Is Android finally about to get on top of apps that quietly suck up location data?
Google’s been wrestling with the issue for years but each control it has introduced has turned out to have exceptions that app makers are happy to exploit.
Some apps need location access to work (SatNav, weather apps, carrier services), some need it some of the time (shopping apps, social media), while most of the rest rarely or never need it at all.
And yet, with Android 11 in the works, Google finds itself having to refine location access once again by announcing a lock on how apps access location even when they have general access permission.
The problem is apps that continue to track device location even when they are not being used, otherwise known as background access – something users only acquired some granular control over in Android 10 last year.
Now, to batten down the hatches for good, the search giant has upped the ante – by forcing developers to submit apps to Google for checking to make sure their location access design is legit.
A quick recap…
In Android 6, 7 and 8, app location access was handled by a toggle between on and off, with a separate option to do so using ‘high accuracy’ mode (i.e. using Wi-Fi, Bluetooth, mobile networks in addition to GPS).
Android 9 continued the on/off toggle for app access but turned high accuracy mode into the global default when location access was turned on (turning it ‘off’ disabled everything bar GPS).
In all cases, apps that wanted to access a device’s location had to ask permission, in effect turning the slider to ‘on’ on behalf of the user.
But once turned on, that permission proved tempting to abuse by apps looking to siphon off as much commercially valuable data about device users as possible, whether that was necessary for the app to function as advertised or not.
Frankly, this was a bit of a mess. A 2019 study discovered that apps with location permission could use covert and side channels to quietly share it with other apps that had been denied the same access, all handily enabled by third-party SDKs. Another 2019 study showed just how much can be inferred about people’s lives from simple location data.
In theory, Android 10 tamed this by allowing apps to access location only when they’re being used rather than all the time, curtailing background access.
According to Google, more than half of Android 10 users selected the while app is in use option but it seems some apps have continued to abuse the feature by requesting background access anyway, that is, persuading users to agree to the allow all the time option.
Says Google’s developer blog:
As we took a closer look at background location usage, we found that many of the apps that requested background location didn’t actually need it.
Google’s new approach in Android 11 is to assess background access as part of the app approval process.
This policy will apply for all new apps from 3 August 2020, with the same control applied to existing apps on the Play store by 2 November, Google said. In short, apps wanting background access will have to justify it.
The probable downside in this new policy is simply that users will find themselves having to cope with more permission requests.
With an Android 11 device, users will gain the ability to grant temporary access permissions while the app is being used, which will have to be re-granted. Normally, that should only happen when the app is closed and then re-opened, but under some conditions, it might occur more often.
Apple’s iOS 13 has had this ability for six months. Another example of how, at least in relation to user privacy, Google is still running to catch up.
Beratung Consulting are dedicated to Security solutions and are a trusted Sophos Partner.