Companies have been given 90 days’ time to comply with the directive from Google. The move is part of an update to developer policies of Google Play Store, Google’s marketplace for apps, for which it has been getting flak from rivals such as Apple for having too lax privacy policies.
In the Google ecosystem, all apps are required to seek users’ permission to access personal data and input devices like call logs, SMS, microphone and camera. Certain apps bundle this permission in one— a concern for some users that say app companies do not transparently display permissions sought and what they do with that data.
For some companies getting access to, say, SMS inbox is for convenience - auto fetching OTP in the app when it comes in as SMS - while for others it is crucial to their core service.
“We use sms inbox for user verification and fraud detection,” said Akshay Mehrotra, co-founder and chief executive officer at Early Salary, an online instant loan service. The firm also pulls data from a customer’s SMS inbox, such as their debit and credit card spending via messages from their bank, to build a credit profile in order to give them loans.
Mehrotra says the company had explicitly sought permission from Google to access customer SMSes when it started out. “We have sought feedback from Google and are awaiting their response,” he added.