braintree / braintree-android-drop-in

Braintree Drop-In SDK for Android
https://developers.braintreepayments.com/guides/drop-in/android/v2
MIT License

Google is warning removal from Play Store because of Violation of User Data, Permissions and APIs that Access Sensitive Information policies #460

Closed EdoardoFoust closed 8 months ago

EdoardoFoust commented 8 months ago

Braintree SDK Version

5.4.2

Environment

Production

Android Version & Device

Google Play Review

Braintree dependencies

com.braintreepayments.api:drop-in:5.4.2

Describe the bug

Hello.

We are using this repository updated to version 5.4.2.

Google is warning us that we need to update this dependency:

Unless the update is applied the app will be removed from the Play store on the 28th of February.

Looking at the latest release, it seems that it still doesn't have the version 3.21.0 of com.paypal.android.sdk:data-collector because it applies the version 4.40.1 of the braintree_android module dependency, and not the 4.41.0 version, which resolves the issue.

Is an update scheduled?

To reproduce

N/A

Expected behavior

Information on a new version which would bump Braintree sdk version to: 4.41.0

Screenshots

[Screenshot: Warning]

sarahkoop commented 8 months ago

Hi @EdoardoFoust - version 5.4.2 of this library should resolve this issue. Have you confirmed that all apps on all tracks have been updated to the compliant version?

We also always recommend updating to the latest version of the SDK, which is currently 6.14.0

EdoardoFoust commented 8 months ago

Thank you for your kind reply. The app has been updated to 5.4.2 version from 5.4.0 of this library, but the issue is persistent. The app in production has been updated to this version, in fact, Google is telling us that the problem is specific to this app, in particular Version code 156 (see screenshot).

The problem regarding the update of the SDK to 6.14.0 is that we don't have much time to perform it, but this will be done in the near future.

Is there any way to have Google accept the 5.4.2 version of this library?

Thank you again.

sarahkoop commented 8 months ago

We've confirmed with Google that there were no changes to the Play Store rules made recently that would block a previously compliant SDK version, but the enforcement team did move forward with apps that have not fixed the underlying issue in 1 or more of their tracks in the last day or so.

If you have confirmed that you are using a compliant version (5.4.2+, or 6.10.0+), please double-check all tracks (even private and unpublished tracks) and then to submit an appeal to Play directly.

See these steps for additional instructions on how to update all tracks.

achalkias commented 7 months ago

While I updated my app with these build plugin versions, and even though I use the 3.21.0 version of the PayPal data collector:

```groovy
implementation('com.braintreepayments.api:drop-in:3.+') {
    exclude group: 'com.android.support', module: 'appcompat-v7'
    exclude group: 'com.paypal.android.sdk', module: 'data-collector'
}
implementation 'com.braintreepayments.api:data-collector:3.21.0'
implementation 'com.paypal.android.sdk:data-collector:3.21.0'
```

I then appealed the issue in the Google Play console, and I received the following message from them: I’ve reviewed your appeal request and found that your app is currently in violation of Google Play policy. Please resolve this issue by February 28, 2024 or your app will be removed from Google Play.

During review, we found that your app, x (xx.xx.xx)(App Bundle Version: 4, Track: Production) is not compliant with the Location Permissions policy:

We don’t allow apps that request location in the background for either unapproved and/or undisclosed purposes. Apps that request location in the background must successfully complete a console-based declaration process and adequately disclose use to users. You may not use permissions or APIs that access sensitive information that give access to user or device data for undisclosed, unimplemented, or disallowed features or purposes.

You can read through the Location Permissions policy page for more details and examples of common violations.

For example, your app currently contains Paypal Data Collector SDK or an SDK that one of your libraries depends on, which requests location in the background for either unapproved and/or undisclosed purposes.

You may consider moving to another SDK; removing this SDK; or if available from your SDK provider, upgrading to a policy-compliant version of this SDK that does not include the violating behavior.

According to the information provided by your SDK provider, you may consider upgrading the SDK version used in your app to 3.21.0. Please consult the SDK provider for further information.

Before resubmitting your app for further review, please make sure to DEACTIVATE the non-compliant APKs (App Bundle Version: 4, Track: Production) and increment the version number of the APK. Kindly note that all active APK versions need to be compliant.

Action required: Submit an updated app by February 28, 2024

Read through the Location Permissions policy for more details. Make appropriate changes to your app, and be sure to address the issue described above. You may also want to check your app’s store listing for compliance, if applicable.

In addition to your Production release, if you have other release types that you use for testing and/or quality assurance checks (for example, Internal test, Closed, Open), please make sure to update those tracks as well. Double check that your app is compliant with all other Developer Program policies.

Sign in to your Play Console account and submit the update to your app or upload the modified, policy-compliant APK across all tracks, and deactivate the noncompliant APK(s). To deactivate a non-compliant APK, please create a new release and upload a compliant APK to the same track. Be sure to increment the APK version number and set the release to 100% rollout, in order to successfully override and deactivate the noncompliant APK.

If you are located in the EU, you may have additional redress options. Learn more about those potential options in the EU Out-of-Court Dispute Resolution Help Center.

Routing ID: ZLFS

sshropshire commented 7 months ago

@achalkias you'll need the latest version 3.21.1 to ensure compliance.

erawhctim commented 7 months ago

~Can someone help confirm if these two artifacts are the same?~

  • ~com.paypal.android.sdk:data-collector:3.21.1~
  • ~com.braintreepayments.api:data-collector:3.21.1~

~We depend on v5.4.2 of the drop-in SDK, which transitively depends on com.paypal.android.sdk:paypal-one-touch:3.21.1 and com.paypal.android.sdk:data-collector:3.21.1.~

~Google's rejections continue to mention com.braintreepayments.api:data-collector instead of com.paypal.android.sdk:data-collector. We thought that everything would be fine as long as we're on v3.21.1, but we're realizing now that the different group names may be what is holding up Google's reviewers internally.~

~Do we need to do extra work to exclude the paypal data-collector dependency and manually add the braintree one? Are they identical? Any guidance/recommendation on this?~

Moved this question to its own discussion here

Kowshika-aspire commented 7 months ago

Can someone help me fix this issue? I'm facing the same policy violation issue. Screenshot attached below:

[Screenshot attached]

I'm using com.braintreepayments.api:drop-in:5.4.0, com.braintreepayments.api:google-payment:3.3.1 and com.braintreepayments.api:braintree:3.21.0

erawhctim commented 7 months ago

@Kowshika-aspire drop-in v5.4.0 depends on braintree-android v3.20.0, which is non-compliant.

You need to upgrade the drop-in dependency to v5.4.2 (or higher) which depends on braintree-android v3.21.0
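
A way to verify which data-collector version actually ends up on the app's release classpath, as an added example that is not code from this thread or from Braintree: it parses `./gradlew :app:dependencies` output (the sample tree below is constructed) and flags either data-collector artifact whose selected version is below 3.21.1, the floor named earlier in this thread; the two module names and that floor are the only facts taken from the page.

```python
import re

# Minimum compliant versions named in this thread (sshropshire: 3.21.1);
# both group ids are listed because Play's rejections name either one.
MIN_VERSIONS = {
    "com.paypal.android.sdk:data-collector": (3, 21, 1),
    "com.braintreepayments.api:data-collector": (3, 21, 1),
}

# Matches a dependency-tree entry like '+--- group:module:3.20.0 -> 3.21.1',
# capturing the module, the declared version and an optional resolved version.
DEP_RE = re.compile(
    r"(?P<module>[\w.\-]+:[\w.\-]+):(?P<declared>[\d.+]+)"
    r"(?:\s*->\s*(?P<resolved>[\d.]+))?"
)

def parse_version(text):
    """'3.21.1' -> (3, 21, 1); dynamic ranges such as '3.+' give None."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        return None
    return tuple(int(p) for p in text.split("."))

def resolved_versions(tree_output):
    """Map each watched module to the version Gradle actually selected,
    honouring the 'declared -> resolved' conflict notation."""
    found = {}
    for line in tree_output.splitlines():
        m = DEP_RE.search(line)
        if not m or m.group("module") not in MIN_VERSIONS:
            continue
        version = parse_version(m.group("resolved") or m.group("declared"))
        if version is not None:
            found[m.group("module")] = version
    return found

def noncompliant(tree_output):
    """Watched modules whose selected version is below the minimum."""
    selected = resolved_versions(tree_output)
    return sorted(mod for mod, ver in selected.items() if ver < MIN_VERSIONS[mod])

# Constructed sample of `./gradlew :app:dependencies --configuration releaseRuntimeClasspath`
SAMPLE_TREE = """\
+--- com.braintreepayments.api:drop-in:5.4.0
|    +--- com.braintreepayments.api:braintree:3.20.0
|    |    \\--- com.paypal.android.sdk:data-collector:3.20.0
|    \\--- com.braintreepayments.api:google-payment:3.3.1
\\--- com.braintreepayments.api:data-collector:3.21.0 -> 3.21.1
"""

if __name__ == "__main__":
    print(noncompliant(SAMPLE_TREE))  # ['com.paypal.android.sdk:data-collector']
```

Run it once per release track's build (and per flavour) so that every active APK, not only the Production one, is checked.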

Kowshika-aspire commented 7 months ago

> @Kowshika-aspire drop-in v5.4.0 depends on braintree-android v3.20.0, which is non-compliant.
>
> You need to upgrade the drop-in dependency to v5.4.2 (or higher) which depends on braintree-android v3.21.0

@erawhctim Updated drop-in to 5.4.2, but still got the policy violation issue from Google.

This is our build.gradle file:

[Screenshot attached]

erawhctim commented 7 months ago

You're in the same boat as the rest of us then.

BunnyBuddy commented 6 months ago

> @Kowshika-aspire drop-in v5.4.0 depends on braintree-android v3.20.0, which is non-compliant. You need to upgrade the drop-in dependency to v5.4.2 (or higher) which depends on braintree-android v3.21.0
>
> @erawhctim Updated drop-in to 5.4.2, but still got the policy violation issue from Google.
>
> This is our build.gradle file:
>
> [Screenshot attached]

Same issue here man, tried everything above and still getting the warning; don't know what to do anymore. If we mention in our app's policy that we collect device data, will that resolve the issue, as it will be a declaration?

sshropshire commented 6 months ago

@here we're still waiting to hear back from Google. We've received assurance that the SDK was compliant in the past, and we've made no changes recently that would reverse compliance. They haven't been the most communicative with us in regards to the compliance issue. We're reaching out to them internally and we will report back any new information we receive.

sshropshire commented 6 months ago

In the meantime, please make sure you are up to date with the latest DropIn version and that you have updated all Google Play console release tracks to use the new version of your app.

Also consider filing an appeal in the Google Play console so that we can get more visibility on this issue and help get it resolved more quickly. Thank you for your patience while we work this out.

BunnyBuddy commented 6 months ago

> In the meantime, please make sure you are up to date with the latest DropIn version and that you have updated all Google Play console release tracks to use the new version of your app.
>
> Also consider filing an appeal in the Google Play console so that we can get more visibility on this issue and help get it resolved more quickly. Thank you for your patience while we work this out.

We updated the dropin to 5.4.2 and we appealed, but they're generating the same response (looks like computer generated) as mentioned by someone above in this thread. I think if we add the background location permission in the manifest file, maybe, just maybe, they'll accept it? Because the problem to me seems to be that they have issues with accessing background location without consent.

I asked in my appeal to the Play Store if we just mention in our app's description that we take background location (user device data) for fraud detection, would that be okay? And I got this response from them:

[Screenshot attached]

marwa-tarek commented 6 months ago

@BunnyBuddy I'm facing the same issue as well. The appeal's response is stating to upgrade to version 3.21.0:

SDK: Paypal Data Collector com.paypal.android.sdk:data-collector (consider upgrading to version com.braintreepayments.api:data-collector:3.21.0)

BunnyBuddy commented 6 months ago

Okay we finally got through.

First of all I had to update all the code utilizing Data Collector and Drop-In (because my code was fine up till Drop-in 5.4.2 but not 6.13.0, which had a lot of breaking changes) and changed the library versions as follows.

```groovy
implementation 'com.braintreepayments.api:drop-in:6.13.0'
implementation 'com.braintreepayments.api:data-collector:4.38.2'
```

Secondly, added this line to our app's policy page: "We only collect device data for Braintree (for the sole purpose of fraud detection)"

And also provided links to PayPal and Braintree's policy pages there.