Android’s SMS & Call Log Restrictions

For several years now, I and a lot of other Android users have used the free, open source app SMS Backup+ to backup call logs and text messages. What made SMS Backup+ such a great app is that not only did it do traditional backups, but it also allowed users to push the call log to Google Calendar and send every SMS to a GMail account, with custom tagging.

But SMS Backup+ is about to become a casualty of Google’s efforts to better protect its users’ privacy–efforts which often seem to also be aimed at further closing what was once a much more open ecosystem than its competitors (and one of the things that attracted many users to Android rather than iOS).

Google has been burned repeatedly by Android malware that is able to access SMS and call logs, and use that to spy on users or exploit that ability to defraud users.

In an effort to better protect users, Google decided to limit which apps can access SMS and Call Log permissions.

Google Play restricts the use of high risk or sensitive permissions, including the SMS or Call Log permission groups.

If your app does not require access to Call Log or SMS permissions, you must remove these permissions from your app’s manifest. Details on policy compliant alternative implementation are also detailed below.

If you believe your app meets the policy requirements for acceptable use or is eligible for an exception, you should declare any Call Log or SMS permissions directly through the Play Console.

Apps that fail to meet policy requirements or submit a Declaration Form may be removed from Google Play.

. . .

For apps requesting access to the SMS or Call Log permissions, the intended and permitted uses include default SMS handling, default phone handling, or Assistant handling capability.

Apps must be actively registered as the default SMS, Phone, or Assistant handler before prompting users to accept any of the above permissions and must immediately stop the use of the permission when they no longer are the default handler.

Notice that backing up SMS or Call Logs, much less pushing SMS message into something like GMail is not on the list of “intended and permitted uses.” I assume Google wants users who wish to maintain backups up SMS messages to use its own Android backup services rather than rely on third party tools. That’s one less security headache for Google, presumably.

The developer of SMS Backup+, Jan Berkel, says he did apply for an exception to the new policy, but was denied,

Hello everyone. I’m sorry about this situation, SMS Backup+ will no longer have access to Gmail, mainly because it’s not an email reading app.

I applied for an exception but it was declined, as expected. Vanilla IMAP might work, but for how long I wonder. And it’s very tricky to set up for a casual user. Unfortunately the Android platform is getting more and more closed.

I’m not sure what to do at this point, either remove the app from the store or release a new version which removes the automatic account setup, since that is broken / will be broken soon.

There are still ways to get backups of SMS and Call Logs and push them to Google Calendar or Gmail, but these will require a lot more technical savvy and effort on the part of users. And even those workarounds may soon be on the Google chopping block.

And with that, a highly useful app that likely had hundreds of thousands of users will disappear and, with it, the functionality that those users found helpful.

Android’s Real Security Problem

Cameron Summerson makes an excellent point about the latest Android vulnerability: Android’s real security problem is the manufacturers,

Currently, manufacturers are doing a terrible job of protecting their users, full stop. While not getting full OS updates (or even point releases) is annoying at best, not getting security updates is unacceptable. It sends a message that can’t be ignored: it says that your phone manufacturer doesn’t care about your data. Your info isn’t important enough for them to protect.

Security updates aren’t huge like full OS updates or even point releases. They’re released monthly by Google, so they’re much smaller and easier to bake into the system—even for third-party manufacturers. Again, there’s no real excuse not to make this a priority.

Carriers also play a significant role in slowing down Android updates. All of these companies that are more than happy to take consumers’ money seem reticent to do beyond the bare minimum to make sure they’re protected on the devices and networks they choose.

As Duo Security notes, the result of this insanity is that “90 percent of Android devices were not on the latest security patch released 26 days prior.”

Shelter for Android–An Android Sandbox App

Shelter is a free, open source app for Android that implements a limited sandbox where you can run other apps.

Run “Big Brother” apps inside the isolated profile so they cannot access your data outside the profile

“Freeze” (disable) background-heavy or seldom-used apps when you don’t need them. This is especially true if you use apps from Chinese companies like Baidu, Alibaba, Tencent.

Clone apps to use two accounts on one device

Time Until | Beautiful Countdown App for Android

Recently I wanted an app that would let me create a widget on one of my home screens to count down the days until a major life event. There are a lot of apps on Android to do this, but since this is a fairly niche featureset, most of them looked like garbage.

Ultimately I ended up settling on Bruno Schalch’s Time Until | Beautiful Countdowns app.

The app is free, but the home screen widget feature requires paying $2.99 for the premium version.

CloudFlare’s Encrypted DNS App for Android and iOS

CloudFlare recently released an app for Android and iOS that makes it easy for users to encrypt their DNS queries using CloudFlare’s DNS resolver.

For once, I’m really not sure what the point is of a security tool like this. One of the criteria for using the app is you need to turn off any VPN you have activated. But I’m not really certain what the use case would be for wanting encrypted DNS but not a VPN.

Personally, I use ProtonMail’s VPN on my phone when I want privacy from the local network operator. There are issues with Proton, but it’s security is more than good enough for anyone not concerned about state actors in their threat model.