Crashlytics or Analytics and No Privacy Policy = App Removed

What happened?

I woke this morning to find an email stating that one of my apps has been removed from the Google Play Store. The reason for removal was:

Issue: Violation of Usage of Android Advertising ID policy and section 4.8 of the Developer Distribution Agreement

Google Play requires developers to provide a valid privacy policy when the app requests or handles sensitive user or device information. We’ve identified that your app collects and transmits the Android advertising identifier, which is subject to a privacy policy requirement. If your app collects the Android advertising ID, you must provide a valid privacy policy in both the designated field in the Play Console, and from within the app.

“Advertising identifier”? The app in question doesn’t use or display ads from any ad network. “Sensitive user or device information”? It doesn’t collect any of that, either.

It does, however, use Crashlytics for crash reporting, and Firebase Analytics to track user flows between screens, etc.

What’s going on?

How did it happen?

Adding Crashlytics to your app requires you to add the following to your app module build.gradle:

implementation 'com.google.firebase:firebase-core:16.0.8'
implementation 'com.crashlytics.sdk.android:crashlytics:2.9.9'

This is because Crashlytics requires the core Firebase library. There’s no way Crashlytics uses the Advertising ID, right? Google wouldn’t drop the ball like that, would they? No, ads lives in its own Firebase module, firebase-ads. And I’m not importing that. Maybe it’s coming in as a transitive dependency of another library? gradlew :app:dependencies to the rescue!

+--- com.google.firebase:firebase-core:16.0.8
|    \--- com.google.firebase:firebase-analytics:16.4.0
|         +--- com.google.android.gms:play-services-measurement:16.4.0
|         |    +--- com.google.android.gms:play-services-basement:16.2.0 (*)
|         |    +--- com.google.android.gms:play-services-measurement-base:[16.4.0] -> 16.4.0
|         |    |    \--- com.google.android.gms:play-services-basement:16.2.0 (*)
|         |    +--- com.google.android.gms:play-services-measurement-impl:[16.4.0] -> 16.4.0
|         |    |    +--- com.google.android.gms:play-services-ads-identifier:16.0.0
|         |    |    |    \--- com.google.android.gms:play-services-basement:16.0.1 -> 16.2.0 (*)

There we go, play-services-ads-identifier! Firebase core includes Analytics, which brings in the ads identifier library via its dependencies. And I don’t want any of them.
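The same hunt can be automated so it runs on every build. The following is an added example, not code from the original post: it parses the text printed by gradlew :app:dependencies and returns every chain that ends at a given module. The function names and the sample Crashlytics leaf line are assumptions made for the illustration.

```python
import re

# Constructed sample: the tree excerpt shown in this post, plus one
# constructed leaf line for Crashlytics to act as an unrelated branch.
SAMPLE_TREE = r"""
+--- com.google.firebase:firebase-core:16.0.8
|    \--- com.google.firebase:firebase-analytics:16.4.0
|         +--- com.google.android.gms:play-services-measurement:16.4.0
|         |    +--- com.google.android.gms:play-services-basement:16.2.0 (*)
|         |    +--- com.google.android.gms:play-services-measurement-base:[16.4.0] -> 16.4.0
|         |    |    \--- com.google.android.gms:play-services-basement:16.2.0 (*)
|         |    +--- com.google.android.gms:play-services-measurement-impl:[16.4.0] -> 16.4.0
|         |    |    +--- com.google.android.gms:play-services-ads-identifier:16.0.0
|         |    |    |    \--- com.google.android.gms:play-services-basement:16.0.1 -> 16.2.0 (*)
+--- com.crashlytics.sdk.android:crashlytics:2.9.9
"""

# Each tree level is a 5-character column ("|    " or "     ") followed
# by "+--- " or "\--- " and the group:name:version coordinate.
LINE = re.compile(r"^([| ]*)[+\\]--- (\S+)")

def paths_to(tree_text, module):
    """Return every dependency chain (root first) that ends at `module`."""
    stack, hits = [], []
    for line in tree_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # headers, blank lines, configuration names
        depth = len(m.group(1)) // 5
        coord = m.group(2)
        del stack[depth:]          # drop siblings and deeper levels
        stack.append(coord)
        parts = coord.split(":")
        if len(parts) >= 2 and parts[1] == module:
            hits.append(list(stack))
    return hits

def direct_culprits(tree_text, module):
    """Top-level declarations in build.gradle that drag `module` in."""
    return sorted({path[0] for path in paths_to(tree_text, module)})

if __name__ == "__main__":
    for path in paths_to(SAMPLE_TREE, "play-services-ads-identifier"):
        print(" -> ".join(path))
```

Save the real gradlew :app:dependencies output to a file and pass its contents to paths_to; a non-empty result for a module you did not expect is a reason to fail the build or to check your privacy-policy obligations.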

What next?

First, I’ve uploaded privacy policies for all my published apps.

My next steps are:

  • Add links to my privacy policies within my apps

  • Configure ProGuard and/or R8 to be much more aggressive in removing unused code and libraries

  • Go through all Google’s policies and agreements in detail, to make sure I understand and am following everything properly.

  • Re-evaluate my use of Crashlytics and Firebase. Are there better services out there? Microsoft Azure maybe?

Remember, Google is Your Friend.
