I've got an app which shows user's contacts inside device and allows him to make a call.
I want to show my user the last calls he has made. I was using READ_CALL_LOG permission (and was reading call log) until Google restricted access to it, then I switched to ContactsProvider to retrieve contacts and sort them by LAST_TIME_CONTACTED but now Google says this column is deprecated and effectively it will have 0 value for new versions of Android OS (see https://developer.android.com/guide/topics/providers/contacts-provider#ObsoleteData)
My app is not a default dialer (only default dialers apps are allowed to access call log) so I was wondering how I can achieve what I want in Google Policy compliant way.
I tought about storing the last contacts selected inside my own database (I know it won't be a full call log, as I will only have access to calls made from my app but that's fine for me), but don't know whether it's compliant with G Policy. I wrote an email to Google, however the person who replied said he can't help me with my question and I have to create new version of my app and ask them for review.
Does anyone know if my idea about saving contacts in my own database is compliant with G policy (please provide links from official sites). From my link (which I've provided above) I can only see that Google says
If your apps are accessing or updating these fields or APIs, use
alternative methods. For example, you can fulfill certain use cases by
using private content providers or other data stored within your app
or backend systems.
However it doesn't convince me to whether my idea is compliant
Thanks for help!
I believe you may store and use any user actions that had happened within your app.
The purpose of the policy (as stated here: https://support.google.com/googleplay/android-developer/answer/9047303?hl=en) is to prevent apps from getting access to the call-log in order to make use of it for purposes other then what users' expect, that's why the emphasis on critical core functionality of the app.
In my experience, different Google reviewers tend to review the same app very differently, and while one may reject a certain use-case based on this policy, another might approve it.
I would suggest phrasing the screen you want to create in a way that will help the reviewer understand that this data was not acquired from the call-log but some app specific actions, so for example instead of title "Call Log" which might confuse some reviewers with the risk of rejecting this update, you should title it "Recent app actions" or something like that.
Related
I have seen that Play Store Developers received a mail to inform users about the usage of their personal data and to state why and how app's make use of certain features (like writing to the external storage/SD Card). I have to admit, I am new to Android Development and helping out here.
In our existing Play Store App we plan to release a new feature to take photos and thus access the camera for this purpose.
I now wanted to ask how the following requirement has to be implemented:
"Post a privacy policy in both the designated field in the Play Developer Console and from within the Play distributed app itself."
Is it some kind of Readme file, we have to upload or (like Apple does) have to provide a website with those information for the Play Store?
(see http://www.iubenda.com/blog/privacy-policy-for-android-app/ first abstract), whereas other sources just talk about active URLs. Basically, a URL is not always available in an application (consider the case where a user got no internet connection)
How does it have to be presented in the App? Simple Toast, when accessing the Camera the first time or rather a new menu item "Privacy Policy" for the user and display the information in a website with formatted HTML, which we could also use for the PlayStore?
For the overal requirements see:
https://play.google.com/about/privacy-security/personal-sensitive/
This question does not ONLY cover the Google PlayStore but also the best practises for embedding a such IN an Android Application.
I would look at how other Google apps do this to see their (Google's) preferred way of handling this. Most Google apps have a privacy policy menu item in the navigation drawer for basic privacy information, and show a full-screen popup where you have to tap "I agree" for more sensitive topics like location history, for example. This seems like a good approach to me, but you'll have to consult with a lawyer regarding privacy laws/requirements within your home country.
For our implementation it was only concerning two aspects:
1) Camera Access
2) Storing data
I think the reason for Google to request a license Post was and still is to
Developers more aware of how they use possible resources
Users more aware of the usage of THEIR resources
Camera Access
We came up with the solution to not include the camera on our own, but instead performing "the Android way of delegating actions to other applications" and let someone else perform this for us. with the MediaStore.ACTION_IMAGE_CAPTURE. Bit unlucky it is that we had to write a FileProvider to support Androids new Sandboxing feature, as we come to step 2 "Storing Data"
Storing Data
We don't use the external storage anymore for this, instead we use the app's personal storage, as the data is tightly coupled to the rest of the application anyway. Of course, we had to ensure the app is still working if:
1. The user wants to delete specific files
2. The user deletes the app's data in settings
That's it: No Privacy Policy required anymore, as we don't use anything that would require certain permissions :-)
I am developing an app that has to access user's contacts to perform certain operation automatically for the user. But how do I prove it to the users that the app isn't doing anything its not intended to do...obviously without showing the actual code, so that he/she is fully satisfied?
The most important thing with trust is likely to be the permissions. Users are more likely to trust your app if the app doesn't require too many permissions. Particularly things like read & send sms but generally the less the better.
You should also consider adding a privacy policy to the Play Store listing. Perhaps make reference to this in the app, by way of dialog or link.
