The post Android 17 ends all-or-nothing access to your contacts appeared first on Malwarebytes.

Some of the apps on your phone want your contacts. Most don’t need them all, but have been happily slurping up the lot for years. Google has decided to do something about that with the next version of Android.

Android 17 (currently in preview) is introducing a new Contact Picker that lets users grant apps access to specific contacts rather than the entire list.

Previously, any app that needed a single phone number had to request READ_CONTACTS. That’s a permission that handed over every name, email, and number. It’s the digital equivalent of handing someone your entire Rolodex because they asked for one business card.

An app that can harvest your entire contact list can map your social network, identify your family members, and potentially hand that data to whoever’s buying. So whenever you click “yes” to “show us all your contacts” it isn’t just your privacy you’re playing with.

From Android 17 onward, apps will need to be more specific about what contact data they access. Phone number? Fine. Email address? Sure. Your cousin’s mailing address? Not unless the app has a reason.

Google’s updated Play policy will require apps to use the Contact Picker or the Android Sharesheet as the main way to access contacts. READ_CONTACTS will be reserved for apps that genuinely can’t function without it. 

Location sharing gets the privacy treatment

Location permissions are also set to become more granular and privacy-friendly in Android 17.

Previously, apps could ask for your precise or general location, and you could allow it just once, any time you’re using the app, or not at all. The new button adds nuance by letting app developers ask for your location in the moment, tied to a specific action, like finding a local cafe.

There will also be a persistent indicator to let you know when an app is using your location, similar to the alerts for camera or microphone access. And you’ll be able to find out which apps are tracking you as well.

Google blocked 8.3 billion bad ads in 2025

The tighter permissions management in Android 17 is a big deal for privacy advocates, because overly broad access is how data brokers build detailed profiles about you.

Those profiles can then be used for aggressive or invasive advertising, including scams.

Mobile protection, anywhere, anytime.

Google timed these privacy announcements alongside its latest Ad Safety report, which says it blocked 8.3 billion policy-violating ads and suspended 24.9 million advertiser accounts in the last year. 

The 8.3 billion figure is up from 2024, when Google blocked 5.1 billion ads. The increase suggests that the problem is getting worse, or that Google is getting better at catching it. Scam ads are a big part of that. In 2024, Google blocked 415 million scam-related ads. In 2025, that number grew to 602 million. 

Lest we forget

We’ll give Google credit for trying to tackle this problem from both ends—limiting data collection and cracking down on the kinds of ads that use that data maliciously. But there’s still a sense that it’s not doing quite enough.

Yes, the Android 17 permission changes are good for users, but granular contact access should have been the default years ago. Apple has been doing it for 18 months in iOS 18, and even that was years too late, in our opinion.

And while Google says it caught over 99% of violations before users ever saw them, 1% of an insanely large number is still insanely large.

The ads that still get through are damaging. In December, we reported on sponsored search results pointing to malicious AI chats that instructed people to install infostealer malware. Why does Google run ads that look like search results? Because its business model is driven by advertising revenue. At least it’s making it easier to hide them now.

So we’ll give a cautious hand clap to Google. It’s moving in the right direction. But stories about how it knowingly giving kids’ data inappropriately to advertisers or misusing health data still give us pause.

Scammers know more about you than you think. 

Malwarebytes Mobile Security protects you from phishing, scam texts, malicious sites, and more. With real-time AI-powered Scam Guard built right in. 

Download for iOS → Download for Android → 

*** This is a Security Bloggers Network syndicated blog from Malwarebytes authored by Malwarebytes. Read the original post at: https://www.malwarebytes.com/blog/mobile/2026/04/android-17-ends-all-or-nothing-access-to-your-contacts