Before I add the Flurry library into my .APK, I'd like to know how are they able to provide a free analytic service?
They see all the data I ship back from my app. but how do they monetize that? What does an app developer give up or give away by using someone else's analytics SDK?
Peter
As with many/most "freemium" solutions, they are providing the analytics at the cost of data privacy. While they do clearly state that they don't want you sending PII, they are saying that they have the right to use the information you send, in return for the right to use the analytics solution.
Per their terms of service (TOS): http://www.flurry.com/about-us/legal/tos.html
Privacy and Information Collection
As a condition of your access to the Analytics Service, you agree that Flurry has the right, for any purpose, to retain, use, and publish in an aggregate manner, subject to the terms of its Privacy Policy located here (or such other URL that Flurry may provide from time to time), information collected in your use of the Analytics Service, including without limitation, User Data. Flurry will not disclose to any third parties any User Data collected by the Analytics Service from your applications in a manner that contains or reveals any personally identifiable information or is specifically attributable to you, your applications or your customers. You will not (and will not allow any third party to) use the Analytics Service to track or collect personally identifiable information of end users, nor will you (or will you allow any third party to) associate any data gathered from your application(s) with any personally identifying information from any source as part of your use (or such third parties' use) of the Analytics Service. You agree that you have and will abide by an appropriate privacy policy and will comply with all applicable laws relating to the collection of information from end users of your applications. You must post a privacy policy and that policy must provide notice of your use of a tracking pixel, agent or any other visitor identification technology that collects anonymous data about end users of your applications.
Also, on their legal page look at the disclosure section: http://www.flurry.com/about-us/legal/privacy.html
How We Disclose or Share Information with Others
Except as described in this policy, Flurry does not rent, sell, or share personally identifiable information collected on the Sites or through the Flurry Services with other people or nonaffiliated companies unless we have your consent, or under the following circumstances:
* with third party vendors, consultants and other service providers who work for us and need access to your information to do that work;
* to comply with laws or to respond to lawful requests and legal process;
* to protect the rights and property of Flurry our agents, customers, users, and others including to enforce our agreements, policies and terms of use;
* in an emergency to protect the personal safety of Flurry, its customers, or any person;
* in connection with or during negotiation of any merger, sale of company assets, financing or acquisition of all or a portion of our business to another company.
We may also share aggregated or anonymized information in a form that does not directly identify you or your End Users with any third parties.
For some organizations giving up rights to your data is acceptable in return for the ability to do analysis. If that is something that your company is not ok with you may want to research other analytic options available. Many traditional web analytics vendors and some non-free mobile analytic vendors (such as Localytics) provide more strict data privacy policies.
Related
My app keeps getting rejected from Google Play, for more than 3 times now. Below is the message I keep getting from Google Play console.
APK HAS A PRIVACY POLICY BUT IT IS NOT ADEQUATE
Privacy Policy in Play Distributed App Your app is uploading users'
Contact list and Media information to without posting a privacy policy
in Play Distributed App.
Below is also a link to the privacy policy for the app. I don't know exactly what am missing.
Privacy Policy
I know it may be hard to find time to go through the whole privacy policy so below is a section that discuss what information is collected.
Information Collection and Use
For a better experience, while using our Service, we may require you
to provide us with certain personally identifiable information,
including but not limited to Name, email address, phone number, date
of birth, gender, device contacts list. The information that we
request will be retained by us and used as described in this privacy
policy.
For a better experience, while using our services, we collect
information about how you use our products and services. We use that
information to provide you with products and services, to help keep
WalaDigital – Blood Donation more relevant to you.
Personal Information: We collect personal information from you such
as;
First and last name Email address Phone number Date of birth Gender
Blood type and genotype Device Information. We collect information
from and about the devices you use to access WalaDigital – Blood
Donation, including:
Information about your device, operating system, language and device
uuid. Your device address book, if you’ve chosen to share it with us.
Data you provide us is transmitted off your device unto our servers
for the purposes of improving your user experience and also for how
the application works.
For instance, your profile photos or images you capture are
transmitted off the device unto our servers to best serve you via our
secure Wala Digital API Services.
