Our App which is being made on unity has been removed from Google Play Store and got these details in email :
Your app is using the Branch IO SDK, which is uploading users Installed
Packages information to https://api.branch.io/v1/applist without a
prominent disclosure. Prior to the collection and transmission, it
must prominently highlight how the user data will be used, describe
the type of data being collected and have the user provide affirmative
consent for such use.
We went through our project and apparently we are not using any branch.io sdk explicitly in our app. We weren't able to find any fix on any forums. How can we find the issue and fix it? Please help.
This was part of a recent change the Google made related to GDPR. You should have gotten a warning email from Google as well as Branch regarding this.
You must remove all versions of your Android App (Active/Inactive/Archived) that have the Android Branch SDK version < 2.11.1.
Once you remove these versions, Google should place your App back onto the Play Store.
Here is a guide on removing older versions of your App: https://branch.app.link/apk-removal-guide.
If you run into any issues, please write into support#branch.io. Thanks.
Related
My app is written on android native code and I got this warning on the play store console
Your app "appName" version code "xxxx" includes SDK com.segment.analytics.android:analytics or an SDK that one of your libraries depends on, which collects personal or sensitive data that includes but may not be limited to Advertising ID, Android ID identifiers. Persistent device identifiers may not be linked to other personal and sensitive user data or resettable device identifiers as described in the User Data policy.
ACTION REQUIRED: Upload a new compliant version AND deactivate the noncompliant version.
But I don't have that library on my project, the only libraries related to firebase that I have are these:
"com.google.firebase:firebase-crashlytics:17.4.0",
"com.google.firebase:firebase-analytics:18.0.2",
"com.google.firebase:firebase-perf:20.0.2",
"com.google.firebase:firebase-core:18.0.0",
"com.google.firebase:firebase-auth:20.0.1",
"com.google.firebase:firebase-messaging:21.0.1",
But I don't know how to solve this, should I update all of them and upload my app again and check if I received this warning again or not to see if it was solved? I need to solve this because I won't be able to upload more app versions in the following months.
Thank you for being so helpful, it's really appreciated.
Some people have asked me if I solved this, and the short answer is yes, I did. Unfortunately, nobody gave me a specific answer about how to solve it, and the problem is that I think I used a bazooka to kill a fly.
The process for solving this was this:
I updated all Firebase dependencies, I was using these:
com.google.firebase:firebase-crashlytics,
com.google.firebase:firebase-analytics,
com.google.firebase:firebase-perf,
com.google.firebase:firebase-core,
com.google.firebase:firebase-auth,
com.google.firebase:firebase-messaging
I update them using firebase-bom version 30.3.2
Also, I updated other google dependencies, I'm not 100% sure that this affected the solution, however, I want to document all just in case you are also using them, and you can consider it out.
com.google.android.gms:play-services-auth:20.2.0,
com.google.android.gms:play-services-auth-api-phone:18.0.1,
com.google.android.gms:play-services-analytics:18.0.1,
com.google.android.gms:play-services-base:18.1.0,
com.google.android.gms:play-services-location:20.0.0,
com.google.android.gms:play-services-maps:18.0.1
After using these versions, I uploaded the new build and did not see the problem again in the Google console for this version and later
Sorry for not being specific in the needed dependency to be updated, I didn't have a chance to test the combinations to discover them.
I have 500k active users. My application has been probably hacked. How do I know that? My production versions are 3.x.y But I can see in Firebase statistics that 1% (about a few thousand) users use version 4.0.0. I have never released app with that version. Probably somebody just changed app version and I assume ad ids. He didn't even remove Firebase analytics so I can see that the hacked app is live. I use standard ProGuard obfuscation but as we can see it didn't help.
The question is how to find the place (site, market,..) from where hacked application is downloaded?
If you are fine to update your app, then I would first change my app to read getInstallerpackageName from PackageManager, and then record it via Firebase analytics.
If the result of this is com.android.vending it was installed from Google Play, otherwise it will be the program that installed your app. If this is another app store then great, you have found it.
If the result is something like a web browser then it is harder as the user got the app from a website. Then your best option is Google searching. The normally easiest way is include your app name and the word "APK". This tends to find most sites serving your app. You could even search for your app name, "APK" and "4.0.0" as many website list the version code on the page.
Please, explain me, what is it?
I have received a message from GP, with this text:
Hello Google Play Developer,
We detected that your app(s) listed at the end of this email are
potentially leaking credentials used to make network requests (HTTP
and FTP).
Please check for cases where you use url-encoded basic access
authentication, for example a URL such as
https://username:password#www.example.com/. We recommend that you
immediately change the credentials and redesign your app to avoid
including them.
Next steps
Sign in to your Developer Console and submit the updated version of your app.
Check back after five hours - we’ll show a warning message if the app hasn’t been updated correctly.
Exposed developer credentials can allow an attacker to compromise your
systems which puts user data at risk. For other technical questions
about the vulnerability, you can post to Stack Overflow and use the
tag “android-security.”
