The struggle to block spam calls on Android
I have had a rough week as a hobby Android developer.
TL;DR: My app has been rejected from Google Play because it requires the read call log permission, and I’m going crazy trying to get Google to restore it.
In October 2018 Google announced restrictions on several of their permissions, meaning that apps on sale on Google Play would be more restricted in what they could do and what phone data they would have access to.
Google’s goal with these new restrictions is to protect its customers, the users who buy apps from Google Play. Android developers have historically had a lot of freedom to create apps that use the core functionality of the OS, for example to send text messages on behalf of the user and read the user’s contact list.
Because of the openness of the OS, Android apps have always been able to achieve functionality that is impossible to do on an iPhone. At the same time, the openness has given malicious developers the possibility of stealing user data and doing other harm to users. The most famous example of this is probably how Facebook stole many users’ contact lists and text messages.
I have for several years developed an Android app for detecting and blocking spam calls and calls from telemarketers, called Telefonterror.no. I also have an app for iOS.
The Android app uses the READ_CALL_LOG permission to be able to detect the incoming phone number. The read call log permission is one of the permissions that are now restricted, and at the moment my app is kicked out of Google Play.
For a developer to be allowed to use the read call log permission, there are two options. The main one is to create a phone app. From Google’s guidelines:
Permitted uses of the SMS & Call Log Permissions
For apps requesting access to the SMS or Call Log permissions, the intended and permitted uses include default SMS handling, default phone handling, or Assistant handling capability. Apps must be actively registered as the default SMS, Phone, or Assistant handler before prompting users to accept any of the above permissions and must immediately stop the use of the permission when they no longer are the default handler.
Google developer guidelines: https://support.google.com/googleplay/android-developer/answer/9047303?hl=en
This is far from the use case of my app, a single purpose app that is running in the background and blocking unwanted calls.
Luckily, there is another option. Google offers some exceptions from the main rule.
Google Play may provide a temporary exception to apps that aren’t Default SMS, Phone, or Assistant handlers when: Use of the permission enables the core app functionality listed below; and There is currently no alternative method to provide the core functionality
Use: Caller ID, spam detection, and/or spam blocking
Eligible permissions: READ_CALL_LOG
This use case is exactly my app! Wohoo!
I uploaded a new version of my app to Google Play Console. This is how you start the application process.
I described how to use my app and submitted the application. Since my app has one single function, which matches one of the allowed use cases listed on Google’s guideline pages, I thought this would be a walk in the park.
The answer from Google came the next day:
Publishing status: Rejected
Whaaaat? Why? I kept reading:
We couldn’t verify the declared core functionality of your app during our review.
I applied again, with a slightly different wording.
I applied again, with a video showing exactly how to use the app.
Now I started changing the app, removing functionality to make certain that the reviewers couldn’t misunderstand what the core functionality of the app was (I mean, it already did just a single thing, so it wasn’t that much to remove).
I applied again.
This time with a different response:
Based on our review, we found your app’s expressed user experience did not match your declared core functionality Caller ID, spam detection, and spam blocking.
What the what?
Now I’m just lost. I have created an app that does nothing other than “Caller ID, spam detection and spam blocking”.
The app is also extremely privacy focused and doesn’t send any data out, not even crash data or usage analytics.
It is exactly the opposite of the kind of app that Google wants to combat.