Hello Google Play Developer,
Our records show that your app, XXXX, with package name com.XXXX.XXXXXXXXXX, currently violates our User Data policy regarding Personal and Sensitive Information.
Policy issue: Google Play requires developers to provide a valid privacy policy when the app requests or handles sensitive user or device information. Your app requests sensitive permissions (e.g. camera, microphone, accounts, contacts, or phone) or user data, but does not include a valid privacy policy.
Action required: Include a link to a valid privacy policy on your app's Store Listing page and within your app. You can find more information in our help center.
Alternatively, you may opt-out of this requirement by removing any requests for sensitive permissions or user data.
If you have additional apps in your catalog, please make sure they are compliant with our Prominent Disclosure requirements.
Please resolve this issue by March 15, 2017, or administrative action will be taken to limit the visibility of your app, up to and including removal from the Play Store. Thanks for helping us provide a clear and transparent experience for Google Play users.
Regards,
The Google Play Team
I have many apps on Google play and i can't update apk of all one by one.
How to fix this issue?
How to generate Privacy content for following permissions:
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.WAKE_LOCK" />
<uses-permission android:name="android.permission.VIBRATE" />
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
<uses-permission android:name="android.permission.GET_ACCOUNTS" />
<uses-permission android:name="android.permission.READ_CONTACTS" />
<uses-permission android:name="com.google.android.c2dm.permission.RECEIVE" />
Google has been sending out warnings to developers regarding permission issue and privacy policy requirements, more so in the past few months.
You can read one of my colleague's response on Stackoverflow that's similar to yours here:
privacy policy Permission (S) :
I'll try to adapt it to your situation nonetheless:
Since Google already helped you identify exactly what information they need to see in your privacy policy, you will need to tell your users what information you're collecting in a way that they will understand:
"android.permission.INTERNET"
"android.permission.ACCESS_NETWORK_STATE"
"android.permission.WAKE_LOCK"
"android.permission.VIBRATE"
"android.permission.RECEIVE_BOOT_COMPLETED"
"android.permission.GET_ACCOUNTS"
"android.permission.READ_CONTACTS"
"com.google.android.c2dm.permission.RECEIVE"
If you need to read more about these permissions and how the group works, here.
What Google is saying, essentially, is that you need to describe the above data collection, outline its purpose and disclose it using a privacy policy.
If you want to generate a privacy policy and learn more about how to add it to your app's Store Listing page, you can find more information here:
iubenda - Privacy Policy for Android
probably you could use a text editor which allows text replacement over a large number of files at once. then you could replace e.g.
<manifest>
by
<manifest>
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.WAKE_LOCK" />
<uses-permission android:name="android.permission.VIBRATE" />
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
<uses-permission android:name="android.permission.GET_ACCOUNTS" />
<uses-permission android:name="com.google.android.c2dm.permission.RECEIVE" />
Text editors which support text replacement across large numbers of files at once are e.g. Notepad++ or UltraEdit.
Related
I'm writing an Apps Script Add-on for Google Sheets. There are duplicate fields on the OAuth consent screen and the Google Workspace Marketplace SDK Store Listing screen. These are "Terms of Service" and "Privacy Policy" URLs.
Do they need to be filled out in both places? It appears that they are optional on the OAuth consent screen since they do not have an asterisk next to them. Is that true?
If they do need to be entered in both places, do they need to match? On the Store Listing, I used URLs pointing to a shared (with everyone) Google Doc. But on the OAuth screen, it appears they are requiring the documents to be on my website, since they are under the App domain section.
I've seen a working tutorial from a few years ago where a shared Google doc was used for the store listing. But has that policy changed and now do they have to be on my website?
If you are planning to make the OAuth Consent Screen for External users you should add the Terms and Conditions as well the Privacy Policy fields, otherwise it's very unlikely that it will be approved in the verification process, if it will be for Internal users you might try to keep these fields empty as in this case the OAuth Consent Screen will not be verified.
