, because it’s not part of their core functionality. In India, this would mean they cannot extract one-time-passwords (OTPs), but they have the option to move to SMS-retriever API (application programming interface) provided by Google to perform the same function. The new policy is aimed at arresting leakage of sensitive call and text data via third-party apps.
The development is of significance for India since it is largely an Android market, compared to the US or Europe. Google, however, is creating certain exceptions. It will allow apps to access calls and text if they can establish that these permissions are core to the functionality of those apps. For instance, a platform like Truecaller could qualify for this exemption since the whole functionality of the platform is based on call logs. Apps will have to submit such requests to Google and the search giant will then review the applications. As of now, all apps have 90 days to be compliant with the new data policy. According to executives in tech startups, the new policy will have an immediate impact over the kind of access many apps would get. Many of the apps in the country ask for access to contacts, SMSs and calendar events that offer unique insights about the user over a period of time. Google said it won’t allow SMS and call log permissions for account verification, content-sharing or invites, contact prioritisation, affinity profiles, or social graphs. The company has, however, created alternative solutions for third-party apps to use these for their services. The SMS-retriever API is one of these. It was reported earlier this week that data had leaked from Google+, the search giant’s social networking platform, but Google chose not to make it public. Following the report, parent firm Alphabet decided to shut Google+.