Google play issue: Violation of Permissions policy - android

For months I've been trying to publish an app with READ_CALL_LOG permission to no avail.
App is a contact management app including scheduled meetings, calendar and other events.
I only need to be able to get incoming call number, but since it's not allowed, I've implemented full InCallService that launches activity to display calling window with common answer/hang up buttons and few that redirect to our main app.
I've updated "App content" section "Sensitive app permissions" with checked "Default phone handler", provided instructions for review.
The latest version of the app is deployed in the internal track, but I also have older rejected versions in the beta, alpha and production tracks.
App itself on first launch asks permissions to become a default Call App, otherwise won't even start.
And yet, no matter how much I try, I keep getting "App rejected" in Play store "Policy status" section. Going to see further details I get:
Issue: Violation of Permissions policy
After reviewing your app, we found that it doesn’t qualify to use the requested permissions for the following reason(s):
Requested permissions do not match core functionality of the app
You declared Default Phone handler (and any other core functionality usage while default handler) as the core functionality of your app. However, after review, we found that your app does not match the declared use case(s). Learn more about permitted uses and exceptions.
Please either:
• Make changes to your app so that it meets the requirements of the declared core functionality or,
• Select a use case that matches your app’s functionality
With "Eligibility issue" below:
Sensitive permission
Your app does not qualify for use of the requested permissions. Permission requests should make sense to users. You may only request permissions that are necessary to implement critical current features or services in your application. You may not use permissions that give access to user or device data for undisclosed, unimplemented, or disallowed features or purposes.
To my understanding if I declare the intent of using app as a default phone call handler and make that explicitly clear to the user I should be able to publish this app? Being able to detect call number is a core functionality for the app.
I've tried reaching out to support multiple times, but they just write that they'll contact me via email, never to be heard from again.
Any suggestions on what could be improved?

Related

Android App rejected due to Violation of Permissions policy

I am not sure how to proceed.
I have submitted an app that has a feature which allows user to 'Send Invites' via SMS (from within the app) which requires that I include the following permission:
<uses-permission android:name="android.permission.SEND_SMS" />
A day after I submitted my app I received the following rejection notice:
Publishing status: Rejected
After review, your app has been rejected and wasn't published due to a policy violation.
If you submitted an update, the previous version of your app is still available on Google Play.
Issue: Violation of Permissions policy
After reviewing your app, we found that it doesn’t qualify to use the requested permissions
for the following reason(s):
• Requested permissions do not match core functionality of the app
You declared Default SMS handler (and any other core functionality usage while
default handler) as the core functionality of your app. However, after review,
we found that your app does not match the declared use case(s). Learn more
about permitted uses and exceptions.
Please either:
• Make changes to your app so that it meets the requirements of the declared core functionality or,
• Select a use case that matches your app’s functionality
Can anyone assist me on how to move forward?! Does this mean I need to remove the feature that lets users 'Send Invites' to their friends?
Any assistance is appreciated!
Have a look at this: https://developer.android.com/guide/topics/permissions/default-handlers
Basically, to allow an app to use the SEND_SMS permission, it has to act as the default handler for SMS functionality for the whole device - it has to replace the basic SMS app, and provide all the functionality you'd expect. Some exceptions are listed here, and you can use the permissions without needing to be the default handler if one of those cases applies to you.
These permissions are a privacy and security concern, which is why their use is restricted and limited to a few specific situations, or apps where the user expects it to have that level of access (like an actual SMS app).
For most applications, the typical way of doing things like this is with an Intent - have a look around for some tutorials on this (I haven't actually done it so I can't make any recommendations!) and maybe look into the SmsManager class too (again, never used it, might be helpful or might be completely unsuitable!)
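The Intent route mentioned in the answer above, as an added example that is not part of the original thread: the message is handed to the user's own SMS app, so the manifest needs no SEND_SMS entry. The function name `composeInviteSms` and its parameters are hypothetical.

```kotlin
import android.app.Activity
import android.content.ActivityNotFoundException
import android.content.Context
import android.content.Intent
import android.net.Uri

/**
 * Opens the user's SMS app with the invite pre-filled (hypothetical helper).
 * The user reviews and sends the message, so no SMS permission is requested.
 * Returns false when the number is unusable or no SMS app handles the intent.
 */
fun composeInviteSms(context: Context, phoneNumber: String, inviteText: String): Boolean {
    // Keep only dialable characters so a crafted contact entry cannot
    // smuggle extra URI components into the smsto: address.
    val number = phoneNumber.filter { it.isDigit() || it == '+' }
    if (number.isEmpty()) return false

    // Uri.fromParts() encodes the scheme-specific part instead of
    // concatenating raw strings into "smsto:...".
    val intent = Intent(Intent.ACTION_SENDTO, Uri.fromParts("smsto", number, null))
        .putExtra("sms_body", inviteText)

    // Starting an activity from a non-Activity context needs a new task.
    if (context !is Activity) intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK)

    return try {
        context.startActivity(intent)
        true
    } catch (e: ActivityNotFoundException) {
        // Device without an SMS app (for example a Wi-Fi-only tablet).
        false
    }
}
```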

App update rejected, stating that my app Sush, com.toto.sush, does not qualify for use of READ_SMS, SEND_SMS, READ_CALL_LOG

I've developed an Android app, 'Sush'. It is a utility app which caters to 'Flip-to-vibrate' functionality. I developed the first version back in 2017.
Now I've updated my app to support the latest Android devices, and also updated the target SDK version.
Along with this, I've also added a new core functionality, 'Quick response SMS'.
With this, one can configure an SMS which can be sent to the incoming calling number upon flipping the phone face-down.
To implement this feature, my app had to seek the following permissions: READ_SMS, SEND_SMS, READ_CALL_LOG, to know the phone number of the incoming call and send a configured SMS accordingly when the app is in action.
link to sush's AndroidManifest.xml file
When I drafted my release and proceeded to publish, my app got rejected, stating that my app is not qualified to use the above permissions.
I then appealed this decision.
A person named Arthur from the Google Play team replied to my appeal with the following:
Thanks for contacting the Google Play team.
I’ve reviewed your appeal request and found that Sush, com.toto.sush,
does not qualify for use of READ_SMS, SEND_SMS, READ_CALL_LOG for the
following reasons:
Requested permissions do not match core functionality of the app. You
declared Default SMS handler, Default Phone handler (and any other
core functionality usage while default handler) as the core
functionality of your app. However, after review, we found that your
app does not match the declared use case(s). You need to ensure that
your app no longer uses READ_SMS, SEND_SMS, READ_CALL_LOG or make
changes to your app's metadata to prominently advertise your app as
Default SMS handler, Default Phone handler (and any other core
functionality usage while default handler) or Select a use case that
matches your app’s functionality; failure to do so could result in the
removal of your app and may impact your developer account.
Permission requests should make sense to users. You may only request
permissions that are necessary to implement critical current features
or services in your application. You may not use permissions that give
access to user or device data for undisclosed, unimplemented, or
disallowed features or purposes. For additional guidance, please
review the Permissions policy and this Play Console Help Center
article.
Please let me know if you have any other questions.
Regards, Arthur
The Google Play Team
Can someone please help me?
Is there a way in which I can implement this feature without using the above permissions?
I assume it is not possible.
If that is so, then why is my app not "qualified" to use these permissions?
Appreciate any help.

Google play store removed my app due to sms permission

I have an Android application whose core functionality is forwarding incoming text messages (SMS) to an e-mail inbox, so it requires the RECEIVE_SMS permission. My app was removed from the Play Store due to a Google Play policy violation. The SMS permission is mandatory in my application.
I submitted an appeal to Google Play; their response is given below.
...
I’ve reviewed your appeal request and found that your app still violates Google Play Policy. I’ve included details below about the specific issue with your app and what you can do to get your app back on Google Play.
Issue
During review, we found that your app violates the Permissions policy:
You may only request permissions that are necessary to implement critical features or services currently available in your app. You may not use permissions that give access to user or device data for undisclosed, unimplemented, or disallowed features or purposes. SMS and Call Log Permissions are subject to additional restrictions; in order to use these permissions, you must first receive approval from Google Play.
For example, we found that your app contains:
RECEIVE_SMS
...
Please tell me how I can republish the application to the Play Store with those SMS permissions.
Yes, Google removed apps which have the READ_SMS permission.
Try to implement it using the Google API.
You don't need the READ_SMS permission anymore after that.
Have a look at this Google code:
https://developers.google.com/identity/sms-retriever/overview
There are quite a few rules regarding privacy around these permissions and sometimes it's hard to understand, but maybe this will help. First of all:
Google Play restricts the use of high risk or sensitive permissions, including the SMS or Call Log permission groups.
Assuming that your app needs some of these permissions in order to work properly, Google says that it needs to be set as the default phone/sms handler. The app has to be registered as the default handler BEFORE the permission is requested and stop using them once the app is not the default handler anymore.
However, this is not the case for your app. You need access to that information, but your app cannot be set as a handler for sms/calls. In this case, an exception can be made for your app, provided that you satisfy two requirements: you have no other way to achieve the same behaviour (checks for your app) and the use case you implement can be found in the list of excepted use cases (see the Exceptions section from the link above). Here is a little bit tricky because there is no use case that clearly matches your app, but I think that you might be able to use Cross-device synchronization or transfer of SMS or calls (make sure that you check the list in detail and select the one that best fits your app).
Now, the final step is here:
If you believe your app meets the policy requirements for acceptable use or is eligible for an exception, you should declare any Call Log or SMS permissions directly through the Play Console.
Details about the process can be found here, and if you did all of these, then your request will be sent to the Google Play team; they will review it and decide if your app will be published or not.
P.S. Make sure that you clearly indicate why your app needs those permissions.

Issue: Violation of Permissions policy remove app by google

I'm trying to release an app on the Google Play Console. There is one declaration form which is required, with 19 core functionality options. But the problem is that I have to remove all previous permissions.
When app review rejects my app, it sends me an auto-generated mail.
After reviewing your app, we found that it doesn’t qualify to use the requested permissions for the following reason(s):
Based on our review, we found your app’s expressed user experience did not match your declared core functionality Default SMS handler (and any other core functionality usage while default handler). Please remove these permissions from your app.
Default handler capability was listed on your declaration form, but your app does not appear to have default handler capability. Please submit a revised declaration form.
What am I missing?
Please help me out.
Fill in the Google docs for permission.
Make sure your permission is given in the manifest and show the pop-up at user level.
Contact Google developers for details.
See this
Google has blocked some permissions like READ_CALL_LOG, WRITE_CALL_LOG and SMS-related permissions. Basically they are saying that if you are trying to send SMS or handle calls like TrueCaller, submit your application and we will take a look at it.
I think they are aiming for quality applications that are developed by viable developer companies or individuals. Also, SMS phishing and similar harmful applications are automatically erased from the Play Store.
Also, if you have a beta or alpha with the permissions, you need to remove them too. To be sure, remove the APKs with harmful permissions from the artifact library.

Permissions policy that will limit which apps are allowed to request Call Log and SMS permissions

Today I got a mail like this, according to this I’m not able to use RECEIVE_SMS READ_SMS anymore in my app. In my app I’m using auto read OTP. Is there any solution for this?
Hello Google Play Developer,
In October, we announced updates to our Permissions policy that will
limit which apps are allowed to request Call Log and SMS permissions.
This policy will impact one or more of your apps.
Only an app that has been selected as a user's default app for making
calls or text messages, or whose core functionality is approved for
one of the exception use cases, will be able to request access to Call
Log or SMS permissions.
Action required
Below, we've listed apps from your catalog which do not meet the
requirements for permission requests. Please remove any disallowed or
unused permissions from your app's manifest (specified below), migrate
to an alternative implementation (e.g. SMS Retriever API for most
cases of OTP verification), or evaluate if your app qualifies for an
exception.
Next steps
Read through the Permissions policy and the Play Console Help Center
article, which describes intended uses, exceptions, invalid uses, and
alternative implementation options for usage of Call Log or SMS
permissions.
Update your app or submit a Permissions Declaration Form.
Option 1) If your app does not require access to Call Log or SMS
permissions: Make appropriate changes to your app by removing the
specified permissions from your app's manifest or migrating to an
available alternative implementation by January 9, 2019.
Option 2) If your app is a default handler or you believe your app
qualifies for an exception: Please submit a request via the
Permissions Declaration Form. You do not need to have implemented APK
changes in order to submit a form. Declaration Forms received by
January 9, 2019 may be eligible for additional time to make changes to
bring their app(s) into compliance. If you have recently submitted a
Permissions Declaration Form, we are in the process of reviewing your
information and will respond to your application.
Make sure that your app is otherwise compliant with all other
Developer Program Policies to prevent your app from being removed.
Alternatively, you can choose to unpublish the app.
Our Developer Program Policies are designed to provide a safe and
secure experience for our users while also giving developers the tools
they need to succeed. That is why we will remove apps that violate our
policies. In cases of repeated or serious violations of our policies,
we may also terminate your developer account and any related developer
accounts.
We appreciate your willingness to partner with us as we make these
improvements to better protect users.
Affected apps
Affected apps and permissions are listed below, up to 20; if you have
additional apps, please ensure that they are also compliant with the
Permissions policy.
This one is also a solution. Without submitting the form we have another solution; for this we need to generate an app ID.
SMS Retriever API
This is really a new headache for developers.
While updating my app on the Play Store with a new version code, I couldn't find the permission declaration form to fill in.
I'm not using SMS and call log permissions any more, but I still can't update my app.
How I solved this problem; hope it helps someone:
First check if you have any alpha, beta or any other active testing tracks.
If you have, then go to the artifact library and see how many active artifacts you have.
Go through the permissions of each of them; if you find the SMS or call log permission in any of them, then that means you found the problem.
Deactivate the track if you can.
If you can't deactivate them, create an APK with those permissions and upload it to the track which previously contained an APK with those permissions in the artifact library.
Then you will see the permission declaration form. Fill in that form, choose No when it asks whether your app follows the Google Play Store permission policy, then roll out your application.
Then do the same for all the active tracks, without the permissions, and this time you can choose Yes in the declaration form and choose the option for which you used those permissions previously. I'm using them for OTP verification, so I chose that one.
After updating all these tracks you need to promote your app to production one by one, in increasing order of version code. At last there is only one active artifact track, only production, and now you can update in that track only.
Hope it helps someone.
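If your app is not using those permissions but a third-party library is using some of those permissions, use the code below to avoid those permissions. It may affect the smooth functioning of those libraries.
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools">
    <!-- tools:node="remove" drops each entry when library manifests are merged;
         the tools namespace must be declared on the manifest element -->
    <uses-permission
        android:name="android.permission.RECEIVE_SMS"
        tools:node="remove" />
    <uses-permission
        android:name="android.permission.READ_SMS"
        tools:node="remove" />
    <uses-permission
        android:name="android.permission.SEND_SMS"
        tools:node="remove" />
</manifest>
Or else you can use the alternate methods in the answers, for example:
SMS Retriever API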
It's not like what you are thinking. Go to this link
and fill out and submit the form. If your app's default function is to show the SMS inbox or just OTP account verification, then they will not remove your app.
Google is no longer allowing more apps with SMS permission due to security and privacy issues. So if you need phone number verification, then
Firebase Auth is the best option. It's almost free.
Limit: Verification code SMS messages 50 messages/IP address/minute, 500 messages/IP address/hour
https://firebase.google.com/docs/auth/android/phone-auth
According to google "You may only request permissions that are necessary to implement critical current features or services in your application. You may not use permissions that give access to user or device data for undisclosed, unimplemented, or disallowed features or purposes".
Click Here To Read Official Google Permission Doc
If your app needs to read SMS for SMS-based user verification / OTP verification, please use the SMS Retriever API, which does not need any SMS permission, and your app can still read SMS for OTP verification.
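The SMS Retriever flow recommended in several answers above, as an added example that is not code from the thread: Google Play services hands the app only the one message that carries the app's hash string, so the manifest declares no READ_SMS or RECEIVE_SMS. The class `OtpReceiver`, the function `startOtpListening`, the callbacks and the 6-digit code format are assumptions.

```kotlin
import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.content.IntentFilter
import androidx.core.content.ContextCompat
import com.google.android.gms.auth.api.phone.SmsRetriever
import com.google.android.gms.common.api.CommonStatusCodes
import com.google.android.gms.common.api.Status

// Assumption: the server sends a 6-digit one-time code.
private val OTP_PATTERN = Regex("""\b(\d{6})\b""")

/** Hypothetical receiver for the broadcast sent by Google Play services. */
class OtpReceiver(
    private val onCode: (String) -> Unit,
    private val onTimeout: () -> Unit
) : BroadcastReceiver() {
    override fun onReceive(context: Context, intent: Intent) {
        if (intent.action != SmsRetriever.SMS_RETRIEVED_ACTION) return
        val extras = intent.extras ?: return
        val status = extras.get(SmsRetriever.EXTRA_STATUS) as? Status ?: return
        when (status.statusCode) {
            CommonStatusCodes.SUCCESS -> {
                // Only the message containing this app's hash is delivered.
                val message = extras.getString(SmsRetriever.EXTRA_SMS_MESSAGE) ?: return
                OTP_PATTERN.find(message)?.groupValues?.get(1)?.let(onCode)
            }
            // The retriever stops listening after five minutes.
            CommonStatusCodes.TIMEOUT -> onTimeout()
        }
    }
}

/** Call just before asking the server to send the verification SMS. */
fun startOtpListening(context: Context, receiver: OtpReceiver) {
    // SEND_PERMISSION restricts delivery to broadcasts from Play services,
    // so another app cannot feed this receiver a forged message.
    ContextCompat.registerReceiver(
        context, receiver,
        IntentFilter(SmsRetriever.SMS_RETRIEVED_ACTION),
        SmsRetriever.SEND_PERMISSION, null,
        ContextCompat.RECEIVER_EXPORTED
    )
    SmsRetriever.getClient(context).startSmsRetriever()
        .addOnFailureListener { context.unregisterReceiver(receiver) }
}
```

The verification SMS must be no longer than 140 bytes and end with the 11-character hash string that identifies the app; unregister the receiver once a code arrives or the timeout fires.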
