App permissions on smartphones are a complex black box. What an app on your phone can and cannot do is hard to pin down, and the line between the two has moved from one Android release to the next.

Rogue developers exploited this on earlier versions of Android, where every permission was granted in one go at install time. A typical endless-runner game could upload your entire SMS history in the background, and you would never suspect a thing.

Granular, per-permission control first arrived in Android under the name ‘App Ops’ in Android 4.3 Jelly Bean, although it was hidden from the regular user interface. The runtime permission model we are familiar with today was introduced later, with Android 6.0 Marshmallow.

App Ops in Android 4.3 (Image source: XDA)

Similar restrictions can be imposed manually by users with root access, but a native implementation makes it far more practical. The ‘App Ops’ feature still exists in Android, but without any graphical user interface; it survives as a shell utility, so a per-app view of its state can be pulled with a command such as adb shell appops get <package>.

App Ops binary in MIUI 10, based on Android 7 Nougat

Instead, Android grants permissions at install time on devices running Android 5.1.1 Lollipop (API level 22) or lower, and for apps whose targetSdkVersion is 22 or lower on any Android version. On devices running Android 6.0 Marshmallow (API level 23) or higher, an app targeting API level 23 or higher must request each ‘dangerous’ permission (SMS, call log, contacts, location and so on) at runtime, typically the first time the user opens the app or the feature that needs it; ‘normal’ permissions such as network access are still granted silently. Note that an app targeting API level 22 installed on a Marshmallow device keeps the install-time grants, although the user can revoke them from Settings afterwards.

Runtime permission prompt

Even with those safeguards, some of the most sensitive data on a phone can still be abused by apps holding call log and SMS permissions, because a user who taps ‘Allow’ has no visibility into what the app does with the data afterwards. In October 2018 Google started a crackdown by hardening the Google Play Developer Policy around these two permission groups.

A Google Play Help Center article aimed at app developers states the following:

You should only access Call Log or SMS permissions when your app falls within permitted uses and only to enable your app’s core functionality.

Core functionality is defined as the main purpose of the app. It’s the feature most prominently documented and promoted in the app’s description; no other feature is more central to the app’s functionality.

If this feature isn’t provided, the app is “broken” or rendered unusable (i.e., app is deprived of its primary functionality and will not perform as a user would expect).

As collateral damage, many useful apps such as automation tools or call recorders were affected. An entry was filed in the Google Issue Tracker asking for those apps to be whitelisted.

Google Issue Tracker entry on the Call Log and SMS permission policy (screenshot)

Google later updated its list of exceptions, and it did whitelist some of those app categories.

Google’s updated Call Log and SMS permission exception list (screenshot)

On the other hand, the crackdown (related to Project Strobe, Google’s 2018 review of third-party access to user data) does force spooky apps to stop collecting sensitive personal data. Facebook, one of the biggest players in this data collection game, seems to be affected as well.

Project Strobe announcement (screenshot)

In March 2018, several reports (examples: here, here) revealed that Facebook was collecting call logs and text messages from Android phones without user consent.

Facebook issued official statements (examples: here, here) in response to those allegations.

This specific feature allows people to opt in to giving Facebook access to their call and text messaging logs in Facebook Lite and Messenger on Android devices. We use this information to do things like make better suggestions for people to call in Messenger and rank contact lists in Messenger and Facebook Lite.

Now, a quick look inside the latest alpha builds of the Facebook and Facebook Messenger Android apps confirms that the apps no longer ask for SMS and call log access, respectively.

We compared the permissions declared in each app’s manifest against those of older stable or beta builds (thanks to APKMirror for hosting them). Facebook (package name: com.facebook.katana) has dropped the ‘READ_SMS’ permission (android.permission.READ_SMS), while Facebook Messenger (package name: com.facebook.orca) has dropped ‘READ_CALL_LOG’ (android.permission.READ_CALL_LOG).
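The manifest comparison above, and the install-time versus runtime distinction discussed earlier, can both be scripted. The following is an added example written for this article, not tooling from PiunikaWeb or from Facebook: it parses the text that aapt dump badging prints for an APK, diffs the declared permissions between two builds, and reports how each remaining permission is granted for a given device API level. The two badging dumps, the package name com.example.app and the version numbers are constructed for the example, not taken from real Facebook builds, and the DANGEROUS set is a subset of the platform’s dangerous-permission list.

```python
"""Diff the permissions two APK builds declare and classify how each is granted.

Added example, not from the original article.  Input is the text printed by
`aapt dump badging <apk>` (the `targetSdkVersion:` and `uses-permission:` lines).
The two dumps below are constructed for the example; com.example.app is a
hypothetical package, not a real Facebook build.
"""
import re

# Subset of Android's "dangerous" permissions: on API 23+ an app targeting
# API 23+ must prompt the user for these at runtime.  "Normal" permissions
# such as INTERNET are granted automatically and never prompt.
DANGEROUS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.WRITE_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
}

PERM_RE = re.compile(r"^uses-permission: name='([^']+)'", re.M)
TARGET_RE = re.compile(r"^targetSdkVersion:'(\d+)'", re.M)

# Constructed sample: an older build targeting API 22 with SMS/call-log access.
OLD_BUILD = """\
package: name='com.example.app' versionCode='100' versionName='1.0'
sdkVersion:'21'
targetSdkVersion:'22'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.READ_CALL_LOG'
"""

# Constructed sample: a newer build that dropped both and now targets API 26.
NEW_BUILD = """\
package: name='com.example.app' versionCode='101' versionName='1.1'
sdkVersion:'21'
targetSdkVersion:'26'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.CAMERA'
"""


def parse_badging(text):
    """Return (targetSdkVersion, set of declared permissions) from badging output."""
    match = TARGET_RE.search(text)
    target_sdk = int(match.group(1)) if match else None
    return target_sdk, set(PERM_RE.findall(text))


def diff_permissions(old_text, new_text):
    """Permissions added and removed between an older and a newer build."""
    _, old = parse_badging(old_text)
    _, new = parse_badging(new_text)
    return {"added": sorted(new - old), "removed": sorted(old - new)}


def grant_model(permission, target_sdk, device_api):
    """How a declared permission is granted on a device at `device_api`.

    'runtime': dangerous permission, device and target both API 23+, so the
               app has to prompt the user.
    'install': granted when the app is installed (legacy model); on API 23+
               devices the user can still revoke it from Settings.
    'normal':  not dangerous; granted automatically without a prompt.
    """
    if permission not in DANGEROUS:
        return "normal"
    if device_api >= 23 and target_sdk >= 23:
        return "runtime"
    return "install"


def report(old_text, new_text, device_api):
    """One line per permission: removed ones first, then the current set."""
    target_sdk, current = parse_badging(new_text)
    changes = diff_permissions(old_text, new_text)
    lines = [f"- {p}  (removed: the platform now denies this API to the app)"
             for p in changes["removed"]]
    for perm in sorted(current):
        marker = "+" if perm in changes["added"] else " "
        lines.append(f"{marker} {perm}  ({grant_model(perm, target_sdk, device_api)})")
    return lines


if __name__ == "__main__":
    for line in report(OLD_BUILD, NEW_BUILD, device_api=28):
        print(line)
```

Run it against real dumps by replacing the two constructed strings with the output of aapt dump badging for the older and newer APK. The ‘removed’ lines are the ones that matter for this story: a permission absent from the manifest is denied by the platform regardless of what code the APK still contains.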

Facebook pushes numerous builds through various closed and open release channels, so pinpointing the exact version and date of the change is difficult. Jane Manchun Wong (@wongmjane), a well-known reverse engineer, hinted at the changes during the past week.

While we have not dug through the Smali, the missing manifest entries are what count in practice: without the permission declared, the platform denies the SMS and call log APIs to the app (the calls fail with a SecurityException) whether or not the code that used them is still present. Proving that the code itself has been removed would require decompiling the APKs, which we have not done.

Well, that’s a start!

Image source: xkcd #300

PiunikaWeb is a unique initiative that mainly focuses on investigative journalism. This means we do a lot of hard work to come up with news stories that are either ‘exclusive,’ ‘breaking,’ or ‘curated’ in nature. Perhaps that’s the reason our work has been picked by the likes of Forbes, Foxnews, Gizmodo, TechCrunch, Engadget, The Verge, Macrumors, and more. Do take a tour of our website to get a feel of our work. And if you like what we do, stay connected with us on Twitter (@PiunikaWeb) and other social media channels to receive timely updates on stories we publish.

Kingshuk De

I come from a mixed background of Statistics and Computer Science. My research domains included embedded computer systems, mobile computing and delay-tolerant networks in post-disaster scenarios. Apart from tinkering with gadgets or building a hackintosh, I like to hop on various subreddits and forums like MyDigitalLife and XDA.
