Today my app was removed from Google Play with the following explanation:
"Your app is using the Branch IO SDK, which is uploading users Installed Packages information to https://api.branch.io/v1/applist without a prominent disclosure. Prior to the collection and transmission, it must prominently highlight how the user data will be used, describe the type of data being collected and have the user provide affirmative consent for such use.
Make sure your app is compliant with the User Data policy and all other Developer Program Policies. Additional enforcement could occur if there are further policy violations."
We do not directly use the Branch IO SDK in our app.
We are thinking that maybe a 3rd party library that we have integrated uses it. We looked over the dependencies used by our 3rd party libraries and we did not find any hint to Branch IO SDK.
Since I don’t know what is being sent to branch.io, I have no idea what I should add to the Privacy Policy or how to solve this issue.
Any idea about the root cause would be appreciated. Thank you!
You can run the following command to get a list of every single dependency, and their dependencies in your app:
./gradlew app:dependencies
If your main app module is called something different than "app", then replace that part.
You can also pipe it all into a file, so it'll be easier to look/search through:
./gradlew app:dependencies > ~/dependencies.txt
That should give you an idea of what is using Branch IO.
If it doesn't help, then you can try to drag-and-drop your APK file into Android Studio, which will automatically decompile the app and show it in a nice window. In there you can see through all classes and their package names and see if any of them match Branch IO.
Related
I have seen others post about this issue but in regards to expo/react. I am getting this error when trying to upload an appbundle built with flutter. I have tried upgrading all of my dependencies with no luck
Your app <> version code 27 includes SDK com.segment.analytics.android:analytics, 4.9.4 or an SDK that one of your libraries depends on, which collects personal or sensitive data that includes but may not be limited to Advertising ID, Android ID identifiers. Persistent device identifiers may not be linked to other personal and sensitive user data or resettable device identifiers as described in the User Data policy.
The error above just went away. Updating the packages must have fixed the issue, just not after the first try, there may have been some cached versions.
I'm following this https://cloud.google.com/community/tutorials/building-android-apk-with-cloud-build-gradle-docker-image to build Android APKs via Cloud build
Already have image (with digest): gcr.io/cloud-builders/docker
Unable to find image 'gcr.io/fullstackgcp/gradle:latest' locally
/usr/bin/docker: Error response from daemon: pull access denied for gcr.io/fullstackgcp/gradle, repository does not exist or may require 'docker login'.
See '/usr/bin/docker run --help'.
Did anyone experience this as well?
This account had been suspended for billing issues (likely because people were all referring to that image, instead of hosting it themselves); I've already reported that. Meanwhile I've created another one fully working example (without making the same mistake to share the builder image): cloudbuild-android, which is just as good, if not a tad better.
Full disclosure: I've wrote that builder, because of the problem with the image.
I also had this error. Digging deeper I figured that you first need to prepare a Docker image that will build your Android app and upload that image to Google Cloud Registry. To do that I used: Cloud Builders Community:
Checkout their repository
Go to cloud-builders-community/android/
Trigger CloudBuild to build & upload a docker for you (specify the Android SDK version you need):
gcloud builds submit --config=cloudbuild.yaml --substitutions=_ANDROID_VERSION=28
At this point you should be able to use gcr.io/$PROJECT_ID/android:28 instead of gcr.io/fullstackgcp/gradle in the cloudbuild definition provided in the tutorial.
However I decided not to risk and hit the next error, so I used this one (provided by Cloud Builders Community again). They do have a step for caching the gradle build so you would also need a tar docker:
Go to cloud-builders-community/tar/ and run:
gcloud builds submit --config=cloudbuild.yaml
After all of this is done you can build your app by running the following in the app folder:
gcloud builds submit --config=cloudbuild.yaml --substitutions=_ARTIFACT_BUCKET=<your_bucket>,_CACHE_BUCKET=<your_bucket>
The trigger you have already created as part of the tutorial will also work. You just need to add the two variables above: _ARTIFACT_BUCKET and _CACHE_BUCKET
This is my first time submitting an app to the Google Play store, so I'm not very experienced with the process at all. After struggling for a bit to get it to build correctly, I was finally able to upload an app bundle and send it in for review. A few minutes later I got an email saying my app was "vulnerable to Intent Redirection" and recommended the following article for support: https://support.google.com/faqs/answer/9267555. The problem is I don't understand much of what the article is saying! As far as I know, I haven't messed with anything like this. I've only downloaded the base NDK and SDK stuff from Unity Hub, and I haven't changed any of the code in Android Studio at all. I asked Google for support, and they said:
"We’ve identified that your app is using the AliPay SDK or library, which facilitates the transmission of phone number information without meeting the prominent disclosure guidelines. If necessary, you can consult your SDK provider(s) for further information or please upgrade AliPay SDK version to 15.5.5 or higher."
