Does Android still allow lenders to scrap SMS from phones for scoring?

For years, SMS data sat at the center of digital lending across Africa. If you were building a mobile loan app in Lagos, Llongwe, or Accra between 2016 and 2020, chances are your risk model leaned heavily on what sat inside a borrower’s inbox. Salary alerts, mobile money confirmation, betting transactions, loan reminders from competitors. All of these fed into underwriting.

That model worked in markets where formal credit histories were thin and bureau coverage was limited. SMS offered a real-time financial logbook. For early-stage fintechs, it felt efficient and deeply informative.

That era has effectively ended on Android, at least for apps distributed via the Google Play Store.

The question lenders now ask is simple: does Android still allow loan apps to scrape SMS from users’ phones for credit scoring?

The short answer is no, not in the way many lenders once did. The longer answer requires understanding Google Play policy changes, enforcement patterns in Africa, and how regulators and platforms have responded to abusive practices.

Let’s unpack it properly.

What changed inside Android and Google Play

Android as an operating system technically includes permissions that allow apps to read SMS. However, access to those permissions is governed by Google Play policies for any app distributed through the Play Store.

In October 2018, Google announced that it would restrict access to the SMS and Call Log permission groups. By late 2019 and early 2020, enforcement became firm. Most apps were required to remove these permissions unless they qualified for narrow, approved use cases.

The policy is explicit. Apps that fail to meet policy requirements or lack a proper Permissions Declaration Form may be removed from Google Play. Google further states that apps must be actively registered as the default SMS, Phone, or Assistant handler before prompting users to accept any SMS or Call Log permissions.

That condition effectively disqualifies most loan apps.

A digital lender is not a messaging app. It is not a phone dialer and itt does not function as the user’s default SMS handler. Therefore, it cannot justify broad access to SMS under Google’s permitted exceptions.

Google’s Financial Services policy section reinforces this stance. Personal loan apps are prohibited from accessing sensitive data such as photos, contacts, media files, precise location, and related personal content. The banned permission list includes READ_CONTACTS, READ_EXTERNAL_STORAGE, READ_PHONE_NUMBERS, and ACCESS_FINE_LOCATION, among others. SMS belongs to its own permission group, but the broader rule against sensitive personal data and the specific restrictions on SMS and Call Log usage make the practical effect clear.

Loan apps can no longer pull a borrower’s entire inbox for underwriting.

In April 2023, Google tightened rules further. Reporting at the time highlighted that personal loan apps were banned from accessing external storage, photos, videos, contacts, location, and call logs. The changes were part of a broader response to predatory lending behavior globally. While SMS was not always explicitly listed in every public summary, the combined effect of the SMS and Call Log restrictions and the financial services policy makes large-scale SMS scraping incompatible with Play distribution.

If a loan app today attempts to request READ_SMS without qualifying under a narrow exception, Google will flag it during review or through automated checks. The app risks suspension or removal.

For lenders operating on Android through Google Play, SMS scraping as previously practiced is no longer viable.

Why Google acted

The shift did not happen in isolation. It followed years of mounting complaints about abusive lending practices, particularly in emerging markets.

In several countries, digital lenders accessed not only SMS data but also contact lists, photos, and call logs. Some used that information to pressure borrowers by contacting friends and family. Others mined private messages to detect gambling behavior or salary inflows without clearly communicating that practice to users.

Google faced increasing scrutiny for hosting such apps. As a platform operator, it responded by narrowing what financial apps could access.

Globally, India saw high-profile cases of debt shaming and harassment. Kenya and Nigeria experienced similar public outcry. The tightening of Play Store policies formed part of Google’s broader response to predatory digital lending behavior.

The policy applies globally. A loan app in Nairobi faces the same Play requirements as one in Mumbai or São Paulo.

Recommended read: FAQ on white-label app

What this means for African lenders specifically

The consequences have been concrete across Nigeria, Kenya, and Ghana.

Kenya

Kenya’s Office of the Data Protection Commissioner has investigated dozens of digital lenders for illegally collecting private data. According to the ODPC, loan apps had been harvesting large amounts of customer information, including call logs, SMS logs, phone information, photos, and even Facebook contacts.

