Android 17’s New Privacy Defaults Quietly Lock Down Your Data

Privacy by Default: How Android 17 Changes App Permissions

Android 17 introduces a major shift in how your phone protects personal data: privacy is now the default, not an optional extra buried in settings. Three new protections switch on automatically for apps targeting API level 37: a contacts picker, a local network access gate, and an SMS one-time password delay. You do not need to toggle anything, and in many cases you will not even see a permission prompt. Instead, Android quietly restricts what apps can see and do in the background. This is deliberate. Most people never fine-tune app permissions, so Google is changing the baseline rules instead. Apps have to adapt to tighter permission defaults, using system pickers or more limited permissions instead of broad, always-on access. For everyday users, that means less silent tracking, fewer surprises about what an app can read, and better protection even if you never touch the privacy menu.

Contacts Picker: No More Full Address Book Access by Default

Previously, granting an app contacts permission meant handing over your entire address book: every name, phone number, email, birthday, and note, all in one go. With Android 17, that model is effectively retired for updated apps. Instead of broad READ_CONTACTS access, apps are steered to a system-level contacts picker feature, similar to the existing photo picker. When an app needs a contact, it calls the picker and you choose exactly which contact or contacts to share. Access is session-based and temporary: once you finish that interaction, the app’s access ends. Apps can also request only specific fields, like just a phone number without an email, reducing unnecessary data exposure. The picker works across work profiles and private spaces too, letting you select contacts from different profiles without revealing the full lists. The end result is simple: a to-do app or ride-hailing service no longer gets your entire contact list just because you tapped “allow” once.

Local Network Access: Stopping Silent Scans of Your Home Devices

Until Android 17, almost any app on your phone could quietly explore your local network. Games, shopping apps, or long-forgotten utilities could scan devices connected to your router, probe nearby access points, and use this information for network fingerprinting—a powerful tracking method that does not need internet access or ad IDs. Android 17 closes this gap with a new runtime permission called ACCESS_LOCAL_NETWORK. Apps targeting API level 37 must now explicitly request local network access before they can discover or connect to devices on your LAN. Many will instead use a system-provided device picker, which lets you select a printer, smart light, or media box without giving the app broad, persistent visibility into everything on your network. Only apps with a genuine need for ongoing LAN communication—such as home automation or media server clients—should show a prompt. The quiet background scanners simply stop working, and most users will never see a warning or dialog while benefiting from stronger local network access protections.

SMS OTP Delay and the Bigger Shift Toward Built-In Security

SMS OTP security gets a boost in Android 17 through a new three-hour delay on app access to one-time passwords. Previously, any app with SMS read permission could immediately intercept verification codes as they arrived, potentially sidestepping two-factor protection. Now, for apps targeting API level 37, messages containing OTPs are programmatically out of reach for three hours—long after most codes have expired. Your default SMS app, assistant apps, verified companion apps, and services using official SMS Retriever or SMS User Consent APIs are exempt, so everyday logins remain smooth. Alongside Certificate Transparency being enforced by default for HTTPS connections, these changes underline a clear trend: Android is moving from privacy-by-choice to privacy-by-default. Instead of relying on users to detect risky behavior, the system cuts off common abuse paths automatically. As apps update to target the new API level, more of your contacts, local network data, and SMS codes are shielded without you lifting a finger.
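
For anyone reviewing an app fleet against these three changes, the sketch below (an added example, not code from Google or from this article) reads a decoded AndroidManifest.xml and reports which of the affected permissions an app requests and whether it targets API level 37. It assumes the manifest is plain-text XML with a `uses-sdk` element, that the permission named in the article is declared as `android.permission.ACCESS_LOCAL_NETWORK`, and that levels above 37 keep the same defaults; the sample manifests and package name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
NEW_DEFAULTS_API = 37  # API level the article ties the new defaults to

# Permission -> the behaviour change the article describes (paraphrased).
AFFECTED = {
    "android.permission.READ_CONTACTS":
        "full address book; contacts picker shares only chosen contacts/fields",
    "android.permission.ACCESS_LOCAL_NETWORK":
        "runtime prompt for LAN access; device picker avoids broad visibility",
    "android.permission.READ_SMS":
        "OTP messages withheld for three hours unless the app is exempt",
}

def audit_manifest(manifest_xml: str) -> dict:
    """Classify one decoded manifest against the three new defaults."""
    root = ET.fromstring(manifest_xml)  # use defusedxml for untrusted input
    sdk = root.find("uses-sdk")
    raw = sdk.get(ANDROID_NS + "targetSdkVersion") if sdk is not None else None
    target = int(raw) if raw and raw.isdigit() else None
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    hits = {p: AFFECTED[p] for p in sorted(requested & AFFECTED.keys())}
    # Assumption: levels above 37 keep the same defaults.
    applies = target is not None and target >= NEW_DEFAULTS_API
    return {
        "package": root.get("package"),
        "target_sdk": target,
        "new_defaults_apply": applies,
        # Requests whose behaviour changes because the app targets API 37.
        "changed_by_defaults": hits if applies else {},
        # Requests that keep the old behaviour on an older target level.
        "legacy_access": {} if applies else hits,
    }

# Constructed sample manifests (hypothetical package name).
SAMPLE_UPDATED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.rides">
  <uses-sdk android:minSdkVersion="26" android:targetSdkVersion="37"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>"""
SAMPLE_LEGACY = SAMPLE_UPDATED.replace('targetSdkVersion="37"', 'targetSdkVersion="35"')

if __name__ == "__main__":
    for sample in (SAMPLE_UPDATED, SAMPLE_LEGACY):
        print(audit_manifest(sample))
```

Apps that land in `legacy_access` are the ones still holding the old, broad behaviour until they update their target level.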
