bitwarden / android

Bitwarden mobile app for Android.
https://bitwarden.com
GNU General Public License v3.0

Resolve 30 day notice from Google Play Review Team, re BIND_ACCESSIBILITY_SERVICE #166

Closed kspearrin closed 6 years ago

kspearrin commented 6 years ago

Need to file an appeal or figure out why we are in violation here. It appears that Google does not want us using accessibility services for stuff that isn't actually helping people with disabilities. We use this service for autofilling.

Anyone have experience with dealing with these notices from Google?

We’re contacting you because your app, bitwarden Password Manager, with package name com.x8bit.bitwarden is requesting the ‘android.permission.BIND_ACCESSIBILITY_SERVICE.’ Apps requesting accessibility services should only be used to help users with disabilities use Android devices and apps. Your app must comply with our Permissions policy and the Prominent Disclosure requirements of our User Data policy.

Action required: If you aren’t already doing so, you must explain to users how your app is using the ‘android.permission.BIND_ACCESSIBILITY_SERVICE’ to help users with disabilities use Android devices and apps. Apps that fail to meet this requirement within 30 days may be removed from Google Play. Alternatively, you can remove any requests for accessibility services within your app. You can also choose to unpublish your app.

If you need to make changes to your apps, please follow these steps:

Read through the Permissions and User Data policies for more details, and make sure your app complies with all policies listed in the Developer Program Policies.

If you don’t need the BIND_ACCESSIBILITY_SERVICE permission in your app or the permission is being used for something other than helping users with disabilities use Android devices and apps: Remove your request for this permission from your app’s manifest. Sign in to your Play Console and upload your modified, policy-compliant APK.

Or, if you need the BIND_ACCESSIBILITY_SERVICE permission in your app to help users with disabilities use Android devices and apps: Include the following snippet in your app’s store listing description: “This app uses Accessibility services.” Provide prominent user-facing disclosure of this usage before asking the user to enable this permission within your app. Your disclosure must meet each of the following requirements: Disclosure must be provided via the android:summary and android:description elements of the AccessibilityServiceInfo class. Disclosure must describe the functionality that the Accessibility Service permission is enabling for your app. Each feature used with the Accessibility Service request must be declared in your disclosure with justification.

Alternatively, you can choose to unpublish the app. All violations are tracked. Serious or repeated violations of any nature will result in the termination of your developer account, and investigation and possible termination of related Google accounts.

If you’ve reviewed the policy and feel we may have been in error, please reach out to our policy support team. One of my colleagues will get back to you within 2 business days.

Regards,

The Google Play Review Team

kspearrin commented 6 years ago

More people are getting these. See:

https://www.reddit.com/r/Android/comments/7c4go5/is_google_play_really_going_to_suspend_all_apps/

https://groups.google.com/forum/#!topic/tasker/ZDbjtD4bAts

https://ausdroid.net/2017/11/11/google-play-developers-use-accessibility-service-properly-removed/

jerryn70 commented 6 years ago

If we are no longer able to use accessibility then we need to look at alternative methods like keyboard integration #62. Now keepass2android can switch keyboards automatically on non-rooted devices with the keyboard swap plugin.

mbirth commented 6 years ago

@jerryn70: But that one needs the user to set a specific permission using adb. (see here)

Wouldn't it be easier to provide the Accessibility stuff via a separately downloadable "plugin"? Like e.g. Lawnchair launcher or Nova add the Google Now page.

kspearrin commented 6 years ago

More news/discussion coming out:

https://www.xda-developers.com/google-threatening-removal-accessibility-services-play-store/

https://www.reddit.com/r/Android/comments/7cfldu/google_is_threatening_to_remove_apps_with/

jerryn70 commented 6 years ago

@mbirth but we cannot give that plugin through the Play Store. If we provide it through other stores/clouds, then no one will trust that. Especially for a password manager.

kspearrin commented 6 years ago

https://thenextweb.com/apps/2017/11/13/googles-about-to-brick-a-bunch-of-useful-android-apps-that-rely-on-accessibility-services/

walrus543 commented 6 years ago

I discussed this issue with other devs. Many apps will lose features or will be removed... If only bitwarden could be FLOSS, you would publish it on F-Droid. Too much power was put in their hands...

mbirth commented 6 years ago

@jerryn70 The main app (from the Play Store) could verify the integrity of the plugin file, e.g. via checksum of the plugin's apk file. Maybe there's a way to check the developer signature, too. This way you could make sure to only use the plugin when it's genuine.

samlu commented 6 years ago

Read this post https://blog.lastpass.com/2017/11/lastpass-android-accessibility-services.html/

It seems that they do the same thing as you by using Accessibility services but not getting the warning email from Google review team. FYI.

kspearrin commented 6 years ago

@samlu Well hopefully that applies to bitwarden as well (and other password apps) and not just LastPass because they have special contacts with the play store team.

pehlm commented 6 years ago

It's possible that password managers can receive a reprieve "from possible upcoming removals from the Play Store" as they write on Androidauthority. So it's important to contact Google.

kspearrin commented 6 years ago

It's possible that password managers can receive a reprieve "from possible upcoming removals from the Play Store" as they write on Androidauthority. So it's important to contact Google.

Anyone have a contact for Google? 😃

pehlm commented 6 years ago

The only one I have is https://docs.google.com/forms/d/e/1FAIpQLScem3Xhk4991YKhX3YtPUZ7_YSuFZGacdH5r5yFO8lrSMQNqA/viewform?usp=sf_link. But it's for the Oreo Autofill API though.

kspearrin commented 6 years ago

@pehlm Yes, we've already reached out with that form for Oreo, but I don't think that helps us with this issue :)

moneytoo commented 6 years ago

Or https://support.google.com/googleplay/android-developer/contact/appappeals. It creates a new ticket where you talk to a real person via email (with a 2 day response time).

kspearrin commented 6 years ago

@moneytoo Looks like that is only for apps that have been removed?

jerryn70 commented 6 years ago

https://www.androidauthority.com/lastpass-google-accessibility-services-815528/

LastPass, Keeper, Dashlane and 1Password are in the safe zone 🤔 what about us

pehlm commented 6 years ago

Yes, it seems so, as I also said. But he wants to know where to contact Google about it. Maybe all password managers are spared, but who will take the risk of being removed from the Play Store?

kspearrin commented 6 years ago

Anyone have a way that I can directly contact someone at Google Play regarding this? I've been unsuccessful at finding a way to actually contact a human being.

kspearrin commented 6 years ago

Well, not looking good guys. I tried following up through the play store console support channel to get further clarification on our use of accessibility services for autofilling as a password manager. Below is the reply that I got. Seems mostly like copy/paste from the original message but they are clearly saying we can no longer do this. I guess the only way will be to use the Android 8.0 autofill.

Hello,

Thanks for contacting the Google Play team.

During review, we found that your app bitwarden Password Manager (com.x8bit.bitwarden) violates our policy on deceptive device settings changes.

Accessibility services should only be used to help users with disabilities use Android devices and apps. If you are accessing user data via accessibility services, you may only request access to the user data necessary to implement existing features or services used to help users with disabilities use Android devices and apps.

Provided your app meets these requirements, you must clearly disclose to users your reason(s) for requesting the ‘android.permission.BIND_ACCESSIBILITY_SERVICE.’ Permission requests should make sense to users, and should be limited to the critical information necessary to implement your application.

Here’s how you can submit your app again:

Read through the Permissions and User Data policies for more details.

If you don’t need the BIND_ACCESSIBILITY_SERVICE permission in your app or the permission is being used for something other than helping users with disabilities use Android devices and apps:

Remove your request for this permission from your app’s manifest. Sign in to your Play Console and submit the modified, policy compliant APK.

Or, if you need the BIND_ACCESSIBILITY_SERVICE permission in your app to help users with disabilities use Android devices and apps:

Include the following snippet in your app’s store listing description: “This app uses Accessibility services.”

Provide prominent user-facing disclosure of this usage before asking the user to enable this permission within your app. Your disclosure must meet each of the following requirements:

Disclosure must be provided via the android:summary and android:description elements of the AccessibilityServiceInfo class.

Disclosure must describe the functionality Accessibility Service permission is enabling for your app. Each feature used with the Accessibility Service request must be declared in your disclosure with justification.

Make sure you’ve corrected all policy violations before submitting your app again. You may want to review the Developer Program Policies for additional guidance.

Regards,

Linda

The Google Play Team

Moxville commented 6 years ago

Kyle, maybe you can post a query on Hacker News or Reddit. Someone might share ideas or direct contacts. Worth a shot. https://news.ycombinator.com/

Bitwarden should also be in the safe zone like LastPass, 1Password, etc.

pehlm commented 6 years ago

It's very remarkable. I agree with Moxville that Bitwarden must be on safe ground together with LastPass, Dashlane, 1Password and Keeper. You are a little player but are in the same boat as them. Truly sarcastic by Google, if it's their official opinion. You must phone them; they have phone numbers all over the world and in the US: https://www.google.com/intl/sv/about/locations/?region=north-america&office=mountain-view. Don't give up! Otherwise, if you can't come to an agreement with them, release the accessibility autofill service as an external plugin. Likely it can be downloaded from your site. And then release the Oreo autofill when that time comes. Regards.

mbirth commented 6 years ago

Others seem to just put that "This app uses accessibility services" info into the Play Store description and that's it. See also this Reddit thread where the argument is that disabled people can make use of those apps, so they can use the accessibility services.

kspearrin commented 6 years ago

@mbirth We already had that notice in our play store description prior to contacting Google Play support (see above response). That didn't seem to satisfy their requirements.

It's pretty difficult to know what part of their policy we are even violating here since they list off several very subjective and vague things.

I'll reply to the Google Play support ticket I have open (see above) one more time with a note that I have updated our service's summary and description and see if I can get a definitive answer.

See summary/description updates here: https://github.com/bitwarden/mobile/blob/master/src/Android/Resources/values/strings.xml. Any thoughts on improvements?

moneytoo commented 6 years ago

IMHO you should say that this feature requiring the accessibility service is only for users with disabilities and only they should enable it. Now you say "especially those with disabilities" while Google allows "only people with disabilities". From my few encounters with Google, it's usually about these exact wordings. Other devs state it in apps like this: https://play.google.com/store/apps/details?id=org.de_studio.recentappswitcher.trial&hl=en. You can't control who enables this feature, but you must not encourage people to do so.

kspearrin commented 6 years ago

We submitted version 1.13.0 to Google Play today with updated disclosure strings (see here).

I contacted the Play Store team back via my open support ticket asking them if they could review version 1.13.0 and tell me if it was in compliance or not. Their reply:

Hello,

Thanks again for reaching out to the Google Play team.

At this time, my team is unable to comment on the compliance of your app's implementations. We encourage you to use the following guidelines and policies:

Google Play Developer Program Policies

Permissions and User Data

If you believe your app complies with our policies, please submit your app and we’ll review it again.

Thanks for supporting Google Play!

Seems I am having a hard time getting a yes/no answer.

I asked them again to review version 1.13.0 and tell me if it is in compliance or not.

kspearrin commented 6 years ago

So some better news this time:

Hello,

Thanks again for contacting the Google Play team.

We're evaluating responsible and innovative uses of accessibility services. While we complete this evaluation, we are pausing the 30 day notice we previously contacted you about.

We'll notify you once our evaluation is completed. If further actions are needed to bring your app into compliance with our policies, your 30 day notice period will begin when we reach back out to you.

In the meantime, we've included clarifying guidance below which may be helpful:

  • If you don't need the BIND_ACCESSIBILITY_SERVICE permission in your app:
    1. Remove your declaration of this permission from your app's manifest.
    2. Sign in to your Play Console and upload your modified, policy-compliant APK.

No further action is required after publishing the app.

  • If you need the BIND_ACCESSIBILITY_SERVICE permission in your app to exclusively help users with accessibility needs use Android devices and apps, or for another approved accessibility related purpose (e.g. Accessibility testing tools) that benefits users, you must set the android:description element to the following sentence to provide a user-facing disclosure of the Accessibility Service API:
    • "All usage of accessibility service privileges is exclusively for the purpose of providing accessibility features to users."

If your accessibility app uses accessibility privileges for both accessibility and non-accessibility purposes, you must instead fulfill the below criteria.

  • If you use the BIND_ACCESSIBILITY_SERVICE permission in your app for any purpose not relating to, or in addition to, helping users with accessibility needs use Android devices and apps, you must update the android:description element in your accessibility service definition to provide user-facing disclosure of the Accessibility Service API: before asking the user to enable this permission within your app. Your disclosure must meet the following requirements:
    • In all cases, you must have a disclosure to explain why you need to observe user actions in general using the Accessibility Service API.
    • For each accessibility capability declared, you must have an accompanying disclosure to describe the app functionality that the Accessibility Service permission is enabling for your app. (The default disclosure tells us "what", but you must disclose to the user "why").

If you believe your app uses the Accessibility API for a responsible, innovative purpose that isn't related to accessibility, please respond to this email and tell us more about how your app benefits users. This kind of feedback may be helpful to us as we complete our evaluation of accessibility services.

Regards,

The Google Play Team

Seems we fall into point 3. Any thoughts on how we could improve our disclosure descriptions with this new information?
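As an added illustration of the "point 3" disclosure requirement quoted above (this is not bitwarden's own configuration; the file names, class name, string values and the capabilities declared are assumptions), here is how an autofill-style accessibility service declares the BIND_ACCESSIBILITY_SERVICE permission, points at its service configuration, and carries a per-capability "why" in android:description so the user sees it before enabling the service:

```xml
<!-- AndroidManifest.xml (constructed example). Requiring
     BIND_ACCESSIBILITY_SERVICE means only the system can bind to the service. -->
<service
    android:name=".AutofillAccessibilityService"
    android:label="@string/accessibility_service_label"
    android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
    android:exported="true">
    <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService" />
    </intent-filter>
    <!-- Points the framework at the service configuration below. -->
    <meta-data
        android:name="android.accessibilityservice"
        android:resource="@xml/accessibility_service_config" />
</service>

<!-- res/xml/accessibility_service_config.xml (constructed example).
     android:summary is shown in the Accessibility settings list;
     android:description is shown on the enable screen, i.e. before the
     user grants the capability. Only the event types and the single
     capability the autofill feature needs are declared (least privilege). -->
<accessibility-service xmlns:android="http://schemas.android.com/apk/res/android"
    android:summary="@string/accessibility_service_summary"
    android:description="@string/accessibility_service_description"
    android:accessibilityEventTypes="typeWindowStateChanged|typeWindowContentChanged"
    android:accessibilityFeedbackType="feedbackGeneric"
    android:accessibilityFlags="flagDefault"
    android:canRetrieveWindowContent="true"
    android:notificationTimeout="100" />

<!-- res/values/strings.xml (constructed example). The description names
     each declared capability and states what the app does with it, which
     is the "why" the guidance asks for on top of the default "what". -->
<resources>
    <string name="accessibility_service_label">Example autofill service</string>
    <string name="accessibility_service_summary">Fills logins into apps and sites</string>
    <string name="accessibility_service_description">
        This service observes window changes (typeWindowStateChanged,
        typeWindowContentChanged) to detect when a login screen is shown,
        and reads window content (canRetrieveWindowContent) only to locate
        username and password fields and fill them from your vault. Screen
        content is not stored or sent anywhere. Enable this service only if
        you want this autofill feature.
    </string>
</resources>
```

The three fragments belong in the three files named in the comments; the description string is the text Google's guidance wants to be both capability-specific and shown before the user enables the service.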

gsora commented 6 years ago

Any thoughts on how we could improve our disclosure descriptions with this new information?

Just declaring that Google AutoFill API isn't working on every input text view should be enough, after all this is the main reason why bitwarden is still using Accessibility API if I understood everything right.

samlu commented 6 years ago

Looks like you guys are in the safe zone now.

http://www.androidpolice.com/2017/12/07/google-pauses-accessibility-app-ban-considers-responsible-innovative-uses-accessibility-services/

kspearrin commented 6 years ago

Closing this since it is no longer an issue.