Please help! Is there an easy fix to this that I'm missing somehow? I don't even know what AliPay is, as I said I'm a total beginner here. In case it's useful info to have, I'm using Unity 2019.2.13f1 on a Macbook Pro running High Sierra 10.13.6.
Well, do what the message says "upgrade AliPay SDK version to 15.5.5 or higher".
Just go to Android Studio and open your build.gradle file then update that lib version. It will be marked with a yellow line, that means that lib has an update. Focus on that line, then do Alt + Click then Enter, now sync and you've done. Upload the new apk.
I am maintaining one existing (very-huge, very-sensitive) Android Application.
The other day, I have received an email from my client that, the Application might be declaring the Permissions that are not actively being used.
For example, they wants me to remove "WRITE_EXTERNAL_STORAGE" permission.
I have removed it and compiled it and run the App. There is NO error at all.
But, just because of that, I don't think I can assume that permission is not actively being used at all.
My question is "Is there anyway I can easily and simply check the permission if it is actively being used ?"
Frankly, I don't want to go through every little detail aspect of that application just to fine out the permission is required or not.
I just don't have time.
My goal is check if the permission is actively being used. If not, remove the permission.
Hope there is an less-time consuming way for that.
Regards
In Android Studio 1.3 & Android Support Library v7:22.2.0, you have solution for it.
Steps:
Update Android Studio to V1.3
Update your Android Support Library to v7:22.2.0
Run Android Lint (Analyse -> Inspect Code), In Lint Error see for Type "Android -> Constant & Resource Type MisMatch", Which shows all methods which requires permission.
Explanation
Android has introduced new annotation #requirespermission.
All SDK methods which requires permission are annotated with #requirespermission.
When we call any sdk method which requires permission without properly checking whether we have permission or not, Android studio will through lint error.
There is a group at Berkeley that wrote a paper about Android permissions. They talk about over-permissions and developed a tool called Stowaway that would analyze your APK for unused permissions. The analysis was based on the app's API calls and their own mapping of the permissions needed for each API call (see the paper for details). The tool throws a flag if there is a permission in the manifest that is not mapped to any of the API calls found in the APK.
For a while, a web-based version of the tool was available at http://www.android-permissions.org/, but it is from the Gingerbread era and was never updated. The page now suggests using PScout.
PScout does a better job than Stowaway at generating the permission maps. However, PScout does not include an APK analyzer, so you will have to manually compare the mappings they provide with API calls made by your app. Unfortunately, if you're interested in maps for versions beyond 5.1.1, you'll have to generate them yourself using the provided PScout code and your own Framework source.
You might also check out the various APK analyzers here to see if they include the functionality you are looking for.
I tried the method suggested by Vasanth but it doesn't work for me. In fact, because my project has flavors and Code Inspection doesn't work for the project with flavors. See https://code.google.com/p/android/issues/detail?id=210073.
But Running Lint from console works. So steps are simple:
Remove permissions from your manifest.
Run Lint for flavor as described here https://stackoverflow.com/a/32708435/1170154.
Open Lint result and find section Correctness > Error MissingPermission: Missing Permissions. It will contain all calls that require permissions.
As of Android Studio 3.3, running Analyze → Inspect Code will inform you of missing permissions under Android → Lint → Correctness → Missing Permissions
I am working on an android project which requires me to build the android's apk file at run time, i am doing so because i need to add a text document. This is like a client server process.
When a user opens a particular ip address, at run time on server side the apk file is built with the text document. The text document contains the users master data which is unique to a single user. At the end, the android app is directly downloaded and installed on mobile phone.
If any one knows the way to do it, please let me know.
You need to do at least several things (I've done similar task in J2ME):
You have to have JDK on server side
ANT tool installed there
Some scripting tool to generate sources (as a last resort your own Java servlet)
So based on user response you should:
using scripting tool generate Java source
generate/collect necessary resources
generate AndroidManifest.xml
run on top of that ANT builder
get APK file and upload it to customer
The easiest way I can see would be to use some software like maven to build your project dynamically. This way, when you receive a request from a user, you start a build with maven and push the output to the request.
There are some nice projects of integration Android - Maven like this.