Query to Android developers who are using the QUERY_ALL_PACKAGES permission

I'm a developer of an Android library which requires the QUERY_ALL_PACKAGES permission when the app targets Android 11 or higher.
There was a new policy from the Google Play store 2 years ago under which they would require developers to submit a reason for using the QUERY_ALL_PACKAGES permission. But the policy was postponed for 2 years, and now they have restarted it.
Related Link: https://support.google.com/googleplay/android-developer/answer/10158779
In this document, Google says this policy will block app updates from 12th July 2022 if there is no declaration. But one of my customers got an alert mail from Google saying their app will be blocked from 4th May 2022 if they don't declare the reason for this permission usage.
My team is not managing the Android app, just managing the library, so we have not received a similar mail at all. My other customers have not received a similar mail yet either.
Are there Android developers who have received a similar mail from the Google team? If you have, would you share the due dates for declaring use of the QUERY_ALL_PACKAGES permission mentioned in your mail?

For security reasons you cannot ask for the QUERY_ALL_PACKAGES permission. It allows you to check or get all the apps installed on the phone.
If your app is like a cleaner app or has a feature like an app manager, then for this kind of feature you can add QUERY_ALL_PACKAGES. You will need to show a video of the feature that uses QUERY_ALL_PACKAGES or give a specific reason.
If your app only needs to check whether a specific app is installed, you can add it as below.
<!-- remove the QUERY_ALL_PACKAGES permission and add entries like the ones below -->
<queries>
    <package android:name="com.whatsapp" /> <!-- replace with your package name -->
    <package android:name="com.whatsapp.w4b" />
</queries>
I need to check whether WhatsApp and WhatsApp Business are installed. You can add yours the same way. And I think there is no limit on checks like the above.
I also received the same mail. Before the deadline date you need to give a reason or update your app as I explained above.
I hope you understand.

I also received an email about this policy, but the paradox is that I do not need or use that permission, at least not explicitly stated in the Manifest.

Related

Action requested - Submit the QUERY_ALL_PACKAGES permission declaration by July 20

Here is the email I received from Google Play. I added QUERY ALL PACKAGES permission to the manifest file so that all the features would function properly in Android 11 or later. But in reality, I simply require a portion of the permission to implement those functionalities. So, if the "QUERY ALL PACKAGES" permission is withdrawn and another core permission is added in manifest file, do we still need to submit a permission declaration?
DEVELOPER UPDATE
Hello Google Play Developer,
If your app requires the QUERY_ALL_PACKAGES permission, you need to
submit the declaration form in Play Console by July 20. Otherwise, you
will not be able to submit new apps or app updates.
Action required:
If your app does not require use of the QUERY_ALL_PACKAGES permission, you must remove the permission from your app manifest.
If your app requires use of the QUERY_ALL_PACKAGES permission, you’ll need to provide a description and short video of the core
feature in your app that requires this permission. To prepare for the
questions you’ll need to answer, review this Help Center article.
You have until July 20 to submit the declaration or remove the
permission from your app manifest. Apps that fail to meet the policy
requirements or do not submit the declaration form may be removed from
Google Play starting July 20.
Thank you for continuing to partner with us to make Google Play a safe
platform for you and your users.
Thank you,
The Google Play team
Try these solutions if you don't need QUERY_ALL_PACKAGES permission
https://stackoverflow.com/a/73104066/10657559
https://stackoverflow.com/a/72774358/10657559
Updating an app that has sensitive permissions on the Google Play Console
In my case I have submitted declaration form in play console like below
Go to Google Play Console, under Policy area -> App Content -> click Manage button under Sensitive permissions and API
Here lists all sensitive permission used in our app -> click Manage button under corresponding permission
Fill the declaration form
I have submitted this 3 weeks ago and I haven't met with any issues from Google Play Console so far.

Issue: Violation of Permissions policy remove app by google

I'm trying to release an app on Google Play Console. There is one declaration form which is required, with 19 core functionality options. But the problem is that I have to remove all previous permissions.
When app review rejects my app, it sends me an auto-generated mail.
After reviewing your app, we found that it doesn’t qualify to use the requested permissions for the following reason(s):
Based on our review, we found your app’s expressed user experience did not match your declared core functionality Default SMS handler (and any other core functionality usage while default handler). Please remove these permissions from your app.
Default handler capability was listed on your declaration form, but your app does not appear to have default handler capability. Please submit a revised declaration form.
What I'm missing?
Please help me out.
Fill-up google docs for permission.
Make sure your permission is given in manifest and give the pop up in user level.
Contact google developers for Details.
See this
Google has blocked some permissions like READ_CALL_LOG, WRITE_CALL_LOG and SMS related permissions. Basically they are saying that if you are trying to send SMS or handle Calls like TrueCaller, submit your application we will take a look at it.
I think they are aiming for quality applications that are developed by viable developer companies or individuals. Also, SMS phishing and similar harmful applications are automatically erased from the Play Store.
Also, if you have a beta or alpha with these permissions, you need to remove them too. To be sure, remove the APKs with harmful permissions from the artifact library.

How to handle a rejection based on new Android Store policies regarding permissions?

While I am updating an app on Play store. I am getting following error according to the new policy of Google:
I have also checked all the options that are available, but again and again, Google rejects my application.
I am new to Android.
Issue: Violation of Permissions policy
After reviewing your app, we found that it doesn’t qualify to use the requested permissions for the following reason(s):
Based on our review, we found your app’s expressed user experience did not match your declared core functionality {SMS-based financial transactions (e.g., 5 digit messages), and related activity including OTP account verification for financial transactions and fraud detection}. Please remove these permissions from your app.
This is my manifest containing permissions I have declared
SMS permission is no longer allowed for reading OTPs, as Android is going to give this feature to users out of the box.
You have to register as a messaging app to get SMS and CALL_LOG permissions.
So recently, Google changed its policies, read it at XDA
Same thing happened with my app, It got removed from play store, for using SMS features.
You need to remove those permissions from Android Manifest and if you need to send a message to someone, you need to use Intents to form a message and fill out the messaging app and user has to manually send the message.
Or if you are trying to access SMS permission for automatic OTP, there are other ways to do it.
As it turns out, you need to fill a form. Read this article from Google and refer to this answer on StackOverFlow
Do not update your minSdkVersion in this release. You need to rollout removal of permissions for all of your users.
Try deactivating previous versions of your apk on play console. If you updated minSdkVersion of your app and did not deactivate older apks, older devices are still served the apk with permissions.
This worked for me!

Permissions policy that will limit which apps are allowed to request Call Log and SMS permissions

Today I got a mail like this, according to this I’m not able to use RECEIVE_SMS READ_SMS anymore in my app. In my app I’m using auto read OTP. Is there any solution for this?
Hello Google Play Developer,
In October, we announced updates to our Permissions policy that will
limit which apps are allowed to request Call Log and SMS permissions.
This policy will impact one or more of your apps.
Only an app that has been selected as a user's default app for making
calls or text messages, or whose core functionality is approved for
one of the exception use cases, will be able to request access to Call
Log or SMS permissions.
Action required
Below, we've listed apps from your catalog which do not meet the
requirements for permission requests. Please remove any disallowed or
unused permissions from your app's manifest (specified below), migrate
to an alternative implementation (e.g. SMS Retriever API for most
cases of OTP verification), or evaluate if your app qualifies for an
exception.
Next steps
Read through the Permissions policy and the Play Console Help Center
article, which describes intended uses, exceptions, invalid uses, and
alternative implementation options for usage of Call Log or SMS
permissions.
Update your app or submit a Permissions Declaration Form.
Option 1) If your app does not require access to Call Log or SMS
permissions: Make appropriate changes to your app by removing the
specified permissions from your app's manifest or migrating to an
available alternative implementation by January 9, 2019.
Option 2) If your app is a default handler or you believe your app
qualifies for an exception: Please submit a request via the
Permissions Declaration Form. You do not need to have implemented APK
changes in order to submit a form. Declaration Forms received by
January 9, 2019 may be eligible for additional time to make changes to
bring their app(s) into compliance. If you have recently submitted a
Permissions Declaration Form, we are in the process of reviewing your
information and will respond to your application.
Make sure that your app is otherwise compliant with all other
Developer Program Policies to prevent your app from being removed.
Alternatively, you can choose to unpublish the app.
Our Developer Program Policies are designed to provide a safe and
secure experience for our users while also giving developers the tools
they need to succeed. That is why we will remove apps that violate our
policies. In cases of repeated or serious violations of our policies,
we may also terminate your developer account and any related developer
accounts.
We appreciate your willingness to partner with us as we make these
improvements to better protect users.
Affected apps
Affected apps and permissions are listed below, up to 20; if you have
additional apps, please ensure that they are also compliant with the
Permissions policy.
This one is also a solution. Without submitting the form we have another solution; for this we need to generate an app ID.
SMS Retriever Api
This is a really new headache for developers.
While updating my app on the Play Store with a new version code, I can't find the permission declaration form to fill in.
I'm not using SMS and call log permissions any more, but I still can't update my app.
Here is how I solved this problem; I hope it helps someone.
First check if you have any alpha, beta or other active testing tracks.
If you have, go to the artifact library and see how many active artifacts you have.
Go through the permissions of each of them; if you find the SMS or call log permission in any of them, you have found the problem.
Deactivate the track if you can.
If you can't deactivate them, create an APK with those permissions and upload it to the track which previously contained an APK with those permissions in the artifact library.
Then you will see the permission declaration form. Fill in that form, choose No when it asks whether your app follows the Google Play Store permission policy, then roll out your application.
Then do the same for all the active tracks without the permission; this time you can choose Yes in the declaration form and choose the option for which you previously used those permissions. I was using them for OTP verification, so I chose that one.
After updating all these tracks, you need to promote your app to production one by one in increasing order of version code, until at last there is only one active artifact track, production, and now you can update in that track only.
I hope it helps someone.
If your app is not using those permissions and a third-party library is using some of them, use the code below to avoid those permissions. It may affect the smooth functioning of those libraries.
<uses-permission
android:name="android.permission.RECEIVE_SMS"
tools:node="remove" />
<uses-permission
android:name="android.permission.READ_SMS"
tools:node="remove" />
<uses-permission
android:name="android.permission.SEND_SMS"
tools:node="remove" />
or else you can use alternate methods in the answers, example
SMS Retriever Api
It's not like what you are thinking. Go to this link and fill in and submit the form. If your app's default function is to show the SMS inbox or just OTP account verification, then they will not remove your app.
Google is no longer allowing more apps with SMS permission due to security and privacy issues. So if you need phone number verification, then
Firebase Auth is the best option. It's almost free.
Limit: verification code SMS messages: 50 messages/IP address/minute, 500 messages/IP address/hour
https://firebase.google.com/docs/auth/android/phone-auth
According to google "You may only request permissions that are necessary to implement critical current features or services in your application. You may not use permissions that give access to user or device data for undisclosed, unimplemented, or disallowed features or purposes".
Click Here To Read Official Google Permission Doc
If your app needs to read SMS for SMS-based user verification / OTP verification, please use the SMS Retriever API, which does not need any SMS permission, and your app can still read SMS for OTP verification.
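An added example, not part of the original answers: a small Python check, suitable for a CI step, that reads a manifest and lists which of the permissions discussed in these threads (QUERY_ALL_PACKAGES, SMS and call log) are still requested, skipping entries marked tools:node="remove", and which packages are declared under <queries>. The sample manifest and the com.example.app package name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
TOOLS = "{http://schemas.android.com/tools}"

# Permissions the threads on this page report as needing a Play declaration.
DECLARATION_REQUIRED = {
    "android.permission.QUERY_ALL_PACKAGES",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.WRITE_CALL_LOG",
}

def audit_manifest(xml_text):
    """Return (flagged_permissions, queried_packages) for one manifest."""
    root = ET.fromstring(xml_text.strip())
    flagged = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            # In a source manifest, tools:node="remove" tells the merger to
            # strip the entry, so it is not a request for the permission.
            if el.get(TOOLS + "node") == "remove":
                continue
            name = el.get(ANDROID + "name")
            if name in DECLARATION_REQUIRED and name not in flagged:
                flagged.append(name)
    # Targeted package visibility: <queries><package android:name="..."/>
    queried = [p.get(ANDROID + "name") for p in root.findall("queries/package")]
    return sorted(flagged), queried

# Constructed sample: a library pulled in QUERY_ALL_PACKAGES and READ_SMS;
# the app already strips READ_SMS and lists the two packages it checks.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools"
    package="com.example.app">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES" />
    <uses-permission android:name="android.permission.READ_SMS"
        tools:node="remove" />
    <queries>
        <package android:name="com.whatsapp" />
        <package android:name="com.whatsapp.w4b" />
    </queries>
</manifest>
"""

if __name__ == "__main__":
    flagged, queried = audit_manifest(SAMPLE_MANIFEST)
    for name in flagged:
        print("needs declaration or removal:", name)
    print("packages visible via <queries>:", ", ".join(queried))
```

Because the answers above note that older artifacts on active tracks can still carry these permissions, the same check is worth running against the manifest of every artifact that is still active, not only the newest build.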

GET_ACCOUNTS permission while using GCM - Why is this needed?

I have an app, with Push notifications implemented.
I want to understand the reason why we need "GET_ACCOUNTS"(android.permission.GET_ACCOUNTS), while implementing GCM? Some users are raising concerns with this permission. I have used this permission in the manifest as it was given in the official site here.
How safe is this permission? and if I remove this, from my manifest, will the push notifications work?
It uses an existing connection for Google services. For pre-3.0
devices, this requires users to set up their Google account on their
mobile devices. A Google account is not a requirement on devices
running Android 4.0.4 or higher.
So this is the reason for requiring the permission
<uses-permission android:name="android.permission.GET_ACCOUNTS" />
to read Google account.
Read more about this GCM Overview
Google account login is no longer needed for GCM to work. So you do not need the android.permission.GET_ACCOUNTS permission.
If you are using the GCM API (with GoogleCloudMessaging.register), you no longer need to configure a Google account on any Android version. But if you are using the deprecated library (GCMRegistrar.register), you still need a Google Account on older versions (before ICS).
More details at https://groups.google.com/forum/#!topic/android-gcm/ecG-RfH-Aso. Another similar thread is Why google Account login is required for GCM to work for devices below 4.0.4 OS?
The GET_ACCOUNTS permission is no longer needed for GCM to work. It used to be required for registration to GCM, but a recent Play Services update stopped using the Google account even on Froyo and Gingerbread. If you are registering to GCM with Play Services (i.e. With GoogleCloudMessaging.register), you no longer need this permission on any Android version. If you are using the deprecated library (GCMRegistrar.register), you still need a Google Account on pre 4.0.4 version, which requires that permission.
Source (posted on android-gcm Google Group by a Google developer) :
Some background:
Froyo and Gingerbread registration is implemented in
GoogleServicesFramework, using the Google account for registration.
This has resulted in a lot of auth errors for people where the account
was not in a good state.
Starting with ICS, GCM doesn't depend or uses the Google account - you
can use it before you add an account or without any accounts.
The "Play Services" update is implementing the new scheme on all
devices - but it seems a small number of devices have problems with
this, we're investigating - but the numbers are far lower than those
with the old scheme.
As everyone else here has said, GET_ACCOUNTS is needed for Android devices lower than 4.0.4.
If you are like me and have installed a library that automatically adds this permission but you do not need it, you can tell the AndroidManifest to remove the permission by adding the permission with the tools:node="remove" attribute.
In your AndroidManifest.xml file, make sure the xmlns:tools attribute is defined in your manifest tag and then add the permission with remove set:
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
xmlns:tools="http://schemas.android.com/tools"
...>
...
<uses-permission android:name="android.permission.GET_ACCOUNTS" tools:node="remove" />
...
</manifest>
Word of warning that this never actually works for me but I know it has worked for others. If you can see what I might be doing wrong or have any more info about it, please comment!
*Edit: There is a bug report open to get this feature working:
https://bugzilla.xamarin.com/show_bug.cgi?id=48153
When you add
compile 'com.google.android.gms:play-services:7.5.0'
to the build.gradle file, the GET_ACCOUNTS permission is added automatically.
For example, if a developer only has to use AdMob in the project, specify only this permission in the build.gradle file:
compile 'com.google.android.gms:play-services-ads:7.5.0'
If you need any further clarification, see this link: https://developers.google.com/android/guides/setup
I don't think this is actually the case. I tested it on a freshly factory reset Gingerbread device with a new Gmail account and I could receive GCM messages just fine without that permission. So the documentation is WRONG.
GET_ACCOUNTS is used to verify whether the user has synced a Google account on the phone, and to generate the key value for each user (each Google account). This is required if the device is running a version lower than Android 4.0.4.
