Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

Apr 18, 2026 · 6 min read

Google Just Told Android Apps to Stop Reading Your Entire Contact List

A new Google Play policy forces apps to use a privacy focused Contact Picker instead of bulk access to your contacts. Location tracking gets tighter restrictions too.

A person holding an Android phone with a translucent privacy shield over the contact list

What Is Changing

On April 15, 2026, Google announced a sweeping policy update for the Google Play Store that fundamentally changes how Android apps can access your contacts and location. Instead of letting apps vacuum up your entire contact list, Google now requires them to use a tool called Contact Picker that lets you share only the specific people you choose.

The same update restricts how apps request your precise location. A new "location button" gives apps one time access to where you are without granting persistent tracking permission. Both changes roll out alongside Android 17 and apply to every app on the Play Store.

Why Your Contact List Is a Privacy Problem

When you grant an app the READ_CONTACTS permission on Android, you are not just sharing names and phone numbers. The app gets every email address, physical address, birthday, employer, and note stored for every person in your contact list. If your contacts have profile photos synced from Google accounts, the app gets those too.

Most apps that request this permission do not need all of it. A messaging app that wants to find which of your friends are also using the service does not need your dentist's email address. A ride sharing app that lets you share your ETA with a contact does not need your grandmother's birthday. Yet until now, Android gave apps an all or nothing choice: full contact list access or none at all.

The data harvested through contact permissions has fueled some of the largest privacy scandals in recent years. Facebook's "People You May Know" feature, which surfaced connections people never intended to share, relied heavily on contact list uploads from its mobile app.

How Contact Picker Works

The Android Contact Picker is a system level interface that sits between apps and your data. When an app needs a contact, instead of reading your entire list in the background, it triggers a picker dialog controlled by Android itself. You see your contacts, you tap the one you want to share, and the app receives only that contact's information.

Google's new policy requires all applicable apps to use Contact Picker or similar privacy focused alternatives like Sharesheet as the primary way to access contacts. Apps targeting Android 17 or later that use sharing or inviting features must transition to Contact Picker and remove the READ_CONTACTS permission entirely.

Apps that genuinely need ongoing access to the full contact list, like phone dialers, contact management tools, or backup utilities, can still request it. But they must submit a Play Developer Declaration explaining why bulk access is necessary. Google will review these declarations before granting the permission.

Location Tracking Gets Tighter Too

The same policy update introduces a streamlined "location button" for apps that need your precise location temporarily. Finding a nearby store, tagging a photo with GPS coordinates, or checking local weather no longer requires persistent location access. The location button grants a one time reading and nothing more.

Developers targeting Android 17 must add the onlyForLocationButton flag in their manifest if their app only needs temporary precise location. Apps that need constant location tracking, like navigation or fitness trackers, must submit a separate declaration justifying the need.

Google also removed geofencing as an approved use case for foreground services, pushing developers toward the dedicated Geofence API instead. This prevents apps from running background location tracking under the guise of geofencing.

The Timeline

Developers have at least 30 days from April 15, 2026 to update their apps. But the full enforcement rollout stretches into late 2026:

  • May 15, 2026: Earliest enforcement date for the new contact and location policies.
  • October 2026: Play policy insights in Android Studio will flag apps that need changes.
  • October 27, 2026: Pre review checks in Play Console will block non compliant apps before submission.

The gap between announcement and enforcement is standard for Google Play policy changes, but it means millions of apps will continue having bulk contact and location access for months.

What This Means for You

If you use Android, this is one of the most meaningful privacy improvements Google has made in years. The shift from bulk contact access to Contact Picker means apps can no longer silently harvest every email address and phone number on your device under the cover of a single permission prompt.

You can start taking action now:

  • Audit your contact permissions: Go to Settings > Privacy > Permission Manager > Contacts to see which apps currently have full access.
  • Revoke unnecessary access: Any app that does not need your complete contact list should lose that permission immediately.
  • Check location permissions too: Under Permission Manager > Location, switch apps from "Allow all the time" to "Ask every time" where possible.
  • Update to Android 17 when it becomes available to benefit from the new permission model.

The pattern is clear: both Apple on iOS and Google on Android are slowly tightening the permissions model to limit what apps can silently access. Each step makes mass data collection harder, but the default settings still favor convenience over privacy.

Stop Email Tracking in Gmail

Spy pixels track when you open emails, where you are, and what device you use. Gblock blocks them automatically.

Try Gblock Free for 30 Days

No credit card required. Works with Chrome, Edge, Brave, and Arc.