This transmission process is highly secured to protect your data. All
data such as contact address list and photos are not shared with any
third party.
Although, the app does use third-party services that may collect
information used to identify you.
Link to the privacy policy of third-party service providers used by
the app.
NOTE: There is a privacy policy in the app as well during signup.
A more clear Privacy Policy that discloses the sensitive personal data you collect and how you handle that data might be required.
For example, Google Play considers contacts and media as sensitive data which are subject to sensitive permissions policies [1]:
Declare runtime sensitive permissions
Integrate consent screens before asking for contacts, media data (see Prominent Disclosure & Consent)
Comply with Personal and Sensitive User Data policy and Google Play requirements for a Privacy Policy [2]:
Disclosing the types of personal and sensitive user data your app accesses, collects, uses, and shares; and any parties with which any personal or sensitive user data is shared.
Secure data handling procedures for personal and sensitive user data.
The developer’s data retention and deletion policy.
[1] https://developer.android.com/games/develop/permissions
[2] https://support.google.com/googleplay/android-developer/answer/10144311?hl=en
I'm developing a pay for win Android app, in which users are, among others, ranked according to the amount they have spent. The payments are Android in-app purchases.
My questions are:
Is an authentication system required for my users, in order to purchase and be ranked? In other words: instead of using an authentication system, could I use the UUID of the phone, or its MAC address, or any other piece of information that would actually act as an authentication system? If yes: why isn't there any other Android app that proceed in this way (indeed, they use Facebook/Google authentication, or e-mail + password authentication, etc.)?
Is there any Java ranking library that I could use and bind it to the Android in-app purchases? In particular: does Google offer such an API?
Is it a good idea to use Google's authentication and ranking based on Google Play? The ranking criteria must also be the total spent amounts.
Authentication and authorization
Firstly, I would like to make the distinction between authentication and authorization.
Authentication is a way to determine a user apart from other users. Authentication allows a developer to identify Jane Doe as a separate entity from all other users. Authentication is often a precursor to authorization.
Authorization pertains to what actions a user can take on particular resources. Authorization deals with the what, when, how as opposed to the authentication that deals with who.
To state your questions using more definitive language you are asking for best practices relating to:
Authenticating a user inside an application that is available on the Google Play Store, and
Calculating totals related to Android's In-App purchasing, and
Authorizating a user to take a claim action on a prize entity depending on the aforementioned total aggregate
Recommendations
I would highly suggest you use Google's OAuth 2.0 service to authenticate users as opposed to building your own authentication framework or implementing any other authentication framework, especially if this application is only used within th Android ecosystem. I recommend this because:
Android users already have a Google account, and
Implementing your own authentication framework requires very niche skills which usually require a team of people, and
Google already offers an Subscription and In-App Purchasing API which can be queried to rank you users, and
You will already have implemented this API to support in app purchasing to begin with
I would highly suggest you do not use MAC address or UUID authentication because
On a rooted phone I can change my MAC address, and
It does not uniquely identify a user across multiple devices, and
Using this type of authentication would not provide any benefit to your second goal of authorizing actions based on a total aggregate
In other words by using Google's authentication mechanism you can not only uniquely identify users across multiple devices, but you can also leverage the in app payment system to build your particular authorization logic.
The In-App Purchasing API already contains the necessary information you want since you will need to implement it to support in app purchasing to begin with. You might as well use it as a basis for ranking since it is readily available, secure, and contains the information you need with well documented ways of accessing it.
Additionally, you may want to look at the promotional capabilities and one time product-specific billing features functions and related APIs. This might fit your use case and it may make your application more secure and standardized.
Using the provided authentication framework and in app purchasing capabilities standardizes your application up until you implement the claim your prize functionality. People enjoy standardization because they become familiarized with it, and it provided a level of trust, so I would definitely investigate the other aforementioned APIs to see if your prize idea can be based off a foundation provided by Android. This would standardize your app all the way through and, in my opinion, would be best practice.