Regarding if these fields should match the fields on the Marketplace listing, it will be weird if they doesn't match. AFAIK Google doesn't review exhaustively the Marketplace listings but if users complain the might review it. They might contact you giving some recommendations, disable the Marketplace listing, etc.
If you want to use a Google Editor files for your TOS and Policy files, you might embed them in a Google Site with a custom URL.
Resources
Use a custom domain for your site
I found the following information about the "Privacy Policy" URLs:
Make sure that your app's Privacy Policy meets the following requirements:
The Privacy Policy must be visible to users, hosted within the domain of your website, and linked from the OAuth consent screen on the Google API Console.
The Privacy Policy must disclose the manner in which your application accesses, uses, stores, or shares Google user data. Your use of Google user data must be limited to the practices disclosed in your published Privacy Policy.
Based on the first requirement, I will say they need to be the same URL under the Google Workspace Marketplace SDK Store Listing and the OAuth consent screen in the project.
However, there is no such restriction for the Terms of Service inside Google Documentation.
Reference:
OAuth API verification FAQs.
Getting prepared for verification
I am in the process of implementing an OAuth2 flow for a sensitive scope in my chrome extension. In order to remove the 'unverified app' warning in the OAuth2 popup I must verify the app in the Google Cloud Console.
The verification form requires 'Authorized domains' though, and it does not accept a chrome extension URL of the form 'chrome-extension://', neither does it accept a URL of the form '.chromiumapp.org'.
Is it possible to provide another domain I own as the authorized domain, and still initiate an OAuth2 flow from the chrome extension using chrome.identity.getAuthToken({interactive: true}...?
I think you need to read though the documentation on application verification
The very first one mentions that your domain must be authorized and verified in search console. The files must also be hosted on your verified registered domain.
It clearly states that
Links to the Google Play Store or Facebook are not considered valid application homepages.
The only requirements are that
Domain is registered in Search console.
Home page listed in the auth screen is relevant to your app.
So i don't see any reason you can't put it on one of your other domains. Just make sure that it qualifies for this clear its relevance to the app you’re verifying
Relevant points in the documentation.
Verify ownership of your project’s authorized domains using the Search Console. Use an account that is either a Project Owner or a Project Editor of your Cloud Console project.
Then the section about
Make sure that your homepage meets the following requirements:
Your homepage must be publicly accessible, and not behind a sign-in page.
Your homepage must make clear its relevance to the app you’re verifying.
Your homepage must be accurate, inclusive, and easily accessible to all users.
Links to the Google Play Store or Facebook are not considered valid application homepages.
There is also the Privacy posily
Make sure that your app's Privacy Policy meets the following requirements:
The Privacy Policy must be visible to users, hosted within the domain of your website, and linked from the OAuth consent screen on the Google API Console.
The Privacy Policy must disclose the manner in which your application accesses, uses, stores, or shares Google user data. Your use of Google user data must be limited to the practices disclosed in your published Privacy Policy.
I have a video that goes though the application verification process. Google OAuth. What you need to know about verification in 2021.
In 2019 I have published an Word Add-In in the Office store. Last week-end I have updated the application, changing the UI and expanding its functionality. In the same time I have hosted it on a new domain. I have also updated the privacy policy as I am using a Google Analytics tag for obtaining data regarding the use of the application.
Considering the change in the URL I have submitted with the Office store a new manifest file for approval.
Following the certification process i have received a message mentioning that the validation has failed due to a critical validation failure related to 100.6.1 Privacy Policy
Below is the message body:
Privacy Policy links must lead to information on your policies
regarding users’ personal information (a link to the old
privacy policy from the old domain is inserted here) Please update the Privacy Policy
link in the offer listing and re-submit your offer. Please Note: The
privacy policy must be displayed on the page opened.
The office add-in is developed as an SPA based on Vue framework. The Privacy Policy link is placed in the footer of the website and is not an actual html link but a button which on a click event will display an overlay and a modal containing the privacy policy text.
