Google Android 17 Introduces Granular Contact & Location Permissions, Ending All‑or‑Nothing Access
What Happened – Android 17 (currently in preview) adds a Contact Picker that lets users grant apps access to individual contacts instead of the entire address book. The same granularity is applied to location permissions, tying access to specific actions and adding a persistent usage indicator.
Why It Matters for TPRM –
- Reduces the risk of third‑party apps harvesting full contact lists for profiling or resale.
- Limits inadvertent data leakage that can be leveraged in downstream supply‑chain attacks or social engineering.
- Sets a new baseline for mobile privacy that vendors must support to remain compliant with client security policies.
Who Is Affected – Mobile app developers, enterprise MDM/EMM providers, and any organization that relies on Android devices for employee work (tech, finance, healthcare, etc.).
Recommended Actions –
- Review contracts with mobile‑app vendors to ensure they will adopt Android 17’s Contact Picker and location‑granularity requirements.
- Update internal MDM policies to enforce the new permission model once Android 17 ships.
- Conduct a gap analysis of existing apps for over‑broad READ_CONTACTS or location permissions and remediate.
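The gap-analysis step above can be started from the apps' manifests. The following is an added example, not code from the brief, from Google, or from Malwarebytes: it scans AndroidManifest.xml documents for the contact and location permissions that Android 17's Contact Picker and action-scoped location model are meant to make unnecessary, and emits a severity-ranked finding per app with a suggested remediation. The permission names are real Android constants; the severity ratings, remediation wording and the package names in the constructed sample manifests are this example's own assumptions.

```python
"""Gap analysis for over-broad contact and location permissions.

Added example (not from the original brief): audits AndroidManifest.xml
text for permissions that should be replaced by the Contact Picker,
the Sharesheet, or in-the-moment location requests.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Real permission names. Severity and remediation text are this example's
# own triage opinions, not Google Play policy wording.
OVERBROAD = {
    "android.permission.READ_CONTACTS": (
        "high",
        "replace with the Contact Picker (ACTION_PICK on ContactsContract) or the Sharesheet"),
    "android.permission.WRITE_CONTACTS": (
        "high",
        "hand off to the Contacts app via ContactsContract.Intents.Insert"),
    "android.permission.ACCESS_BACKGROUND_LOCATION": (
        "high",
        "drop background access; request location only during the user action that needs it"),
    "android.permission.ACCESS_FINE_LOCATION": (
        "medium",
        "request at point of use; prefer coarse location if precision is not required"),
    "android.permission.ACCESS_COARSE_LOCATION": (
        "low",
        "request at point of use only, tied to a visible user action"),
}

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def declared_permissions(manifest_xml: str) -> list[str]:
    """Return the android:name of every <uses-permission> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)]


def audit_manifest(app_id: str, manifest_xml: str) -> list[dict]:
    """One finding per over-broad permission, ordered high -> medium -> low."""
    findings = []
    for perm in declared_permissions(manifest_xml):
        if perm in OVERBROAD:
            severity, fix = OVERBROAD[perm]
            findings.append({"app": app_id, "permission": perm,
                             "severity": severity, "remediation": fix})
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


def audit_fleet(manifests: dict[str, str]) -> dict[str, list[dict]]:
    """Audit a mapping of package id -> manifest text; apps with no findings map to []."""
    return {app: audit_manifest(app, xml) for app, xml in manifests.items()}


# Constructed sample manifests with hypothetical package names.
SAMPLE_MANIFESTS = {
    "com.example.crm": """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.crm">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
</manifest>""",
    "com.example.notes": """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>""",
}

if __name__ == "__main__":
    for app, findings in audit_fleet(SAMPLE_MANIFESTS).items():
        print(f"{app}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  [{f['severity']}] {f['permission']} -> {f['remediation']}")
```

For a real fleet, feed the function the manifest extracted from each APK (for example with `apkanalyzer manifest print app.apk` from the Android SDK command-line tools) rather than the constructed strings above; the output is a per-app list that can be attached to the vendor review or MDM policy exception record.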
Technical Notes – The change is enforced via updated Google Play policies; apps must use the Contact Picker or Android Sharesheet for contact access, reserving READ_CONTACTS for truly essential use cases. Location permissions now require “in‑the‑moment” consent tied to a specific user action, with a persistent UI indicator. No CVEs or exploits are involved. Source: Malwarebytes Labs