22

Google Play Team has rejected my app because:

The advertising identifier must not be connected to personally-identifiable information or associated with any persistent device identifier (for example: SSAID, MAC address, IMEI, etc.) without explicit consent of the user.

For example, we have identified that your app's attribution SDK enables collection of IMEI from devices which have an Android advertising ID without prominent disclosure, which is a violation of our Android Advertising ID policy.

I'm not collecting the IMEI explicitly so the IMEI must be accessed by one of the dependencies of the app.

How could I detect which one is accessing the IMEI?

Updated: These are my dependencies

    compile "com.android.support:appcompat-v7:$support_version"
    compile "com.android.support:mediarouter-v7:$support_version"      // I'm using icons from here, like ic_media_pause and such
    compile "com.android.support:recyclerview-v7:$support_version"
    compile "com.android.support:design:$support_version"
    compile "com.android.support:support-compat:$support_version"

    compile 'com.android.support:multidex:1.0.2'

    // individual dependencies -- https://stackoverflow.com/a/43407421/1121497
    compile "com.google.android.gms:play-services-maps:$gms_version"
    compile "com.google.android.gms:play-services-analytics:$gms_version"
    compile "com.google.android.gms:play-services-gcm:$gms_version"
    compile "com.google.firebase:firebase-appindexing:$gms_version"
    compile "com.google.firebase:firebase-core:$gms_version"

    compile "com.facebook.android:facebook-android-sdk:$facebook_version"
    compile 'com.facebook.android:notifications:1.0.2'

    compile 'com.batch.android:batch-sdk:1.11.0'

    compile 'commons-codec:commons-codec:1.9'
    compile 'com.nostra13.universalimageloader:universal-image-loader:1.9.3'
    compile 'com.github.chrisbanes.photoview:library:1.2.2'
    compile 'de.greenrobot:eventbus:2.4.0'
    compile 'info.hoang8f:android-segmented:1.0.5'
    compile 'io.card:android-sdk:5.4.2'
    compile 'me.dm7.barcodescanner:zxing:1.9'
    compile 'com.google.android.exoplayer:exoplayer:r2.2.0'
    compile 'com.squareup.retrofit:retrofit:1.9.0'
    compile 'com.squareup.okhttp:okhttp:2.2.0'

    compile 'io.reactivex:rxandroid:1.1.0'
    compile 'io.reactivex:rxjava:1.1.0'
    //compile 'io.reactivex:rxjava-joins:0.22.0' // to use JoinObservable (and-then-when combinator)

    compile "org.jetbrains.kotlin:kotlin-stdlib-jdk7:$kotlin_version"

    // In libs we have:
    // - ZooZ 1.02 : From https://github.com/Zooz/Zooz-Android/releases/tag/1.02
    // - AppsFlyer : AF-Android-SDK 2.3.1.13 jar
    // - Volley
    compile fileTree(dir: '../libs', include: '*.jar')

    compile('com.crashlytics.sdk.android:crashlytics:2.7.1@aar') {
        transitive = true
    }

Note: AppsFlyer has been configured as:

        AppsFlyerLib.setCollectIMEI(false); // https://play.google.com/about/monetization-ads/ads/ad-id/
        AppsFlyerLib.setCollectMACAddress(false);
        AppsFlyerLib.setCollectAndroidID(false);
Phantômaxx
Ignasi
  • Can you please post your gradle dependencies – Farabi Abdelwahed May 10 '18 at 07:44
  • 1
    Do you have `android.permission.READ_PHONE_STATE` permission in your `manifest`? Do you need it? You cannot get `IMEI` without it (for API >4). See also [Attribution & Analytics SDKs](http://blog.safedk.com/sdk-economy/attribution-mobile-app-sdks-need-to-know/). For reference: [Best practices for unique identifiers](https://developer.android.com/training/articles/user-data-ids). Could be `crashlytics`? – Jon Goodwin May 10 '18 at 09:07
  • 1
    Yes, I have the `android.permission.READ_PHONE_STATE` permission. I'm not sure what I will break removing this permission. I'm going to check the resources you provided, thanks. Why do you suspect `crashlytics`? – Ignasi May 10 '18 at 09:15

5 Answers

20

My application was also removed by Google. I used the following method to republish it.

  1. Create a privacy policy for the application using Free Privacy Policy URL
  2. Publish the privacy policy at URL
  3. Copy the published privacy policy link and add it in Developer Play Console.
  4. Add the privacy policy link in the application also (optional)

Hope this will help you also.

Tayyab Amin
  • 2
    Perfect! Note that now the first website is hosting your privacy policy, so you don't even have to use the second link. – Dan Chaltiel Oct 01 '18 at 06:55
14

Crashlytics uses a variety of identifiers to provide their services including the Android ID, and the Android Advertising ID.

So the crashlytics lib can be an issue. This lib deals with the advertising ID. Many developers who are using the crashlytics lib and not AppsFlyerLib are getting this warning. So I think you should also be concerned about the crashlytics library.

For more clarification you can visit the crashlytics security page.

Mafujul
5

You have to add a privacy policy to your application.

First, you have to create a privacy policy URL and then add this URL in GOOGLE PUBLISHER CONSOLE for the application. You can easily create a privacy policy using this website.

Privacy Policies

If you have a server/host, try to upload the privacy policy page to your own server; otherwise you can use this website for storing it.

Note: you have to add this policy page to your application. Create a menu item named Privacy Policy and show all your policy content in a dialog. That is the easiest way.

Md.Tarikul Islam
3

You are using an AppsFlyer SDK below 4.3. This is the problem. This is the email they sent to all developers.

Hi there,

The AppsFlyer and Google Play teams are collaborating to ensure that all advertisers using the AppsFlyer SDK are compliant with the Google Play privacy policy. To avoid any disruption to your business, we strongly encourage that all advertisers take the following steps.

  • If you are running the AppsFlyer SDK version 4.3 or earlier: Please update to the latest AppsFlyer SDK as soon as possible to maintain full compliance.
  • If you have enabled IMEI collection in a newer SDK version: Disable IMEI collection via the AppsFlyer SDK by removing the following code: `AppsFlyerLib.getInstance().setImeiData("IMEI_DATA_HERE")`

If your apps are not yet compliant with the Google Play privacy policy, we recommend that you correct your data collection in a timely manner. For more information about the AppsFlyer SDK, please visit the Help Center or contact your success manager.

Thank you, The AppsFlyer Team

Matthieu
Bruno
  • Thanks for your answer @Bruno, I appreciate it. However, I would like to know if there is a procedure/application/whatever to detect who is accessing the IMEI instead of checking each dependency individually (depending on the project, that could be really hard work). Fortunately my app has been approved, so I'm just curious in case it happens to me again. – Ignasi May 11 '18 at 07:43
  • @ilopezluna Hi. I have the same problem in my app. Was it AppsFlyer that caused the rejection? How do you initialize AppsFlyer in the latest version to make sure it doesn't collect the IMEI then? Thanks! – dor506 May 14 '18 at 17:13
  • We have added the following lines: `AppsFlyerLib.setCollectIMEI(false); // https://play.google.com/about/monetization-ads/ads/ad-id/ AppsFlyerLib.setCollectMACAddress(false); AppsFlyerLib.setCollectAndroidID(false);` **Note**: we are not using the latest version. – Ignasi May 15 '18 at 07:36
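
One way to answer the "which dependency touches the IMEI" question without reviewing each SDK by hand, as an added example that is not from the thread or from any SDK vendor: parse the constant pool of every class in a `.jar`/`.aar` and report direct references to `TelephonyManager.getDeviceId`, `getImei` or `getMeid`. The function names are hypothetical, and `sample_class` only builds constructed input for trying the scanner.

```python
import io, struct, zipfile

# TelephonyManager getters that return a hardware identifier (IMEI/MEID).
TARGET_CLASS = "android/telephony/TelephonyManager"
TARGET_METHODS = {"getDeviceId", "getImei", "getMeid"}
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}  # payload bytes per tag

def imei_calls(data):
    """Return the target methods that one .class file references directly."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        return set()
    count, pool, pos, i = struct.unpack_from(">H", data, 8)[0], {}, 10, 1
    while i < count:
        tag = data[pos]
        if tag != 1 and tag not in FIXED:
            return set()  # unknown tag: stop rather than misparse
        # Utf8 (tag 1) is a u2 length plus that many bytes; the rest are fixed.
        size = FIXED[tag] if tag != 1 else 2 + struct.unpack_from(">H", data, pos + 1)[0]
        pool[i] = (tag, data[pos + 1:pos + 1 + size])
        pos += 1 + size
        i += 2 if tag in (5, 6) else 1  # long/double occupy two slots
    utf8 = lambda idx: pool[idx][1][2:].decode("utf-8", "replace")
    hits = set()
    for tag, body in pool.values():
        if tag == 10:  # Methodref: Class index, NameAndType index
            cls_idx, nat_idx = struct.unpack(">HH", body)
            owner = utf8(struct.unpack(">H", pool[cls_idx][1])[0])
            method = utf8(struct.unpack(">HH", pool[nat_idx][1])[0])
            if owner == TARGET_CLASS and method in TARGET_METHODS:
                hits.add(method)
    return hits

def scan_archive(data, label):
    """Map 'archive!entry' to referenced methods; recurses into jars in an .aar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith(".jar"):
                found.update(scan_archive(zf.read(name), f"{label}!{name}"))
            elif name.endswith(".class") and (hits := imei_calls(zf.read(name))):
                found[f"{label}!{name}"] = hits
    return found

def sample_class(owner, method):
    """Constructed class-file prefix (header + constant pool) calling owner.method."""
    u = lambda s: b"\x01" + struct.pack(">H", len(s)) + s.encode()
    pool = (u(owner) + b"\x07\x00\x01" + u(method) + u("()Ljava/lang/String;")
            + b"\x0c\x00\x03\x00\x04" + b"\x0a\x00\x02\x00\x05")
    return b"\xca\xfe\xba\xbe\x00\x00\x00\x34\x00\x07" + pool
```

Call `scan_archive(open(path, "rb").read(), path)` for each file in `libs/` and each resolved dependency artifact. It reports direct calls only, so an identifier read through reflection or native code will not show up as a method reference.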
1

In my case it was because the privacy policy URL was not set in Google Play Console. I also use Crashlytics. But when I added the Privacy Policy, it took some time to process and then it got resolved. I didn't even have to re-publish it again.

M. Gomes