In the offer listing (which in my mind refers to the Dashboard of the add-in in the Partner Center) the url for the privacy policy is the main url of the add-in as the button displaying he privacy modal appears on all pages (routes) of the application.
I am not quite sure if the problem arise from the fact that privacy policy is not an actual html link leading to a new web page or there are other issues regarding the content of the policy itself.
In the Microsoft Partner Center Dashboard, in the Properties Section of the Add-In i have an alert stating the following:
To pass certification, your privacy policy must include:
Information on your policies regarding user's personal information
Refer to the app or your service overall and NOT your website
Your service description must include the name of app submitted
A valid URL link that does not generate a 404 error
Again, I am not sure if this is an alert message customized to my particular situation or is just a general alert which wish to emphasize some general requirements regarding the privacy policy.
The commercial marketplace certification policies that you can find at this link
https://learn.microsoft.com/ro-ro/legal/marketplace/certification-policies#1006-personal-information
are not very informative in this respect.
So my questions are:
It is mandatory for passing the certification process to actually have the privacy policy as an html link that opens in a separate page or it can be a modal?
Why the e-mail mentioning the failure is referring to the old privacy policy (which was indeed an html link leading to a new web page)? Is this is an indication that I need to keep the old way of displaying this privacy policy?
Considering that this is a Single Page Application a separate route for privacy policy will pass the certification process?
Any help on this matter will be appreciated, as i am not certain of what I need to change.
It will not hurt that this validation failure message to be more specific, either.
I'm looking to use Azure API Management to provide a centralized API for some external, authenticated APIs (Twitter, etc.), utilizing application-only authentication. I want to provide specific tweets, etc. to a dashboard-like mobile app without users needing to authenticate with their own account for each service.
I haven't been able to find any documentation or examples on doing this so far. Policies look promising, but I haven't been able to prove them out yet. Or possibly creating my own API App for each external service (to handle the authentication properly) and then managing that API via API Management.
Anyone have thoughts/ideas on better ways of accomplishing this? Thanks.
Thanks to #DarrelMiller for keeping me on the correct path
The solution ended up being just needing to pass the correct bearer token as a header, accomplished with Set-Header in the inbound policy of the operation. Twitter has non-trivial instructions on how to obtain the bearer token for their service.
Example:
<inbound>
<set-header name="Authorization" exists-action="override">
<value>Bearer xxxxxxxxxxxxxxxxxxxxx</value>
</set-header>
<base />
</inbound>
I have read all the information and guidance and watched the videos on
Developers Google Drive (sorry, I do not have enough "reputation points" to include all the links that would be relevant here).
as well as Google Privacy Policies.
In the list of Google Drive auth scopes, which ones are covered by the permissions request to users for the app to "view basic account information"?
https://developers.google.com/drive/scopes
I can only find examples, rather than a complete list.
I am also trying to understand how this relates to the Privacy Policy, ie. whether this "basic account information" is "Personal Information" or "Google Account" information.
http://www.google.com/intl/en-GB/policies/privacy/key-terms/#toc-terms-personal-info
Personal information
This is information which you provide to us which personally
identifies you, such as your name, email address or billing
information, or other data which can be reasonably linked to such
information by Google.
Google Account
You may access some of our services by signing up for a Google Account
and providing us with some personal information (typically, your name,
email address and a password). This account information will be used
to authenticate you when you access Google services and protect your
account from unauthorised access by others. You can edit or terminate
your account at any time through your Google Account settings.
I have read elsewhere that the "basic account information" is not actually "viewed", ie. visible to, the app developer but is instead transmitted in encrypted form for use by the app.
(I am not an app developer - this just seems to be the only place where there are Google staff watching and answering these sorts of questions).
User's profile and email is available if you grant access for the following scopes:
profile: https://www.googleapis.com/auth/userinfo.profile
email: https://www.googleapis.com/auth/userinfo.email
Profile stands for a Google Account and contains user's ID, name, photo, URL, country, language, timezone, and birthdate.