Google Play Mandates Contact Picker and Precise‑Location Button for Android Apps, Tightening Privacy Controls
What Happened – Google Play announced new policy requirements that force Android apps to use the Contact Picker (or similar privacy‑focused alternatives) for accessing user contacts and to employ a dedicated “location button” for one‑time precise‑location requests. The changes take effect for apps targeting Android 17 (API level 34) and above, with pre‑review checks beginning Oct 27, 2026.
Why It Matters for TPRM –
- Vendors that distribute Android apps via Google Play must modify code and submit declarations, creating a compliance deadline that could affect release schedules.
- Failure to adopt the new mechanisms may result in app rejection, service disruption, or reputational damage for third‑party developers and their enterprise customers.
Who Is Affected – Mobile app developers, SaaS providers delivering Android clients, enterprises that rely on in‑house or third‑party Android applications, and any organization that integrates Google Play‑distributed software.
Recommended Actions –
- Review all Android applications under your vendor portfolio for READ_CONTACTS usage and persistent precise‑location requests.
- Update code to implement the Contact Picker or Sharesheet and add the onlyForLocationButton manifest flag where appropriate.
- Submit Play Developer Declarations for any app that truly needs ongoing contact or always‑on location access.
- Adjust internal release timelines to accommodate Google’s pre‑review checks starting Oct 27.
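The portfolio review in the first action can be scripted against decoded AndroidManifest.xml files; the sketch below is an added example, not code from Google or the source article. It assumes onlyForLocationButton is an attribute on the `<uses-permission>` element (the page names the flag but not its syntax), treats ACCESS_BACKGROUND_LOCATION as the "always‑on" case, and uses constructed sample manifests.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
READ_CONTACTS = "android.permission.READ_CONTACTS"
FINE_LOCATION = "android.permission.ACCESS_FINE_LOCATION"
# Assumption: background location is what the policy calls "always-on" access.
BACKGROUND_LOCATION = "android.permission.ACCESS_BACKGROUND_LOCATION"
# Assumption: the flag is an attribute on <uses-permission>; syntax not on the page.
FLAG = "onlyForLocationButton"


def audit_manifest(xml_text):
    """Return (package, findings) for one decoded AndroidManifest.xml."""
    # Vendor-supplied XML is untrusted; a manifest never needs a DOCTYPE,
    # so refuse it rather than risk entity-expansion in the parser.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE not expected in a manifest")
    root = ET.fromstring(xml_text)
    declared = {}
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.findall(tag):
            declared.setdefault(el.get(ANDROID + "name"), []).append(el)
    findings = []
    if READ_CONTACTS in declared:
        findings.append("READ_CONTACTS")  # migrate to picker or file a declaration
    fine = declared.get(FINE_LOCATION, [])
    # Every fine-location declaration must carry the flag to count as one-time.
    if any(all(a.rsplit("}", 1)[-1] != FLAG for a in el.attrib) for el in fine):
        findings.append("FINE_LOCATION_WITHOUT_BUTTON_FLAG")
    if BACKGROUND_LOCATION in declared:
        findings.append("BACKGROUND_LOCATION")  # needs Play Console justification
    return root.get("package"), findings


# Constructed sample manifests (not taken from any real app).
LEGACY = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.legacy">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""
UPDATED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.updated">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" android:onlyForLocationButton="true"/>
</manifest>"""

if __name__ == "__main__":
    for text in (LEGACY, UPDATED):
        print(audit_manifest(text))
```

A manifest check only shows what an app declares; confirming that the code path no longer reads contacts directly still requires source or runtime review.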
Technical Notes – The policy does not introduce new CVEs; it enforces privacy‑by‑design APIs (Contact Picker, Sharesheet) and a manifest flag (onlyForLocationButton) for one‑time precise location. Apps that cannot function without READ_CONTACTS or continuous precise location must provide a justification via the Play Console. Source: Help Net Security