I have received a warning from Google Play:
Reason for warning: Violation of Usage of Android Advertising ID policy and section 4.8 of the Developer Distribution Agreement
I have been checking and the app should be sending the Android Advertising ID. It has to be a library because I am not doing it.
I use Crashlytics and OneSignal and both could be the problem. But I have found in the documentation of OneSignal that the SDK gets it:
https://documentation.onesignal.com/docs/handling-personal-data#section-personal-information-sent-as-data-tags
Some data is automatically collected by the OneSignal SDK. For example, on mobile devices this typically includes the device's advertising id, purchases they have made in your app, the timezone setting of the device, and location data (if your app has location permission).
I am trying to stop the SDK from collecting the advertising identifier but I can't find how to do it. In addition, the list of collected data is not clear because Advertising identifier does not appear:
https://documentation.onesignal.com/docs/data-collected-by-the-onesignal-sdk
I would need to know how to configure the OneSignal SDK so that it no longer collects the Advertising identifier.
Thanks.
Google has started emailing apps that use Advertising Id and do not have a privacy policy to tell them they must add a privacy policy.
You can address this by adding a privacy policy to your Play Store listing and in your app. If you do not already have a privacy policy, there are tools available to create one such as http://www.docracy.com/mobileprivacy (free) or https://www.iubenda.com/en/ ($27/yr)
After speaking a little bit more with JonF, he spoke with OneSignal developers and they said that it is possible to avoid sending the Advertising ID by changing some lines in the SDK:
Most of the tracking for Android can be removed from registerUserTask in https://github.com/OneSignal/OneSignal-Android-SDK/blob/3a4d4353b1d803852e3b9986b828c9b823801ce5/OneSignalSDK/onesignal/src/main/java/com/onesignal/OneSignal.java#L1180-L1182
The problem is that it is not possible to keep the library integrated with Gradle, but at least it is a solution.
I have been thinking of implementing the change with Reflection, but I don't have much time for it now; it could be another way.
Related
I have an Android app which is using Firebase as the backend. The app is in production and, looking at the Firebase analytics report, I found that the Latest Release Version contains some unidentified version number. When I checked the engagement screen names, I found that all the screens used in this latest release version don't belong to my app.
So the question is:
How is it possible for some other unidentified app to send events to my Firebase account?
How to find which app is sending those events?
Is some malicious app posing as my app? If yes, then how to block such access.
Any thoughts?
How is it possible for some other unidentified app to send events to my Firebase account?
All Firebase products expose APIs that can be invoked by anyone with an internet connection. The SDK isn't required.
How to find which app is sending those events?
That's probably not going to be possible for you. If you suspect abusive behavior, you can report that to Firebase support.
Is some malicious app posing as my app?
It's not possible to know for sure, but it is possible that something is invoking the APIs directly, or there is some app out there that's not configured properly.
If yes, then how to block such access.
You can't block it, but as I said, you can report it to Firebase support.
According to this page, every application submitted to the Play Store must not have the capability to collect both persistent device identifier and Advertising ID. Failure to comply will result in application removal from the Play Store.
Now, I have an application that is collecting a persistent device identifier for security purposes, but I still want to use Firebase Crashlytics. When I added the SDK, I noticed that the SDK collects Advertising ID, but I can't find the code that initiates the collection.
So, my question is will the Firebase Crashlytics SDK collect Advertising ID automatically on library inclusion to the app?
If it does, is there any way to disable the collection of Advertising ID?
I received this email a few weeks ago:
Issue: Violation of Usage of Android Advertising ID policy and section 4.8 of the Developer Distribution Agreement
Google Play requires developers to provide a valid privacy policy when the app requests or handles sensitive user or device information. We’ve identified that your app collects and transmits the Android advertising identifier, which is subject to a privacy policy requirement. If your app collects the Android advertising ID, you must provide a valid privacy policy in both the designated field in the Play Console, and from within the app.
But the problem is that I have no access to the source code of the affected app because my laptop was stolen a few months ago and I did not back up the code for that app. So I have a few questions I need to ask.
Can I update the policy in the console alone without updating the app?
Can I just disable the AdMob ads completely without updating the app and will it get accepted?
If the above is not possible, then is there a way to recover my app's source code from the Google Play Console or APK files?
What else can I do to solve this problem?
Can I update the policy in the console alone without updating the app?
You can simply update the privacy policy URL from the Google Play Console.
You need to mention clearly that you don't collect any personally identifiable data and also mention other data which may be collected by 3rd party libraries.
Can I just disable the AdMob ads completely without updating the app and will it get accepted?
You can disable ads from Admob's website. But since the Ad SDK is already packed into your app, doing so will not approve your app.
If the above is not possible, then is there a way to recover my app's source code from the Google Play Console or APK files?
You cannot fully recover the source code. But if you hadn't used ProGuard to obfuscate the source code, you might be able to get some part of it by decompiling the APK. You can use a tool called JADX to decompile the APK file.
What else can I do to solve this problem?
Apart from updating the app without ads and updating the privacy policy URL, you can create another similar app from scratch with the same package name and signature. But I guess you don't have access to the Keystore; in that case updating the privacy policy is your only option.
Recently, I've been getting a security warning in my Google developer console's Pre-launch report's security tab after uploading the apk. This is the issue:
Sending Device Identifiers
Detected in APK (List of APKs)...
Your app is using device identifiers (IMEI, MAC address, Build Serial, etc.) and sending identifier data to a remote network address.
This issue is commonly (but not only) found in apps using an outdated Advertising SDK.
To stop receiving this warning, try updating or changing any SDKs or code in your app that may be using device identifiers.
Sending device identifiers is not a best practice for most use-cases and if you're using this identifier for advertising purposes, this may be a violation of Google Play policies and can affect your app’s visibility on the Play Store. To get recommendations on how your app can use identifiers, learn about unique identifier best practices.
I'm using the AppsFlyer SDK in my project to register user events, track installs and uninstalls, etc. I'm also using the latest SDKs for this. When I remove this SDK, the security issue doesn't show up in the pre-launch report.
When I contacted the AppsFlyer support team, they mentioned not to use the functions that send IMEI and Android ID data using their API calls, which I didn't include in the first place, and also not to include the READ_PHONE_STATE permission, which I removed and uploaded to the Play Store again, which resulted in the Security issue.
They also made sure that at least one device identifier, GAID, Android ID or IMEI, MUST be collected to allow for proper attribution.
In their newer SDK versions, the GAID or Google AID is collected automatically and does not require any specific action on my part.
Is this the reason for the security warning?
Any help is appreciated. Thanks in advance.
I contacted the support team of AppsFlyer and they solved my problem. The solution is basically removing the collection of IMEI, an option that seems to be enabled by default. This is done by placing:
AppsFlyerLib.getInstance().setCollectIMEI(false);
Just above the Appsflyer.startTracking call in your OnCreate of the MainActivity (or wherever in the app you've placed the startTracking call).
In my case I was using the Segment integration, so I placed this just above this line:
Analytics.setSingletonInstance(analyticsBuilder.build());
Hopefully this will help you; otherwise I'd suggest you contact the support team, they answered me really fast.
Today I received an email from the Google Play Team. How can I find which library or SDK is violating the conditions of Google Play? Here is the content of the mail:
This is a notification that your application, is currently in violation of our developer terms. REASON FOR WARNING: Violation of the Personal and Confidential Information provision of the Developer Distribution Agreement:
(Dangerous Products): Apps that collect information (such as the user's location or behavior) without the user's knowledge (spyware) … are prohibited on Google Play.
(Personal and Confidential Information): We don't allow unauthorized publishing or disclosure of people's private and confidential information, such as credit card numbers, government identification numbers, driver's and other license numbers, non-public contacts, or any other information that is not publicly accessible.
We have determined that one or more Ad SDKs or libraries used in the above app facilitates the transmission of the list of installed apps on the user’s device to a server without conspicuous disclosure to the user that this is happening. This violates the above policy provision. Please evaluate any third party libraries for compliance and/or consult your Ad SDK provider(s) for further information if necessary.
Your application will be removed if you do not bring it into compliance by removing the ads sdk or library from your app, or updating to a compliant version of the SDK(s) or library(ies) within 30 days of the issuance of this notification. If you have additional applications in your catalog, please also review them for compliance. Note that any remaining applications found to be in violation will be removed from the Google Play Store.
Please also consult the Policy and Best Practices and the Developer Distribution Agreement as you bring your applications into compliance. You can also review this Google Play Help Center article for more information on this warning.
All violations are tracked. Serious or repeated violations of any nature will result in the termination of your developer account, and investigation and possible termination of related Google accounts.
The Google Play Team
WOW!
Exactly the same mail I received from Google Play 2 days back! Word for word the same.
Great, so the issue 100% is the permission settings for the Flurry and TapStream SDKs. I just contacted Flurry/Tapstream for this, awaiting a reply from them.
By the way I checked Tap Stream here
You can clearly see they have asked for adding an intent under the application tag
<receiver android:name="com.tapstream.sdk.ReferrerReceiver" android:exported="true" >
    <intent-filter>
        <action android:name="com.android.vending.INSTALL_REFERRER" />
    </intent-filter>
</receiver>
This is used to get the list of apps installed just to record analytics to count the App installs and see how many users are still using the App.
But regarding the Location collection [Dangerous content] I still have to figure out.
One possible measure I have thought of doing is adding an EULA before letting user use the app, on the first run. It makes sure that my back is covered. Additionally, you can also add permission for FINE_LOCATION under manifest. Since it is for sure that one/both of the SDKs are using user location.
Good question!
Will update as soon as I receive any updates.
UPDATE
Finally, I received mail from Tapstream. They are saying that they have made changes according to Google's policy change on November 15 2014, and hence asked me to change the SDK version to the latest one.
Quoted here
Hi there,
Tapstream has updated its Android SDK to comply with a recent Google Play store policy change.
Due to this policy change, a minor component of Tapstream's device identification process can no longer be collected by the Android SDK. This change will not impact your tracking.
To avoid any app approval issues on the Play store, you should deploy this new SDK as soon as possible.
You can find the updated Android SDK here: tapstream.com/developer/android/sdk
The updated SDK is a drop-in replacement; no other changes are required. If you need any assistance, or would like further information, just reply to this email.
I hope that might serve as a solution apparently.
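An added example, not part of any post above: one way to narrow down which bundled library reads device identifiers or the installed-app list is to scan decompiled Java sources (for instance JADX output, mentioned in an earlier answer) for the relevant API references and group the hits by package. The signature list, function names and sample sources below are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import Path

# Platform/Play-services calls that read an identifier or the installed-app list.
# A hit is a lead to review by hand, not proof that the value leaves the device.
SIGNATURES = {
    "advertising_id": re.compile(r"AdvertisingIdClient\s*\.\s*getAdvertisingIdInfo"),
    "imei": re.compile(r"\.getDeviceId\s*\(|\.getImei\s*\("),
    "android_id": re.compile(r'Settings\.Secure\.ANDROID_ID|"android_id"'),
    "build_serial": re.compile(r"Build\.SERIAL|Build\.getSerial\s*\("),
    "mac_address": re.compile(r"\.getMacAddress\s*\("),
    "installed_apps": re.compile(r"\.getInstalled(Packages|Applications)\s*\("),
}
PACKAGE_RE = re.compile(r"^\s*package\s+([\w.]+)\s*;", re.MULTILINE)

def owner(source, depth=2):
    """Return the first `depth` segments of the file's Java package."""
    match = PACKAGE_RE.search(source)
    return ".".join(match.group(1).split(".")[:depth]) if match else "(default package)"

def scan_sources(sources):
    """Map owning package -> set of identifier kinds referenced in its files."""
    findings = defaultdict(set)
    for text in sources.values():
        for kind, pattern in SIGNATURES.items():
            if pattern.search(text):
                findings[owner(text)].add(kind)
    return dict(findings)

def scan_tree(root):
    """Scan every .java file under a decompiler output directory."""
    files = Path(root).rglob("*.java")
    return scan_sources({str(p): p.read_text(errors="replace") for p in files})

# Constructed sample sources (hypothetical packages, not from any real SDK).
SAMPLE = {
    "MainActivity.java": "package com.example.app;\n"
        "class MainActivity { void onCreate() { setTitle(\"hi\"); } }",
    "IdReader.java": "package com.adsdk.core;\nclass IdReader { String id(Context c) "
        "throws Exception { return AdvertisingIdClient.getAdvertisingIdInfo(c).getId(); } }",
    "Probe.java": "package io.tracker.agent;\nclass Probe { void run(TelephonyManager t, "
        "PackageManager p) { t.getDeviceId(); p.getInstalledPackages(0); } }",
}

if __name__ == "__main__":
    for package, kinds in sorted(scan_sources(SAMPLE).items()):
        print(package, sorted(kinds))
```

Obfuscation renames an SDK's own classes but not the platform methods it calls, so these signatures still match in obfuscated code; only the owning package name may be less readable.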