I woke this morning to find an email stating that one of my apps has been removed from the Google Play Store. The reason for removal was:
Issue: Violation of Usage of Android Advertising ID policy and section 4.8 of the Developer Distribution Agreement
“Advertising identifier”? The app in question doesn’t use or display ads from any ad network. “Sensitive user or device information”? It doesn’t collect any of that, either.
It does, however, use Crashlytics for crash reporting, and Firebase Analytics to track user flows between screens, etc.
What’s going on?
How did it happen?
Adding Crashlytics to your app requires you to add the following to your app module build.gradle:
implementation 'com.google.firebase:firebase-core:16.0.8' implementation 'com.crashlytics.sdk.android:crashlytics:2.9.9'
This is because Crashlytics requires the core Firebase library. There’s no way Crashlytics uses the Advertising ID, right? Google wouldn’t drop the ball like that, would they? No, ads lives in its own Firebase module, firebase-ads. And I’m not importing that. Maybe it’s coming in as a transitive dependency of another library?
gradlew :app:dependencies to the rescue!
+--- com.google.firebase:firebase-core:16.0.8 | \--- com.google.firebase:firebase-analytics:16.4.0 | +--- com.google.android.gms:play-services-measurement:16.4.0 | | +--- com.google.android.gms:play-services-basement:16.2.0 (*) | | +--- com.google.android.gms:play-services-measurement-base:[16.4.0] -> 16.4.0 | | | \--- com.google.android.gms:play-services-basement:16.2.0 (*) | | +--- com.google.android.gms:play-services-measurement-impl:[16.4.0] -> 16.4.0 | | | +--- com.google.android.gms:play-services-ads-identifier:16.0.0 | | | | \--- com.google.android.gms:play-services-basement:16.0.1 -> 16.2.0 (*)
There we go, play-services-ads-identifier! Firebase core includes Analytics, which brings in the ads identifier library via its dependencies. And I don’t want any of them.
First, I’ve uploaded privacy policies for all my published apps.
My next steps are:
Add links to my privacy policies within my apps
Configure Proguard and/or R8 to be much more aggressive in removing unused code and libraries
Go through all Google’s policies and agreements in detail, to make sure I understand and am following everything properly.
Re-evaluate my use of Crashlytics and Firebase. Are there better services out there? Microsoft Azure maybe?
Remember, Google is Your Friend.