What are sensitive permissions in my app? - android

I have published a simple card game in the Android Play Store. I had used Crashlytics to take care of crashes. However, as many of you must have experienced, I got Google Play notifications about "Violation of Usage of Android Advertising ID policy and section 4.8 of the Developer Distribution Agreement". In that email it was written that
you may opt-out of this requirement by removing any requests for sensitive permissions or user data.
I have already removed the Firebase Analytics and Crashlytics libraries from my app. For now my app has only the android.permission.ACCESS_NETWORK_STATE permission. Is it a "sensitive" permission? What are these 'sensitive' permissions which I can avoid for future development? Just another quick question: is there a better alternative to Crashlytics which will not violate any of these policies?

ACCESS_NETWORK_STATE category level is NORMAL which might indicate that it's not a sensitive permission like CAMERA is.
https://developer.android.com/reference/android/Manifest.permission.html#ACCESS_NETWORK_STATE

Related

How to solve Split_bundle 15?

Hi Developers at Ministerio de Telecomunicaciones Ecuador,
Per last email, your app FirmaEC (ec.gob.firmadigital.firmaec_app) has been rejected from Google Play for not resolving the previously communicated policy issue (copied below for your reference). To resolve this issue and get your app changes published on Google Play, please address the issues highlighted in the earlier email and resubmit the app.
Publishing Status
App Status: Rejected
Your app has been rejected and wasn't published due to the policy issue(s) listed below. If you submitted an update, the previous version of your app is still available on Google Play.
Issue found: Permission use is not directly related to your app's core purpose.
We found that your app is not compliant with how REQUEST_INSTALL_PACKAGES permission is allowed to be used. Specifically, the use of the permission is not directly related to the core purpose of the app.
Issue details
We found an issue in the following area(s):
SPLIT_BUNDLE 15
Additionally, follow these steps to bring your app into compliance:
Please remove the use of REQUEST_INSTALL_PACKAGES permission from your app.
About the Request Install Packages Permission
The REQUEST_INSTALL_PACKAGES permission allows an application to request the installation of app packages. To use this permission, your app’s core functionality must include:
Sending or receiving app packages, AND
Enabling user-initiated installation of app packages.
Permitted functionalities include any of the following:
Web browsing or search
Communication services that support attachments
File sharing, transfer or management
Enterprise device management
Backup and restore
Device migration / phone transfer
The REQUEST_INSTALL_PACKAGES permission may not be used to perform self updates, modifications, or the bundling of other APKs in the asset file unless for device management purposes. All updates or installing of packages must abide by Google Play’s Device and Network Abuse policy and must be initiated and driven by the user.
For more help addressing this issue, read more in our Help Center.
Action required: Submit an updated app for review
Here's what to do to help get your app on Google Play:
Make sure to read the applicable policies or requirements listed below:
Request Install Packages Permission
Make appropriate changes to your app (if possible), and be sure to address the issue described above. You may also want to check your app's store listing for compliance, if applicable.
Double check that your app is compliant with all other Developer Program Policies.
If you made changes to your app bundle, store listing, or APK, please sign in to your Play Console and submit the update(s).
Contact support
If you've reviewed the policy and feel our decision may have been in error, please reach out to our policy support team. We'll get back to you within 2 business days.
try:
App is not compliant with how REQUEST_INSTALL_PACKAGES permission is allowed

Privacy Policy on Ionic App

I prepared an app to be distributed on Google Play. The app doesn't have any kind of login system and I don't store users' data. Camera and Microphone are disabled and I don't even get anything from that.
I only attached AdMobFree plugin to the app. I've noticed that I need a privacy policy the same, because my AndroidManifest.xml uses
<uses-permission android:name="android.permission.GET_ACCOUNTS" />
Play Console said that I need a mandatory Privacy Policy so I generated this one http://codegz.altervista.org/QuotesWorld_privacyPolicy.html
Is that enough?
What could I do to avoid this situation?
Thanks in advance.
EDIT:
I use SocialSharing plugin to share some app data. Is that the problem?
If you use AdMob to show banner ads throughout your app, you need to disclose so in your generated Privacy Policy. Advertising SDKs can collect certain personal information from users, including information to run behavioral advertising.
You can see the requirements from AdMob in AdSense program requirements page here:
Your Privacy Policy should let users know that:
You use AdMob for advertising purposes
These third parties (AdMob) collect some information about the users' habits and/or devices, and
The Privacy Policies of these third parties (AdMob) are available for review through a link you provide in your own Privacy Policy.
As an example, see the Privacy Policy page of FrogMind.
This is Andrea from iubenda.com. We have a partnership with altervista, your provider, and you can get a privacy policy included with your account. Here is an article in Italian from their website: https://blog.altervista.org/it/pubblica-gratis-la-cookie-policy-sul-tuo-sito/
As for Android apps, they're required to disclose how they're using device permissions. If you want to learn more about the topic, here's a full guide: https://www.iubenda.com/blog/privacy-policy-for-android-app/

New error uploading to Alpha channel: The apk has permissions that require a privacy policy set for the app: GET_ACCOUNTS

I have an Android app that is currently in testing, with only a small handful of testers who are my family members.
I have been uploading APK's to my app's Alpha channel in the Google Play Store. This has been working fine for months. However, today, when I went to upload a new release to the Alpha channel, I got the following error:
The apk has permissions that require a privacy policy set for the app,
e.g: android.permission.GET_ACCOUNTS.
I do use the GET_ACCOUNTS permission, and do not have a privacy policy yet (since my only testers are family members), but I have been using that permission for a long time, have never had a privacy policy, and have not had a problem uploading my APK until now. I was able to upload it without a privacy policy as recently as April 9th, 2017.
Questions:
1) Why did this just start happening now?
2) Do I really need a privacy policy when my app is only in Alpha? It will be a while before my app is released to the public, and I need time to get it right.
Answers:
1) Why did this just start happening now?
Your question is related to several other posts from a couple of weeks ago. That's (15th of March, 17) when Google introduced new rules regarding the requesting of sensitive permissions. GET_ACCOUNTS is one of these sensitive permissions that trigger a privacy policy requirement from Google's side:
For apps that request access to sensitive permissions or data (as defined in the user data policies): You must link to a privacy policy on your app's store listing page and within your app. Make sure your privacy policy is available on an active URL, applies to your app, and specifically covers user privacy.
If you need more information:
Google documentation
How to fix Google Play Developer policy violation (iubenda)
2) Do I really need a privacy policy when my app is only in Alpha? It
will be a while before my app is released to the public, and I need
time to get it right.
Apparently Google chose to make these limitations as early as in the beta phase, probably choosing not to distinguish between those phases to get the developer accustomed early.
In any case, I applaud your determination to get the privacy policy right (and that can only be done towards the end of its development).
So why don't you just submit an initial version stating that the finished version will be available once the data collection practices are fully clear to you?
p.s. if you're up for using a tool for the creation of privacy policies, the company I work for and linked to in the above article (iubenda), does exactly that. :)
Google is now asking for a Privacy Policy for all Android apps that are requesting sensitive permissions from users.
Get accounts is a sensitive permission. Other permissions that will trigger the requirement of a Privacy Policy are: record audio, read phone state, camera, read contacts.
The deadline for adding a Privacy Policy to your app was March 15, 2017. Here's the email that Google sent out to developers:
As we mentioned in our article on this, you can fix this by either:
Adding a Privacy Policy to your Android app.
Login to your Google Play Developer Console > Select "All Applications" > Select your app > Click "Store Listing" > Paste the URL of your Privacy Policy at the "Privacy Policy" field.
Or stop requesting sensitive permissions from users.
Policy issue: Google Play requires developers to provide a valid privacy policy when the app requests or handles sensitive user or device information. Your app requests sensitive permissions (e.g. camera, microphone, accounts, contacts, or phone) or user data, but does not include a valid privacy policy.
This was a change in Google Play policy. They also issued a notice for the same, as I got mail regarding the same, to update the privacy policy before 15th March 2017.
Here is the changed privacy policy of the Play Store:
https://play.google.com/about/privacy-security/personal-sensitive/
As far as I know, the last time I uploaded the app to Beta, on 15th April, it showed only a warning but allowed me to upload.
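To see which declared permissions fall under the requirement discussed in the threads above, the following added example (not code from any of the posts) audits a plain-text AndroidManifest.xml, such as the merged manifest that includes permissions contributed by libraries. The function name `audit_manifest`, the bucket names and the sample manifest are assumptions made for illustration; the permission list is only the one the answers name and is not exhaustive.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
TOOLS_NS = "http://schemas.android.com/tools"

# Permissions the answers above name as triggering the privacy-policy
# requirement. The page's list is not exhaustive; extend it from the policy.
POLICY_TRIGGERS = {
    "android.permission.GET_ACCOUNTS",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CAMERA",
    "android.permission.READ_CONTACTS",
}
# Allowed only when package installation is part of the app's core purpose.
CORE_PURPOSE_ONLY = {"android.permission.REQUEST_INSTALL_PACKAGES"}


def audit_manifest(manifest_xml):
    """Sort declared permissions into privacy_policy / core_purpose / other."""
    root = ET.fromstring(manifest_xml)
    report = {"privacy_policy": [], "core_purpose": [], "other": []}
    for el in root.iter():
        if el.tag not in ("uses-permission", "uses-permission-sdk-23"):
            continue
        name = el.get(f"{{{ANDROID_NS}}}name")
        # tools:node="remove" strips a permission that a library merged in,
        # so it will not be present in the built app.
        if not name or el.get(f"{{{TOOLS_NS}}}node") == "remove":
            continue
        bucket = ("privacy_policy" if name in POLICY_TRIGGERS
                  else "core_purpose" if name in CORE_PURPOSE_ONLY
                  else "other")
        if name not in report[bucket]:
            report[bucket].append(name)
    return report


# Constructed sample manifest (not taken from any app on this page).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools" package="com.example.cards">
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
  <uses-permission android:name="android.permission.GET_ACCOUNTS" />
  <uses-permission android:name="android.permission.READ_PHONE_STATE" tools:node="remove" />
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES" />
</manifest>"""
```

Calling `audit_manifest(SAMPLE)` puts GET_ACCOUNTS in the privacy-policy bucket, REQUEST_INSTALL_PACKAGES in the core-purpose bucket, and skips the READ_PHONE_STATE entry marked for removal.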

Notification from google Play Store

Today I received an email from the Google Play Team. How can I find which library or SDK is violating the conditions of Google Play? Here is the content of the mail:
This is a notification that your application, is currently in
violation of our developer terms. REASON FOR WARNING: Violation of the
Personal and Confidential Information provision of the Developer
Distribution Agreement:
(Dangerous Products): Apps that collect information (such as the
user's location or behavior) without the user's knowledge (spyware) …
are prohibited on Google Play. (Personal and Confidential
Information): We don't allow unauthorized publishing or disclosure of
people's private and confidential information, such as credit card
numbers, government identification numbers, driver's and other license
numbers, non-public contacts, or any other information that is not
publicly accessible. We have determined that one or more Ad SDKs or
libraries used in the above app facilitates the transmission of the
list of installed apps on the user’s device to a server without
conspicuous disclosure to the user that this is happening. This
violates the above policy provision. Please evaluate any third party
libraries for compliance and/or consult your Ad SDK provider(s) for
further information if necessary.
Your application will be removed if you do not bring it into
compliance by removing the ads sdk or library from your app, or
updating to a compliant version of the SDK(s) or library(ies) within
30 days of the issuance of this notification. If you have additional
applications in your catalog, please also review them for compliance.
Note that any remaining applications found to be in violation will be
removed from the Google Play Store.
Please also consult the Policy and Best Practices and the Developer
Distribution Agreement as you bring your applications into compliance.
You can also review this Google Play Help Center article for more
information on this warning.
All violations are tracked. Serious or repeated violations of any
nature will result in the termination of your developer account, and
investigation and possible termination of related Google accounts.
The Google Play Team
WOW!
exactly the same mail I received from Google play 2 days back! Word by word same.
Great, So the issue 100% is the permission settings for the Flurry and TapStream SDKs. I just contacted Flurry/Tapstream for this, awaiting a reply from them.
By the way I checked Tap Stream here
You can clearly see they have asked for adding an intent under the application tag
<receiver android:name="com.tapstream.sdk.ReferrerReceiver" android:exported="true" >
    <intent-filter>
        <action android:name="com.android.vending.INSTALL_REFERRER" />
    </intent-filter>
</receiver>
This is used to get the list of apps installed just to record analytics to count the App installs and see how many users are still using the App.
But regarding the Location collection [Dangerous content], I still have to figure that out.
One possible measure I have thought of doing is adding an EULA before letting user use the app, on the first run. It makes sure that my back is covered. Additionally, you can also add permission for FINE_LOCATION under manifest. Since it is for sure that one/both of the SDKs are using user location.
Good question!
Will update as soon as I receive any updates.
UPDATE
Finally, I received mail from Tapstream. They are saying that they have made changes according to Google's policy change on November 15 2014, and hence asked me to change the SDK version to the latest one.
Quoted here
Hi there,
Tapstream has updated its Android SDK to comply with a recent Google Play store policy change.
Due to this policy change, a minor component of Tapstream's device identification process can no longer be collected by the Android SDK. This change will not impact your tracking.
To avoid any app approval issues on the Play store, you should deploy this new SDK as soon as possible.
You can find the updated Android SDK here: tapstream.com/developer/android/sdk
The updated SDK is a drop-in replacement; no other changes are required. If you need any assistance, or would like further information, just reply to this email.
I hope that might serve as a solution apparently.

Violation of section 4.3 of the Developer Distribution Agreement

I just received from play store a notice stating that one of my apps did not comply with violation of section 4.3 :
4.3 You agree that if you use the Market to distribute Products, you will protect the privacy and legal rights of users. If the users
provide you with, or your Product accesses or uses, user names,
passwords, or other login information or personal information, you
must make the users aware that the information will be available to
your Product, and you must provide legally adequate privacy notice and
protection for those users. Further, your Product may only use that
information for the limited purposes for which the user has given you
permission to do so. If your Product stores personal or sensitive
information provided by users, it must do so securely and only for as
long as it is needed. But if the user has opted into a separate
agreement with you that allows you or your Product to store or use
personal or sensitive information directly related to your Product
(not including other products or applications) then the terms of that
separate agreement will govern your use of such information. If the
user provides your Product with Google Account information, your
Product may only use that information to access the user's Google
Account when, and for the limited purposes for which, the user has
given you permission to do so.
In the app I have these permissions:
android.permission.INTERNET
android.permission.ACCESS_NETWORK_STATE
android.permission.GET_ACCOUNTS
android.permission.READ_PHONE_STATE
android.permission.SEND_SMS
android.permission.RECEIVE_SMS
So my 2 questions are:
Which of these permissions do I have to remove to comply with the terms and agreements?
If I remove just these permissions (the lines above), will my app then comply? Or are there still other things I need to remove? (I am not an expert.)
You need to discuss this with Google.
From the way I read that message, simply removing permissions will not fix the problem. It isn't the fact that you are using permissions, it is how you are using them.
you must provide legally adequate privacy notice
Do you have a privacy policy URL set for your app in the Play Store?
Further, your Product may only use that information for the limited purposes for which the user has given you permission to do so.
How are you using your user's information? It is possible that a user reported your app for violating his/her privacy.
In any case, we will not be of much help here, as we cannot tell you what caused Google to send you that message.
At first look you should remove
android.permission.GET_ACCOUNTS
android.permission.READ_PHONE_STATE
Also tell us what third party libs you are using?