Kenyan regulators have taken enforcement seriously. The ODPC fined lenders for accessing phonebooks without consent, issuing penalties totaling millions of Kenyan shillings in 2023. The regulator has also warned that scraping SMS without a clear, lawful purpose violates Kenya’s Data Protection Act.

At the same time, the Central Bank of Kenya introduced a Digital Credit Provider licensing framework. Licensed lenders must meet conduct and data protection standards. Between Google’s platform rules and Kenya’s domestic regulation, SMS scraping sits on very shaky ground.

A Kenyan loan app on Google Play must now satisfy both Play policy and Kenyan law. The overlap leaves little room for inbox mining as a scoring tool.

Nigeria

Nigeria followed a parallel path. The Federal Competition and Consumer Protection Commission instructed Google to remove loan apps that breached consumer protection and data rules. By mid-2023, dozens of Nigerian loan apps were delisted from Google Play for operating without regulatory approval and for violating customer privacy.

While the FCCPC’s public focus often highlighted misuse of contacts and photos for debt shaming, the underlying principle applies equally to SMS. If a lender collects personal data beyond what is lawful or clearly consented to, regulators intervene.

Nigeria’s 2023 Data Protection Act strengthened enforcement powers around personal data misuse. The Digital Lending Guidelines require lenders to comply with data protection obligations and maintain transparency in how they collect and process customer information.

Any Nigerian fintech distributing via Google Play must align with Play’s permission rules and Nigerian data law. That alignment makes large-scale SMS scraping legally and commercially risky.

Ghana

Ghana’s enforcement has been slower, but public concern is growing. Local media have described predatory loan apps as digital loan sharks, pointing to cases where apps harvested private data and used it to intimidate borrowers. Commentators warn that extracting and misusing personal data such as SMS or contacts may breach Ghana’s Data Protection Act and potentially criminal statutes.

Even without a comprehensive digital lending licensing regime equivalent to Kenya’s, Google Play policy still governs app distribution in Ghana. A Ghanaian loan app that wants visibility on Play must follow the same SMS restrictions.

In practice, whether enforcement pressure comes from Accra or from Mountain View, SMS scraping for scoring is no longer compatible with staying live on the Play Store.

The legal and privacy dimension

The deeper shift here is not only technical. It is regulatory and reputational. Across Africa, data protection frameworks are maturing. Kenya has an active data protection authority. Nigeria now operates under a new Data Protection Act. Ghana’s Data Protection Act imposes consent and purpose limitation requirements.

Under these regimes, collecting personal data requires a lawful basis. Even where users tap “Allow,” regulators may scrutinize whether consent was informed and proportionate. If an app quietly reads a user’s entire SMS history to infer income patterns, regulators can question whether that data collection aligns with the stated purpose and whether it is excessive.

The era when digital lenders could justify broad data grabs on the basis of innovation is closing. Authorities increasingly expect clear data minimization and transparency.

Google’s Play Store policies reinforce this direction by acting as a gatekeeper. Even if a local regulator has not yet issued a fine, Google can remove the app for policy violations.

For lenders, that dual pressure changes product design decisions.

So is any SMS use still possible?

There are narrow exceptions, but they do not support traditional SMS scraping models.

An app can access SMS if it is registered as the default SMS handler. A loan app rarely qualifies for that role in a genuine way. Forcing users to switch their default messaging app simply to obtain a loan would likely attract regulatory attention and user backlash.

Google also offers the SMS Retriever API, which allows apps to capture one-time passcodes without requesting full SMS read permissions. This API supports authentication use cases. It does not grant access to the entire inbox and cannot power underwriting models that rely on historical transaction messages.

Some risk models still consider SMS metadata such as frequency of messaging, but they must do so within policy limits and without accessing message content. Even then, lenders must be careful about user expectations and consent.

In practical terms, the rich inbox-level scraping that characterized early African digital lending is no longer viable through Google Play distribution.

How lenders are adapting

African fintechs have not stopped lending. They have adjusted their data strategies.

