Google requires that apps send sensitive information over https, and it also requires that you prominently disclose what you’re doing with user data.
This is ‘a good thing’. I fully support these requirements.
Unfortunately, Google keeps removing my apps from the store for breaking these rules when I 100% definitively do not.
All my Android apps offer you an option to get setup instructions sent to you by email. This is the process:
1) I offer to send you instructions. You click on the orange button ‘Yes Send me details’
2) I open up a new page where you enter your email address and click the orange button ‘Send’
You won’t be surprised that this sends your email address to my server where I use it to send you instructions.
Naturally – that data is sent over https.
Here is where it gets frustrating:
First Removal
17th May: Message from Google Play:
After review, VLC Remote, com.hobbyistsoftware.android.vlcremote_us, has been removed from Google Play because it violates our personal and sensitive information policy.
…must handle the user data securely,… (for example, over HTTPS)….Your app is not currently handling user data securely.
I wrote back to explain that yes – my app is using https. They respond to say that ‘If, after making changes, you think your app is in compliance, please submit your app for another review.’
I clarify that I’m not making any changes – because none are required and resubmit.
25th May: They respond to say
Good news – I see your app, VLC Remote (com.hobbyistsoftware.android.vlcremote_us), was resubmitted earlier and has been approved.
Second Removal
29th May: A Very Similar Message
After review, VLC Remote, … has been removed from Google Play because it violates our personal and sensitive information policy … This app won’t be available to users until you submit a compliant update.
We go through the same dance. I explain that it isn’t violating their policy. It does send the user’s email to my server, but only when explicitly asked to – and over https.
They approve the resubmission.
Seriously – Again???
6th June:
After review, VLC Remote, com.hobbyistsoftware.android.vlcremote_us (Version Code: 47963), has been removed from Google Play because it violates our personal and sensitive information policy
The focus now is on ‘Prior to the collection and transmission, it must prominently highlight how the user data will be used, describe the type of data being collected and have the user provide affirmative consent for such use.’
I’m lost for words here. Supposedly, someone has reviewed the app. And they have looked at the setup help process. They clicked on ‘yes send me details’ then entered their email address, clicked ‘Send’ and they consider that I haven’t been clear about what is going on.
Incidentally – I had the exact same process with VLC Streamer on 20th March.
And of course my app is off the store – and not making any sales.
I’ll build again, submit again and see what happens. This is getting very boring though…
Removed again – despite already being removed, and not having resubmitted yet!
13th June:
After review, VLC Remote, … has been removed from Google Play because it violates our personal and sensitive information policy
Your app is uploading users’ email information to … without posting a privacy policy in both the designated field in the Play Developer Console and from within the Play distributed app itself. Your app must also handle user data securely, … (for example, over HTTPS).
I’m guessing that my ‘this is ridiculous’ email triggered a review.
This time, the primary objection is that the app must have ‘a privacy policy in both the designated field in the Play Developer Console and from within the Play distributed app itself’
Of course – I do.
I know this because on the 29th May, VLC Remote was removed for exactly that reason.
On the 29th of May – it was correct. I did have a privacy policy linked in the store – but it wasn’t within the app itself. This app has been up for years, and I don’t know when the requirement came in to have the privacy policy within the app.
Anyway – after the email of the 29th of May, I sent in an update which added the privacy policy into the app within the settings page. I resubmitted and was approved.
At the time, I thought it was ridiculous that Google would remove the app from the store immediately over a violation like this. They could easily have sent me an email and given me (say) 7 days to put things right.
It was more ridiculous than removing me for the same reason _after_ I have fixed the problem.
btw; In the Apple store, when you submit an app for review, there is a ‘reviewer notes’ field. You can use this to let the reviewer know anything you think is important.
For example you might let them know where the privacy policy was shown (in the settings) – or that you always upload sensitive data over https. Google has nothing like this, and clearly doesn’t keep notes on review decisions / appeals.
I’m going to respond to the latest email with a link to this blog post. We’ll see what happens.
Update 18th June
I submitted yet another appeal. This time with a Google Doc to explain what was going on.
The response looked like the old rejections – but the reviewer did helpfully highlight the version number.
It turns out this is an old build uploaded in 2016 which targets users on API level 14. There are 20 active installs.
I disabled all the old versions of the app, resubmitted, and (so far) everything is live.
(Hopefully) Final Thoughts
The Apple review process can be infuriating. Apple have some rules that seem ridiculous to me, and they’re seldom flexible about applying them. However, they communicate clearly – as real people. When there is a minor issue, they’ll ask you to fix it rather than just booting you out of the store. They also seem able to keep notes about previous discussions and if they have resolved one issue – they won’t come back to it again.
By contrast – Google make it seem like you’re dealing with a badly programmed Eliza-Bot.
There is no context in their replies – they just bang out the same template letters with no acknowledgement of any points, requests or comments you have made.
I’m wondering if they are forbidden from sending out personalised emails – and have to resort to highlighting as the only marginally personal communication method available to them.
I never got any acknowledgement that the first four removal reasons were completely without merit. But my app spent weeks out of the store because of them.
The final rejection felt like they were scraping the barrel to justify the removal – and although it was probably true (I haven’t checked) – the particular version was only used by 20 devices, and had been in place since 2016, so they could have either disabled that one version, or approved the app and asked me to do that within (say) 7 days.
This whole process was deeply frustrating – and in the end, no changes have been made to the builds which triggered the first bunch of rejections.