If your app has to use contacts try and minimise anything else it uses. Also, perhaps let the users select which contacts are used?
As a final solution you could try showing the user a sample of the data you're using.
Lastly your marketing could specifically tell users of your intentions and reasons.
Hope it helps
I have a few questions regarding android market(Google play). How can I list my published application by accessing from my google account? What I have done so far is using my application package name as a query string to search my application and display all information which I used android market api to do it. Is there another better way to display all my published or installed applications by accessing from my google accounts?
My second question is about detecting number of downloading and installations of my published application. I have found only google analytics so far(for free) which I need to embedded some codes to monitoring my application. Is it possible for me to access those information from android market publish page . I have found that publish page contains information that I need.
Edited: For second question, I would like to obtain statistical information without adding any new code to my application. Is it possible to provide only google account to grant the permission to get those information?
My application is published. If I am using google analytics to monitoring my application do I need to start my counting from zero?
Sorry for my English and my little knowledge about this.
Thanks in advance..
Edited: .. I have found an application, called "analytics" that is what exactly I want to do. But I still cannot figure it out how it works..
The only place you will find this kind of information is on your Developer page. That said, if I were wanting to do what you are, I would put up an app on App Engine that either parsed my Dev page on request, or on a schedule. I mention App Engine as personal preference here, you could obviously use anywhere you can host scripts on.
You can then do what you like with the data you have collected, and your app can request this from your site. Assuming you have no qualms with publicising these numbers, you wouldn't need to scare users by authenticating, and would just need a plain html request.
Edit:
In your language of choice, you would need to request your developer page (the one that lists apps and their install count) and would also need to authenticate as yourself to get it. It's for this reason I would use your own hosting if you can. I can't be more specific than this, as I don't know what language you're most likely to be using. It should be trivial to find out how to do an html request and step through the page in whatever language it is though. App Engine pages are written in Java or Python and deployed to the server, while other obvious options are PHP or Perl. On my own server I would most likely use Perl as it's ideal for ripping up html with regexps.
I'm creating an Android application for a fantasy league as part of a college project. It's a paid application, and requires each download to be associated with only one team.
I'm confused as to how best go about it. If a user goes to settings and clears the data from there, all files, settings and databases would be deleted rendering a locally stored indicator for "The app has already run before and hence user is registered" as pointless.
Another option that had come to my mind was to store the IMEI no on a remote database (with SHA1 encryption to protect the data) but the problem with this is that, if a user loses or changes his phone, his further participation would be impossible. Additionally, users understandably don't like to share IMEI numbers and it's acceptable.
The best solution in my mind was to restrict usage of the app to the Google account that was used to download the application. With this, even a change of handsets would allow further participation of the user. However, I've not been able to find a way to obtain the Android Market account (only require E-mail) which resulted in the download.
So, my question is, how do I best go about with the problem that I face? Is there a way to get the Android Market username? Or is there a worthy alternative?
The server-side option is what you want, you can get a unique id from each phone and use that as your identifier.
As Google stores your purchases of Android apps, I was wondering if they are somehow offering a webservice that can be used to check if a certain app has been purchased. To me this seems the most secure way of distinguishing free and paid users from within my app.
It would not only defeat piracy, but would also allow for managing a database of legally registered users, by a one-time check through this service.
What are your solutions to this matter?
Google provides a library for you. See here.
Note that this has been compromised in unprotected apps, so you should use something like ProGuard. The link above contains more information.
Finally, keep in mind that the Android Market is not the only app market for Android out there. Amazon has their own DRM.
At this particular moment there is one way to check.
The Android Market authenticates purchases through Google Checkout, but Google has not implemented the Checkout API to synchronize Market purchases. So calls like that check the status of an order do not work. Maybe Google doesn't want dev's to get a hold of customer emails? Either way, I do not know why it does not exist, it seems to me that if Google simply made this service available we could implement a far more superior security system that would better utilize the methods of obfuscation. As it is at the moment, a hacker can simply look for a specific class like the ILicenceService and hook it.
The only way at the current moment is to download a list of current purchases. You can do this using an authenticated http call. The drawbacks to doing this are pretty large though. First, the list it provides only extends back 31 days (so you've got to make sure you keep everything). Second, you would have to call and parse at least every ten minutes. Actually faster than that, most users want to play their games when they buy them. Third, if your service, or server goes down, that is precious information that is being requested almost instantly by your users.
I don't know how many dev's are currently utilizing this process, I considered it, but am just going to keep complaining to Google for a better method.
You could piggy back off of the LVL. I have just implemented a similar system.
Perform Check via LVL.
On success make a post to your own web server and store whatever details you need, i.e. DeviceID etc.
You could also perform checks to your own server even when the LVL check fails and allow things like trial periods etc.