We’re here to help
If you feel we have sent this warning in error, you can contact our
developer support team.
Regards,
The Google Play Team
I don't understand what a problem with my app, please help me. What should I change in my app?
I was including Appodeal library in my free and premium app. I got this warning recently, I removed Appodeal and no longer have the warning in Google Play. Even though I wasn't using ads in Premium, I was including the Appodeal library in the binary as they are different flavors of the same Android Studio project. Looks like their problem. I had removed Appodeal from my free app a couple days ago for a different reason (https://medium.com/#greenrobotllc/response-to-1-star-review-problem-ads-auto-opening-app-store-on-lolcats-android-f1c7b7991caa#.milc5rcvs). A day or so after the free update to Google, I got this exact email about the premium version which I hadn't updated.
So check your 3rd party libraries.
Andy, Pablo and others wonderful people, who have visited this topic.
The problem was solved recently.
All you need to do - just update Appodeal SDK to the last one (ver. 1.14.15).
You can find it in our docs
Also you can download Android SDK here (Native Android).
Regards,
Andrew
Appodeal Support Team.
I can confirm that If you are using the Appodeal SDK you will get this alert as developer. I have contacted Appodeal support and this is their answer:
Ivan Prokopenko: Hi Pablo! we found the problem. It was problem with network, we contacted with support of network. We'll update SDK in next future, it will solve the problem. but don't worry, it's not critical
mytarget SDK has the same problem like Appodeal SDK. We have contacted mytarget support too and this is their answer:
Hello Yan, Thank you for reaching out.
No credentials and any personal data was involved, so no problem with
leaking any data with our SDK. But to prevent the Google Play to
display the warning yesterday we updated our SDK - latest version is
4.5.1. Here is the change log - "Changed format of internal constant, because of which Google Play could display warning».
So for your next update you can update our SDK. You can download
latest version there -
https://bintray.com/mytarget/maven/mytarget-sdk/view#files/com/my/target/mytarget-sdk
Please let me know if you have any questions.
So check your 3rd party libraries.
My app is now in the alpha status and I would like to distribute it to a few people (QA, alpha testers...) without making the app public. I know, that google play offers a private channel to distribute apps in alpha/beta state to some people, but according to the website it takes a few hours until the application is available. However, I would like to have it available for users as soon as a new build is ready and uploaded. I thought about setting up a private android repository (e.q f-droid), but unfortunately I could not find anything in the documentation about securing the android repository - I want it to be protected somehow (key, password...).
Another possibility would be to set up a web-server and host the different build versions on that server. Then the testers have to navigate to that site and download the appropriate build version. However, from the usability point of view it isn't that nice - user have to download the version manually and install it afterwards. Also for the QA guys it would be nicer, if it is easier to switch between different android builds.
How would you solve this problem? Is there already any software out there, that is suitable for that task?
Any help is really appreciated.
I know Google says it can take a few hours, in my experience, it happens very quickly, a few minutes at most. I don't know if there are times when it takes longer.
I thought about setting up a private android repository (e.q f-droid), but unfortunately I could not find anything in the documentation about securing the android repository - I want it to be protected somehow (key, password...).
While perhaps not in the docs, F-Droid does support HTTP Authentication on its repositories. For example, if using Apache you can add a relevant .htpasswd and .htaccess file in the webroot. This will result in the webserver sending back a 401 and asking the client to authenticate. F-Droid responds by prompting with a username/password dialog.
I would suggest using Crashlytics. Crashlytics is now integrated in Fabric.
Crashlytics allows you to distrubute beta versions of your app. Testers only have to install the install the Crashlytics app, and enable installing apps from different sources. You specify which users can test the app by emailadress.
The app allows testers to switch between any version of your app, and install any possible other apps they are invited for.
You can also integrate Crashlytics in your app. If you do you get notified of errors that occured complete with stacktraces, and additional information about the device. This makes bugfixing easier.
If I set in the Manifest.xml and try to install the .apk with ecclipse, the install fails with a missing library error showing logcat. Thats ok for me as developer.
But how will be the behaviour in Google Play?
Simply writing a failure to logcat is not useful for normal users. Useful would be if an appropriate error dialog would appear, informing the user about the error, why and how to fix it (In this case, ideally a link to the missing app in Google Play, so the user can install the missing app easily)
Does anyone know, how exactly the error is handled, if a user try to install the .apk via android market (or other market places)?
Is there a way to costumise that handling?
But how will be the behaviour in Google Play?
The app will not show up in the Google Play Store, if the device does not have the firmware library you require. Hence, the user will not have an opportunity to install it.
This is covered in the Filters on Google Play section of the docs.
Based on the uses-library documentation you can use reflection to determine if a particular class is available. I haven't done this myself but here is a blog spot in which reflection is used to determine if the device support's live wallpapers Using Reflection to test if an Android device is using 'Live Wallpapers'.
It must not be very hard to adapt it for other libraries.
Also, from API 7 there is a android:required value for tag that allows the application to be installed from Google Play even if the library is not present in the user's device.
Hope this helps...