Mobile money and transaction histories

Many lenders now rely more heavily on mobile money transaction histories. In South Africa, MTN and JUMO assess loan eligibility using data such as airtime top-ups, bill payments, and mobile wallet transactions through services like MoMo and Qwikloan. These signals offer insight into cash flow behavior without reading private SMS content.

In Kenya, Safaricom’s M-Shwari model uses mobile money activity and repayment history to determine loan limits. The underwriting focuses on structured transaction data rather than private text messages.

Mobile wallet records provide structured, permission-based financial data. They offer a more defensible legal footing and align better with regulatory expectations.

Open banking and formal financial data

Where available, lenders increasingly integrate with banks and credit bureaus through APIs. With user consent, apps can pull account transaction histories, balance data, and repayment records.

Open banking initiatives across various markets support this approach. Instead of inferring income from salary SMS alerts, lenders can verify deposits directly from bank data feeds.

This approach requires stronger infrastructure and partnerships, but it aligns with both Play policy and data protection laws.

Device signals and behavioral analytics

Some lenders use device-level signals and behavioral analytics. They analyze patterns such as app usage habits, geolocation consistency, airtime purchases, and data consumption. Industry discussions often reference mobile usage patterns, call frequency, SMS activity counts, airtime top-ups, and device details as inputs into risk models.

The key distinction is that these models avoid accessing sensitive content. They rely on signals that Android permits apps to collect without breaching SMS and Call Log restrictions, and they operate within declared privacy policies.

Advanced machine learning models can extract meaningful predictive features from these alternative datasets. That requires investment in data science capabilities and strong model governance, but it reduces regulatory exposure tied to intrusive data practices.

Consent-driven onboarding

Loan apps have redesigned onboarding flows. Instead of silently requesting broad permissions, they explain what data they access and why. Some request explicit permission to retrieve transaction histories from telecom or mobile money providers. Others ask users to upload bank statements or grant read-only API access.

Licensed digital lenders in Kenya and Nigeria must clearly detail in their Play Store descriptions which data they access and for what purpose. Regulators expect transparency, and Google requires clear disclosure of sensitive data use.

Aggregated credit scoring APIs

Another development involves third-party credit scoring providers that aggregate data from multiple sources and deliver a score to lenders. In this model, the loan app itself does not scrape device data. It queries an external service that has obtained data through compliant channels.

This separation reduces the compliance burden on individual lenders and centralizes data governance in specialized firms.

Recommended read: Your admin console is now an Android app and on the Google Play Store

The broader global direction

The restrictions seen in Africa do reflect a global trend. Google and Apple have tightened rules on financial apps worldwide. After debt shaming scandals in India, Google introduced stricter requirements for personal loan apps, including documentation and disclosure obligations. The policy shift aimed to reduce predatory behavior and unauthorized data access.

For African lenders operating in multiple markets, this means product design must satisfy global app store standards, not just local norms. A data practice acceptable in one jurisdiction may still violate platform policy.

Android does not operate in isolation from these governance dynamics. Platform policy, domestic regulation, and public scrutiny interact in ways that shape how digital lending progresses.

Where this leaves lenders today

If you are building or operating a loan app on Android in 2026, you should assume the following:

• You cannot rely on scraping users’ entire SMS inbox for credit scoring if you distribute through Google Play.
• You must justify any request for SMS or Call Log permissions under narrow, approved use cases. Most lending apps will not qualify.
• You face regulatory risk in markets such as Nigeria, Kenya, and Ghana if you collect personal data beyond what is lawful and proportionate.
• You need alternative data strategies that align with both platform policy and data protection law.

This shift does not eliminate digital lending opportunities in Africa but forces a more disciplined approach to data collection and model development.

The early wave of inbox-based scoring surfaced from necessity in low-bureau environments. The next phase will rely on structured transaction data, API integrations, and advanced analytics built on data that users knowingly provide.

Android no longer quietly permits SMS scraping for credit scoring. That chapter has closed for apps that want to remain visible on Google Play and compliant with advancing regulation.

For lenders and credit providers, the real work now lies in building risk models that stand up to regulatory scrutiny and platform review while still serving underbanked customers effectively.