Summary
I would provide some sample code but your questions are still a but high level to provide anything useful in the way of code snippets. To summarize though my recommendations are as follows
Leverage the Google OAuth 2.0 framework for authentication, and
Leverage the In-App purchasing API and related APIs as a way to calculate total and rank users, and
Investigate the promotional capabilities, or one time product-specific features already provided by Google to see if it fits your use case, and
Avoid using MAC addresses and UUIDs for authentication for the reasons I outlined above
Edit ....
After rereading your title I realized I glossed over the fact that, as I understand it, the term ranking and it's related functionality as used by Android is mostly centered around where you application sits, popularity wise, in comparison to other applications. I have not seen the term used by Android to refer to internal ranking of users against some developer-defined criteria ( total, in your case ).
I'm not saying it does not exist, just that every time I see ranking it refers to application popularity. Therefore I would refrain from using that as a query term when researching how to build this application as you will likely get a plethora of false positives.
What I think you want, to reiterate, is
Authentication
Calculating in app purchasing totals
Promotional or one time features based on that total
Those terms will suite you much better. Please feel free to start a new post when you get further in to the project if you need assistance consuming the APIs
I am about to submit an app to the Apple AppStore built in Swift that uses Crashlytics to capture crash information. As users of Crashlytics know, some information about usage, duration, crashes, etc. is captured and stored on the Crashlytics servers. My application does not ask for, store or attempt to capture any user data.
My question is about the privacy policy for my application. Since I don't capture any user data, I want to state that in my privacy policy but I'm not sure that's factual since I am using Crashlytics. Any feedback on people that have used Crashlytics in their app and have an actual privacy policy?
Thanks
--Vinny
Quick answer: yes, you need that privacy policy. There are ways to get it done fast, too.
Longer answer:
Third parties (here Crashlytics)
When dealing with a third party service like this, often a quick look into their legal documents will help (for Crashlytics in this case as described in your question).
(...) At all times during the term of this Agreement, Developer shall
maintain a privacy policy (a) that is readily accessible to users from
its website or within its online service (as applicable), (b) that
fully and accurately discloses to its users what information is
collected about its users and (c) that states that such information is
disclosed to and processed by third party providers like Crashlytics
in the manner contemplated by the Services, including, without
limitation, disclosure of the use of technology to track users’
activity and otherwise collect information from users. (...)
And
Developer shall at all times comply with all applicable laws, rules
and regulations relating to data collection, privacy and security,
including, without limitation, the Children’s Online Privacy
Protection Act (“COPPA”). Crashlytics may, at its sole discretion from
time to time during the Term of this Agreement, audit Developer Data
to verify compliance.
Crashlytics is actually being unusually vocal about this topic.
The App Store
At the time of writing (and since iOS8) Apple requires privacy policies for 5 categories:
Kids Category, HomeKit, HealthKit, Apple Pay, and Keyboard Extentions. Also they require privacy policies for user registrations (more). I can't tell if any of the above for your app is true. Apple still says in their App Store Review Guidelines that you need to be compliant with all applicable laws. This brings us to the third and most important reason.
Privacy related regulations
All of the above is just there because of global privacy regulations, these companies would most likely not care otherwise. As soon as you work with User data you are mostly under an obligation to disclose these facts. It's personal data like names, addresses or the tracking of user behaviour. It's been written at length why analytics services need privacy policies. All of it is more important as soon as you share data and use third party services for it. Mostly the disclosure or some kind of consent is the condition for it's compliant usage.
If you are interested in reading more about the matter in the context of mobile apps I'd suggest any of these documents:
ICO UK
Ireland
USA/California
Canada
Australia
Hope this helps.
(For proper disclosure: I do some work for iubenda, a tool that helps creating privacy policies for apps and websites)
Vinny, I think it's not mandatory (I've seen apps using Crashlytics wihtout a privacy policy), but it's recommended to have transparency in the communications with your users.
Crashlytics already has a privacy policy so you can just use that policy and add a statement informing that you are not collecting any sensitive information from the user, such as email or phone number.
My recently uploaded version of an existing app on Google Play wasn't published since it didn't meet certain privacy policy criteria . Now, I've updated the privacy policy on my website; however how do I re-submit the app so that the new version goes live?
