26 September 2023

Off track: How Google is cracking down on location-tracking apps

Start the conversation

Ron Amadeo* says Google has announced a new Play Store policy that will force apps to justify requests for background location access.


Alongside the launch of the Android 11 Developer Preview, Google announced a plan to crack down on Android apps that request the user’s location in the background.

Just as we saw with Google’s pushback against apps that use the accessibility APIs for things that aren’t accessibility related, Google will be flexing the power it has over the Play Store and manually reviewing apps that request location data in the background.

Writing about the new policy, Google says, “As we took a closer look at background location usage, we found that many of the apps that requested background location didn’t actually need it.”

“In fact, many of these apps could provide the same user experience by only accessing location when the app is visible to the user.”

The company says that apps on the Play Store will soon be evaluated by humans to see if the apps actually need the background location permissions they are requesting.

Google lays out the following criteria for requesting background location: “Later this year, we will be updating Google Play policy to require that developers get approval if they want to access location data in the background.”

“Factors that will be looked at include:

  • “Does the feature deliver clear value to the user?”
  • “Would users expect the app to access their location in the background?”
  • “Is the feature important to the primary purpose of the app?”
  • “Can you deliver the same experience without accessing location in the background?”

“All apps will be evaluated against the same factors, including apps made by Google, and all submissions will be reviewed by people on our team.”

The blog post also lists a timeline for the new location rules: “We anticipate the following timeline for this policy rollout; however, it is subject to change.”

April: official Google Play policy update with background location.”

May: developers can request feedback on their use case via the Play Console with an estimated reply time of 2 weeks, depending on volume.”

August 3rd: all new apps submitted to Google Play that access background location will need to be approved.”

November 2nd: all existing apps that request background location will need to be approved or will be removed from Google Play.”

Apps will still be able to request your location in the foreground — meaning when they are the currently visible app.

The new policy only applies to apps that request your location when you can’t see them, which could be used to secretly track the user’s location.

All Android apps need to request the “Location” permission in order to see the user’s location, so even without these changes, users could always hit “deny” and not send the app any information.

This move is meant to crack down on apps that request the permission unnecessarily.

In Android 10, Google added a more limited option to the location permission, allowing users to grant an app access to their permission only when it was running in the foreground.

In Android 11, this setting can be limited even further, with a new permission scope that will allow access to location a single time.

Google says even “apps made by Google” will be subject to these new requirements, but many of the background location requirements give a clear pass to features in Google Maps, like continuously sharing your location with a friend.

Google also makes the base operating system, which can constantly track your location in the background through things like Google Play Services.

This data gets stored on the Internet as your “Location History,” and Google has gotten into hot water recently for not making the controls for this feature as clear as they could be.

In response to the reporting on Location History from the Associated Press, Google revamped its Location History controls with clearer descriptions, and in addition to the ability to completely turn it off, the company added auto-delete options to get rid of data after a certain period.

* Ron Amadeo is the Reviews Editor at Ars Technica. He tweets at @RonAmadeo.

This article first appeared at arstechnica.com.

Start the conversation

Be among the first to get all the Public Sector and Defence news and views that matter.

Subscribe now and receive the latest news, delivered free to your inbox.

By submitting your email address you are agreeing to Region Group's terms and conditions and privacy policy.