Apps with excessive permission requests are nothing new on Android, and Google has been trying to alleviate the issue by changing its policies numerous times over the years. These efforts have had varying degrees of success, but the company is now starting to crack down on apps that have sweeping permissions over first-party services like Gmail and Google Drive.
The first big app that will get hit with the new restrictions is Microsoft's SwiftKey keyboard, which has a powerful text prediction engine that can tap into your email correspondence to deliver predictions tailored to you. To achieve this, however, the app requires permissions to perform the following actions: "View, manage, and permanently delete your mail in Gmail", "Create, update, and delete labels", and "Compose and send new email." All of those fall under the updated "Restricted Scopes" guidelines that forbid apps from gaining complete access to Google User Data.
Google has sent the following email to some SwiftKey users:
Although you don't need to do anything, we wanted to let you know that the following apps may no longer be able to access some data in your Google Account, including your Gmail content. If these apps are unable to meet the deadline to comply with our updated data policy requirements, they'll lose access to your Account starting July 15th, 2019.
We are making this change as part of ongoing efforts to make sure your data is protected and private.
You can always view, manage and remove apps you've given access to your account by visiting your Google Account.
The Google Accounts team
In short, unless Microsoft complies with Google's new data policy requirements, SwiftKey will lose access to Gmail content. Complying will require some changes to SwiftKey, though we don't know whether they will affect any of its 'core' predictive features.
How is Google going to get rid of permission begging in Android apps?
In layman's terms, Restricted Scopes are sets of restrictions that don't allow third-party apps to gain full access over your Gmail and Google Drive. If an app absolutely needs deeper access, the developers must conform to Google's updated API User Data Policy, and the app has to pass a screening by Google.
Here's how Google is restricting third-party access to Gmail and Drive:
- Gmail – Any app that requires permissions to read, create, or modify message bodies (including attachments), metadata, or headers; or control mailbox access, email forwarding, or admin settings.
- Drive – Any app that requires permissions to read, modify, or manage the content or metadata of a user’s Drive files, without the user individually granting file-by-file access.
The updated Gmail access requirements went into force in January this year. Apps that have had access to now-restricted data must pass individual screening and receive a Letter of Assessment from Google by the end of December 2019, in order to keep their access to Gmail Restricted Scopes. All other apps must first be verified and obtain the letter prior to being granted access to Restricted Scopes. It is not yet clear what Google's screening process involves, but the company says that it's enforcing the new rules to increase user data security.
Aside from cutting off access to certain parts of Gmail and Drive, Google is now advising app developers to reduce permission begging in their apps as a whole:
"Don't request access to information that you don't need. Only request access to the minimal, technically feasible scope of access that is necessary to implement existing features or services in your application, and limit access to the minimum amount of data needed. Don't attempt to "future proof" your access to user data by requesting access to information that might benefit services or features that have not yet been implemented."
Could the new restrictions have negative consequences?
As more apps that use Restricted Scopes lose access to Gmail and Drive, we are sure to hear more opinions on Google's latest policy changes. The biggest app that's currently affected—or will be, unless Microsoft complies with the new rules—seems to be SwiftKey. It is not the only one, however.
Sesame Shortcuts is a nifty Nova Launcher add-on that allows you to very quickly and conveniently launch apps, surface data, and perform web searches with a single tap from your home screen. You could also use Sesame's universal search to jump to Gmail labels and specific Google Drive files and folders, but a notification was recently pushed to users, informing them that this functionality is being removed.
We have no information on whether the developers behind Sesame Shortcuts have applied for a screening by Google, or whether the app passed, if they did. This is what the notification says:
Although we don't know how many Android apps use Restricted Scopes in Gmail and Drive—and to what extent the permissions are warranted—there are legitimate apps that will lose some functionality. Of course, this could be for the common good of the user, but it would be interesting to hear the perspective of smaller developers, who may be willing to comply with Google's policies, but unable to. The developers of Sesame Shortcuts say that Google's security audit costs more than they can afford.
The new Google API User Data Policy changes will come into full effect in 2020. By then, developers will have to pass Google's security audit, or comply with the new rules by losing access to Restricted Scopes in Gmail and Drive.