Our 2024111700 release tried to improve Bluetooth privacy by disabling the Bluetooth contact sharing toggle by default. We thought it’d also address an Android security bug reported on our forum where Android shares contacts even with the toggle disabled for one of two workflows.
Unfortunately, that didn’t address the upstream Android security bug at all and the person who reported it let us know 2 days ago. Disabling sharing by default extended the impact of the Android bug. When it was on by default, turning off the toggle in the other UI flow did work.
We’ve rolled back our change, fixed the upstream Android security bug and reimplemented changing contact sharing to disabled by default in a more robust way. New OS release coming out today with it. Sorry we screwed this one up and made it temporarily worse rather than better.
This has been an Android security bug for a long time and our failure to fix it led to gaining a proper understanding of the upstream bug and properly fixing it. The regression we caused making it temporarily worse has only been in Stable for 8 days and now it’ll be fully fixed.
No way to avoid the upstream bug giving hands-free calling devices contacts beyond not triggering pairing from outside Settings or other edge cases. New form caused by us disabling sharing by default can be worked around by toggling it on and off. Whole issue will be fixed today.
It’s quite bad that Bluetooth devices can scrape contacts from Android devices by presenting themselves as a hands-free calling device and having users pair from outside Settings such as via the quick tile. That’s why we tried to fix it too hastily. Thankfully fixed properly now.