Facebook warns devs: Google's Android SMS limits hitting passwordless sign-in tool

Facebook urges developers to remove SMS permissions from Android apps that rely on its Account Kit for passwordless sign-in.
Written by Liam Tung, Contributing Writer

Facebook has warned developers using its passwordless tool for their Android apps to make changes to comply with Google's new restrictions on collecting call log and SMS information. 

The new restrictions on apps collecting call log and SMS were announced in October and came into effect on Wednesday. 

They are aimed at stopping app developers from tricking users into unnecessarily giving access to these highly-sensitive permissions. 

The rules largely limit access to the default phone calling app, the default SMS app and the default app for Assistant. But Google only allows it after developers submit a 'permissions declaration form' for review by Google Play.  

There are some exceptions, such as backup and restore functionality, enterprise archive and device management, caller spam blocking, and for companion smartwatch and car apps. These too need to be approved by Google Play. 

A potential problem for developers using Facebook's Account Kit SDK, which enables passwordless sign-in, is that Google's list of invalid uses for SMS specifies 'account verification'. 

Developers use Account Kit so that users can log into their app with just a phone number or email address, instead of password, and also side-stepped the Facebook Login social login. 

Google has been quite strict with compliance. As noted by Android Police, the Android maker has knocked back some developer requests for SMS permissions, forcing them to remove the permissions and break functionality, or risk punishment on Google Play.  

SEE: Cybersecurity in an IoT and mobile world (ZDNet special report) | Download the report as a PDF (TechRepublic)

Facebook's warning to developers didn't give them much time to prepare for Google's new rules. Just a day ahead of Google's deadline for filing permission declaration request forms, Facebook warned developers that Google's restrictions apply to the RECEIVE_SMS permission, which Account Kit relies on in Android "in some cases".      

According to Facebook, developers have two choices: remove the permission, which does impact Account Kit functionality, or file a permissions declaration form by January 9.

"If your app uses this optional permission, you can remove the RECEIVE_SMS permission from your app's manifest to comply with the new policy and ensure that Account Kit keeps functioning as expected. However, the verification code received via SMS will stop being populated automatically," wrote Facebook software engineer Calvin Mak.

Mak notes that developers have until March 9, 2019 to bring their apps into compliance with Google's rules. Facebook also plans to update its Account Kit SDK to help developers comply with Google's rules.   

"Facebook is dedicated to serving its developer community, and given this new policy, the next version of the Account Kit SDK will no longer use the RECEIVE_SMS permission," wrote Mak. 

Previous and related coverage

Google restricts which Android apps can request Call Log and SMS permissions

Only apps selected as the device's default app for making calls or sending text messages will be able to access call logs and SMS data from now on.

Windows 10: Microsoft's plan to kill passwords moves on with new test build

Now Microsoft brings its password-less sign-in to all Windows Insider testers.

Apple killing off web passwords? Safari trials WebAuthn logins on macOS

Safari could join Firefox, Chrome, and Edge support for Web Authentication.

Windows 10 moves closer to killing off passwords with Edge WebAuthn logins

Windows Hello biometric login could soon be the key to all your favorite websites.

Microsoft: This Azure password-banning tool will help kill off bad 'P@$$w0rd' habits TechRepublic

Admins can now significantly reduce the risk of accounts being compromised by password-spraying attacks.

Safari tests USB security key support to help fix our password problems CNET

Apple's browser is catching up to Firefox, Chrome and Edge with better sign-on technology.

Editorial standards