Tag Archives: safety

Safer and More Transparent Access to User Location

Posted by Krish Vitaldevara, Director of Product Management Trust & Safety, Google Play

Last year, we made several changes to our platform and policies to increase user trust and safety. We’re proud of the work we’ve done to improve family safety, limit use of sensitive permissions, and catch bad actors before they ever reach the Play Store.

We realize that changes can lead to work for developers. Last year, you told us that you wanted more detailed communications about impactful updates, why we’re making them, and how to take action. You also asked for as much time as possible to make any changes required.

With that feedback in mind, today, we’re previewing Android and Google Play policy changes that will impact how developers access location in the background.

Giving users more control over their location data

Users consistently tell us that they want more control over their location data and that we should take every precaution to prevent misuse. Since the beginning of Android, users have needed to grant explicit permission to any app that wants access to their location data.

In Android 10, people were given additional control to only grant access when the app is in use, which makes location access more intentional. Users clearly appreciated this option as over half of users select “While app is in use.”

Now in Android 11, we’re giving users even more control with the ability to grant a temporary “one-time” permission to sensitive data like location. When users select this option, apps can only access the data until the user moves away from the app, and they must then request permission again for the next access. Please visit the Android 11 developer preview to learn more.

Preventing unnecessary access to background location

Users tell us they also want more protection on earlier versions of Android - as well as more transparency around how apps use this data.

As we took a closer look at background location usage, we found that many of the apps that requested background location didn’t actually need it. In fact, many of these apps could provide the same user experience by only accessing location when the app is visible to the user. We want to make it easier for users to choose when to share their location, and users shouldn't be asked for a permission that the app doesn't need.

Later this year, we will be updating Google Play policy to require that developers get approval if they want to access location data in the background. Factors that will be looked at include:

  • Does the feature deliver clear value to the user?
  • Would users expect the app to access their location in the background?
  • Is the feature important to the primary purpose of the app?
  • Can you deliver the same experience without accessing location in the background?

All apps will be evaluated against the same factors, including apps made by Google, and all submissions will be reviewed by people on our team. Let’s take a look at three examples:

An app that sends emergency or safety alerts as part of its core functionality - and clearly communicates why access is needed to the user - would have a strong case to request background location.

A social networking app that allows users to elect to continuously share their location with friends would also have a strong case to access location in the background.

An app with a store locator feature would work just fine by only accessing location when the app is visible to the user. In this scenario, the app would not have a strong case to request background location under the new policy.

When we spoke to developers for feedback, the vast majority understood user concerns over their information falling into the wrong hands and were willing to change their location usage to be safer and more transparent.

Getting approval for background access

We know that when we update our policies, you want to get actionable feedback and have ample time to make changes. Before we implement this policy change, you will be able to submit your use case via the Play Console and receive feedback on whether it will be allowed under the new policy.

We anticipate the following timeline for this policy rollout; however, it is subject to change.

  • April: official Google Play policy update with background location
  • May: developers can request feedback on their use case via the Play Console with an estimated reply time of 2 weeks, depending on volume
  • August 3rd: all new apps submitted to Google Play that access background location will need to be approved
  • November 2nd: all existing apps that request background location will need to be approved or will be removed from Google Play

Review and evaluate your location access

We encourage all developers to review the following best practices for accessing location data in their apps:

  • Review the background location access checklist to identify any potential access in your code. Remember you are also responsible for ensuring all third party SDKs or libraries that you use comply with our policies, including access to background location.
  • Minimize your use of location by using the minimum scope necessary to provide a feature (i.e., coarse instead of fine, foreground instead of background).
  • Review privacy best practices and ensure you have the proper disclosure and privacy policies in place.
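
As an added example (not from the original post or from Google), the first two checks above can be run over a merged AndroidManifest.xml, which is where permissions contributed by third-party SDKs show up. The sample manifest, package name and service name are constructed; the permission and attribute names are the platform's own.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
PREFIX = "android.permission."
LOCATION_PERMS = {"ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION",
                  "ACCESS_BACKGROUND_LOCATION"}

# Constructed sample: a merged manifest for a store-locator app in which an
# SDK has contributed the background permission next to the app's own entries.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.storelocator">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <application>
    <service android:name=".TrackerService"
             android:foregroundServiceType="location"/>
  </application>
</manifest>""".strip()

def audit_location(manifest_xml):
    """Return (sorted location permissions, findings) for a manifest string."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    declared = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(name_attr, "")
            if name.startswith(PREFIX) and name[len(PREFIX):] in LOCATION_PERMS:
                declared.add(name[len(PREFIX):])
    findings = []
    if "ACCESS_BACKGROUND_LOCATION" in declared:
        findings.append("background: declared; needs an approved use case")
    if "ACCESS_FINE_LOCATION" in declared:
        findings.append("fine: check whether coarse location is enough")
    fgs_attr = f"{{{ANDROID_NS}}}foregroundServiceType"
    for svc in root.iter("service"):
        if "location" in svc.get(fgs_attr, "").split("|"):
            findings.append(f"service {svc.get(name_attr)}: location "
                            "foreground service; review when it starts")
    return sorted(declared), findings

if __name__ == "__main__":
    perms, findings = audit_location(SAMPLE_MANIFEST)
    print("location permissions:", ", ".join(perms) or "none")
    for finding in findings:
        print(" -", finding)
```

Run it against the merged manifest from the build output rather than the source manifest, so that entries added by libraries are included.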

We hope you found this policy preview useful in planning your roadmap for the year and we appreciate your efforts to build privacy-friendly apps. Together, we can keep the Android ecosystem safe and secure for everyone.

What’s under the hood: Security on Google Pay

In the last two years, instant bank-to-bank transfers via UPI have become the preferred form of payment for millions of Indians, many of them adopting digital payments for the first time. At Google Pay, we’ve been very excited to be part of this story and to bring the convenience of UPI to millions of users in a simple and secure user experience.


We launched Google Pay with the best of Google’s security infrastructure, leveraging our experience of 20 years of bringing some of the world’s most helpful technology products to billions of users worldwide. Some of these are: 

  • Enhanced fraud protections with SafetyNet: Beyond the ‘one device - one account’ safeguards offered by UPI, Google Pay is secured with Google Pay’s advanced fraud models and backed by Google’s authentication platform, ensuring world-class protections against fraud attacks and faster identification and suspension of fraudsters.
  • Secure access: The PIN entry screens in Google Pay have been secured against remote desktop attacks since the early days of the app’s launch, keeping our users safe, even when widespread scams have affected other digital payments users.
  • Blocking fraudsters from getting on to Google Pay: Our exhaustive risk relations check at the onboarding stage prevents known bad actors from recreating their accounts on the app.
  • Scam protections: Since its launch, Google Pay has used machine learning-based scam prevention models, and it also displays explicit ‘scam’ or ‘stranger’ warnings if a user receives a request from someone suspicious or not in their contacts.
  • Explicit language and prominent warnings during collect requests: Collect requests as a flow are unique to UPI and thus might be new to several users. For this reason, Google Pay displays very clear and prominent warnings to the user about what it entails at each step.

Additionally, to help our users fully understand each step on the app, we have now launched notifications and SMS alerts to clarify the direction of flow of money: Google Pay will now send app notifications as well as SMS to inform users each time they receive a collect request, highlighting that approving the request will deduct money from the users’ bank accounts.

We are mindful that at Google Pay, users are entrusting us with their most sensitive asset - their money. We are conscious of the responsibility that comes with this trust. The above security features, and a lot more ongoing work in this direction, are a small example of how we keep our users safe.

As we make this journey together, there are steps that our users can also take to keep their money secure. Just as we learnt to handle cash carefully, the world of digital payments requires care and mindfulness as well, to ensure we keep our money safe. Some of these are:

  • Just as you keep your ATM card PIN private, your UPI PIN needs to be safeguarded in the same way. This code is only for your use, to securely access your UPI-linked bank account via Google Pay. The same applies to your phone PIN.
  • Google Pay customer care representatives will never ask for your PIN or ask you to authorise a money transfer while troubleshooting. If anyone contacts you with such a request, always decline.
  • UPI places incredible power in the hands of the user and money can only leave your account if you authorise it. Only approve transfer requests from people you trust, or for transactions that you have initiated. If you don’t remember initiating a transaction, decline.
  • Please pay attention to ‘scam’ and ‘stranger’ warnings that appear on Google Pay in case an unknown contact requests a money transfer. Read these signals carefully and only transact with people you trust.
  • Be alert to the direction of the money flow. Receiving money never requires your UPI PIN, only sending money does. If you need to enter your UPI PIN, you are authorising a payment.
  • If you ever need any kind of support or help, our 24/7 support team is available, and you can contact it safely from within the app. Do not call unverified numbers present on the web.

These simple tips, along with Google Pay’s security infrastructure, can ensure that your experience on digital payments stays seamless, and you can leverage its many conveniences to the fullest. This journey is an ongoing one as we continue to learn and evolve the product, and we look forward to your feedback to make Google Pay even more helpful in your daily life.

Posted by Ambarish Kenghe, Director, Product Management, Google Pay