Google requires that apps send sensitive information over https, and it also requires that you prominently disclose what you’re doing with user data.
This is ‘a good thing’. I fully support these requirements.
Unfortunately, Google keeps removing my apps from the store for breaking these rules when I 100% definitively do not.
All my Android apps offer you an option to get setup instructions sent to you by email. This is the process:
1) I offer to send you instructions. You click on the orange button ‘Yes Send me details’
2) I open up a new page where you enter your email address and click the orange button ‘Send’
You won’t be surprised that this sends your email address to my server where I use it to send you instructions.
Naturally – that data is sent over https.
Here is where it gets frustrating:
17th May: Message from Google Play:
After review, VLC Remote, com.hobbyistsoftware.android.vlcremote_us, has been removed from Google Play because it violates our personal and sensitive information policy.
…must handle the user data securely,… (for example, over HTTPS)….Your app is not currently handling user data securely.
I wrote back to explain that yes – my app is using https. They respond to say that ‘If, after making changes, you think your app is in compliance, please submit your app for another review.’
I clarify that I’m not making any changes – because none are required and resubmit.
25th May: They respond to say
Good news – I see your app, VLC Remote (com.hobbyistsoftware.android.vlcremote_us), was resubmitted earlier and has been approved.
29th May: A Very Similar Message
After review, VLC Remote, … has been removed from Google Play because it violates our personal and sensitive information policy … This app won’t be available to users until you submit a compliant update.
We go through the same dance. I explain that it isn’t violating their policy. It does send the user’s email to my server, but only when explicitly asked to – and over https.
They approve the resubmission.
Seriously – Again???
After review, VLC Remote, com.hobbyistsoftware.android.vlcremote_us (Version Code: 47963), has been removed from Google Play because it violates our personal and sensitive information policy
The focus now is on ‘Prior to the collection and transmission, it must prominently highlight how the user data will be used, describe the type of data being collected and have the user provide affirmative consent for such use.’
I’m lost for words here. Supposedly, someone has reviewed the app. And they have looked at the setup help process. They clicked on ‘yes send me details’ then entered their email address, clicked ‘Send’ and they consider that I haven’t been clear about what is going on.
Incidentally – I had the exact same process with VLC Streamer on 20th March.
And of course my app is off the store – and not making any sales.
I’ll build again, submit again and see what happens. This is getting very boring though…
Removed again – despite already being removed, and not having resubmitted yet!
After review, VLC Remote, … has been removed from Google Play because it violates our personal and sensitive information policy
I’m guessing that my ‘this is ridiculous’ email triggered a review.
Of course – I do.
I know this because on the 29th May, VLC Remote was removed for exactly that reason.
At the time, I thought it was ridiculous that Google would remove the app from the store immediately over a violation like this. They could easily have sent me an email and given me (say) 7 days to put things right.
It was more ridiculous than removing me for the same reason _after_ I have fixed the problem.
btw; In the Apple store, when you submit an app for review, there is a ‘reviewer notes’ field. You can use this to let the reviewer know anything you think is important.
I’m going to respond to the latest email with a link to this blog post. We’ll see what happens.