Important privacy change coming to Android devices
Soon, Android apps that have not been used for a few months will automatically lose the permissions that enable them to access sensitive device features, such as contact lists, SMS messages, and sensors.
In a blog post, Google software engineers Peter Visontay and Bessie Jiang, say: “In order to work, apps often need to request certain permissions, but with dozens of apps on any given device, it can be tough to keep up with the permissions you’ve previously granted, especially if you haven’t used an app for an extended period of time.”
They said in Android 11, they introduced the permission auto-reset feature, which helps protect users’ privacy by automatically resetting an app’s runtime permissions, which display a prompt to the user when requested.
Runtime permissions stop apps from accessing private data without the user’s consent, and give users extra context and visibility into the types of permissions that applications are wanting, or have been granted.
From December this year, Google is expanding this to billions more devices, and permission auto-reset will automatically be enabled on devices with Google Play services that are running Android 6.0 (API level 23) or higher.
In addition, the feature will be enabled by default for apps targeting Android 11 (API level 30) or higher. Users can also enable permission auto-reset manually for apps targeting API levels 23 to 29.
According to the authors of the blog, certain apps and permissions will be automatically exempted from revocation, such as active Device Administrator apps used by enterprises, and permissions that are fixed by enterprise policy.
Developers will also be able to ask the user to prevent the system from resetting their app's permissions, which Google says is useful in cases where users expect the app to work primarily in the background, without necessarily interacting with it.
A game changer
Ilia Kolochenko, founder of ImmuniWeb and a member of Europol Data Protection Experts Network, describes this move as a game-changer for all the unwitting Android users who have granted permissions to mobile apps that don’t need them, or even to malicious apps.
“Many millions of non-technical users are tricked to grant dangerous permissions to adware apps or even installing malicious applications and then grant all existing permissions that may lead to a full compromise of the device,” he explains.
Although Android 10 and 11 have put many novel privacy features in place to protect users from malicious apps, numerous devices are still running obsolete versions of Android that have either basic or no protection at all. “The problem is especially widespread in less developed countries where, however, mobile users use their devices for payments or other sensitive operations.”
Kolochenko says many mobile security experts believe that iOS is more secure by default, particularly considering its vigorous policing of the App Store, application vetting and restrictions to install apps from untrusted sources.
“The new Android feature will foster the race towards stronger data protection and privacy-by-default, hopefully motiving Apple to bring even more advanced privacy features in the near future.”