With millions of emails sent by Google warning developers you are definitely not alone. Before resubmitting, update your privacy policy correctly, you do want to make sure you submit it with the necessary changes.
You say you've updated your privacy policy on your site, however Google requires the privacy policy to be there compliant in the Google Play store as well. That's likely where you need to resubmit.
To add it to the Store Listing:
Log into your Google Play Developer Console
Next, select All Applications and select the application whose privacy policy you'd like to edit.
After that, select Store Listing.
Then, scroll to the section marked Privacy Policy and enter the URL where you have the privacy policy hosted online.
Lastly, be sure to click Save or update.
More information about how to write your privacy policy for the Play Store
The best way to comply is to have a readable, understandable and easily accessible privacy policy, which at a minimum informs users about:
who you are (identity and contact details),
what precise categories of personal data the app wants to collect and process,
why the data processing is necessary (for what precise purposes),
whether data will be disclosed to third parties (not just a generic but a specific description to whom the data will be disclosed),
what rights users have, in terms of withdrawal of consent and deletion of data.
With that said, if you do decide to create your own policy, here are some tips:
Outline which dangerous/sensitive permissions you request
Outline any other user data you collect, for instance advertisement services!
Describe what purpose they serve and use them only for that purpose
Information about the site/app owner.
The kind of data being collected and how it is collected.
The purpose of the data collection (i.e. analytics, email marketing).
Any third parties that have access to the information and through which means (widgets and integrations).
The rights of users regarding their data (i.e. the ability to request to see the data, to rectify, erase, or block).
The process for notifying users and visitors regarding material changes to the privacy policy.
Effective date of the privacy policy.
(p.s I work on a tool called iubenda that helps with the generation of a privacy policy - link)
I am in the early stages of scoping an app that targets a specific vertical market. It is not consumer orientated. The organisation developing the app has existing web-based products and established infrastructure for registering user accounts and billing for those products, and the app should inter-operate with these products. To that end, I have a few questions:
1) If the app that has functionality that can only be enabled from outside the app (for example, via a separate web site) and where the developer bills the user for doing this:
Q1. Can this App be distributed using Google Play?
Q2. Since enabling the functionality takes place outside of the app, does the developer have to use Google Play's payment system to bill for it?
2) If the app which allows a user to create an item of content on a separate web site, so that they can subsequently modify it on that site and be billed for doing so (eg, a bug tracking app that charges for creating a bug record on a site):
Q3 Does this count as an in-app purchase and require use Google Play's payment system to bill for it?
Where can I find definitive statements from Google on these scenarios? I am only finding material that relates to consumer applications where the purchasing and billing scenario is fairly simple.
I cannot shed much light on the potential "thou shalst not have any payment methods beside me" aspect of your question, but as per the technical side, the following aspects come to my mind.
Q1: Technically, the app could either be free on GP and use other payment methods, or it could use the Licensing Validation service.
Q2: The only secure way of deploying Google Play Licensing is to perform all integrity checks on your own secure server. The app could request the GP LVL info and pass it to your server. You could use the GP LVL user ID (an obfuscated binary app-specific byte string) to identify the user and negotiate with your app any password details you may want to implement. Of course, in this scenario, I would expect the user to feel like he already payed so the registration on the server side should be smoothly integrated. If an "enabling"/"authentication" step is additionally required on the server side, I'm not so sure I'd use the GP LVL.
Q3: You could use GP IAB V3 consumable in-app purchases for this (or V2 subscriptions but it sounds more like a per-item payment). Again, this is only secure if you generate a per-purchase developerPayload for the buy Intent on your server and validate it when the app looks at the user's purchases. Validation again must take place on your server, or else you'll have to include your app's public key in your app, which is a major step towards your app getting cracked.
In general, if you have a user management of your own which is to be used, it is important to know that the GP info is relatively anonymous (LVL: obfuscated, IAB V3: no info in the direction of the app at all). So a reliable, use-case oriented binding between "your" accounts and the GP experience would be key here, I'd say.