braintree / braintree_android

Braintree SDK for Android
https://developer.paypal.com/braintree/docs/start/hello-client/android/v4
MIT License

CardinalComm SDK Warning from Google Play #629

Closed dimitradg closed 1 year ago

dimitradg commented 1 year ago

Integration Details:

```groovy
implementation 'com.braintreepayments.api:card:4.12.0'
implementation 'com.braintreepayments.api:data-collector:4.12.0'
implementation 'com.braintreepayments.api:three-d-secure:4.12.0'
```

app (project level)

```groovy
maven {
    url "https://cardinalcommerceprod.jfrog.io/artifactory/android"
    credentials {
        username ****
        password ****
    }
}
```

Describe the bug

I am using the above-mentioned Braintree SDKs (v4.12.0) and today I received a warning from Google Play with the following message:

> Your app is using the Cardinal Mobile SDK which collects persistent device identifiers, but may not be limited to Android ID and hardware IDs. Persistent device identifiers may not be linked to any other personal and sensitive user data and/or resettable device identifiers (e.g., IMEI, IMSI, SIM Serial #, etc).
>
> You may consider upgrading to a policy-compliant version of this SDK, if available from your SDK provider or removing the SDK. According to your SDK provider, you may consider upgrading to 2.2.7-2. Please consult the SDK provider for further information. Google is unable to endorse or recommend any third party software.

Thank you in advance

HeyPouya commented 1 year ago

Hello, we also got this email today. I'm not sure if it helps, but after checking the build scan, the resolved Cardinal dependency version is 2.2.7-2 for our project, but we still got that email. Maybe the latest version of cardinal (2.2.7-2) also is not policy-compliant?

dimitradg commented 1 year ago

> Hello, we also got this email today. I'm not sure if it helps, but after checking the build scan, the resolved Cardinal dependency version is 2.2.7-2 for our project, but we still got that email. Maybe the latest version of cardinal (2.2.7-2) also is not policy-compliant?

@SirLordPouya May I ask where you managed to check the Cardinal dependency? This may be a silly question but I am kind of confused.

HeyPouya commented 1 year ago

> @SirLordPouya May I ask where you managed to check the Cardinal dependency? This may be a silly question but I am kind of confused.

@dimitradg You can use a Gradle build scan: `gradle build --scan`

marxhendrik commented 1 year ago

Exact same issue here. We are using this version:

> According to your SDK provider, you may consider upgrading to 2.2.7-2

dimitradg commented 1 year ago

> @SirLordPouya May I ask where you managed to check the Cardinal dependency? This may be a silly question but I am kind of confused.
>
> @dimitradg You can use a Gradle build scan: `gradle build --scan`

Thank you :)

dimitradg commented 1 year ago

> Exact same issue here. We are using this version:
>
> According to your SDK provider, you may consider upgrading to 2.2.7-2

I saw the issue you commented on above; however, it is not very clear to me whether I have to change the content of the Data Safety form and what I should change.

bm185178 commented 1 year ago

What's the concrete step for this? Would it resolve the warning if we upgrade to Braintree SDK 4.18.0, which supports 2.2.7-2? This warning will suspend our customers' releases in the future if we do not comply. This should not be taken lightly because dealing with a Google suspension is not easy and this is a legal matter. We need an answer asap.

4gus71n commented 1 year ago

+1 ☝️ – I'm in the same spot, we just got this warning from Google and we have 60 days to fix this issue otherwise our app will be taken off the Google Playstore. Please share some updates as soon as there's a fix for this. Thanks! 🙇

sshropshire commented 1 year ago

Thanks all. We're investigating the issue and should have an update in the coming days. We appreciate your patience in the meantime.

hollabaq86 commented 1 year ago

Hi folks, can I get 👍 reactions from folks getting these notifications that:

  1. You are on the latest version of the SDK (4.20.0)
  2. The text of the notification from the Google Playstore specifically mentions the following:

    > Your app is using the Cardinal Mobile SDK which collects persistent device identifiers, but may not be limited to Android ID and hardware IDs. Persistent device identifiers may not be linked to any other personal and sensitive user data and/or resettable device identifiers (e.g., IMEI, IMSI, SIM Serial #, etc).

If the contents of the notification you're getting from Google is different, please drop that in a comment here or contact Support referencing this issue.

We need a solid confirmation of this info so that we're correctly escalating the issue and that version 2.2.7-2 of Cardinal's SDK indeed does not resolve these alerts. Thanks all for your patience as we try to resolve this 🙏

I also want to mention that we are actively trying to reproduce these notifications with a demo app, too, but in the interest of the urgency of this issue we're asking for your help in confirming a few things. Thanks!

hollabaq86 commented 1 year ago

for internal tracking, issue 1456

sshropshire commented 1 year ago

Hi all. Thanks for your patience while we escalated this issue to Cardinal and Google. Both Cardinal and Google have confirmed that version 2.2.7-2 of the Cardinal Commerce SDK is compliant.

Cardinal has advised folks to try updating all versions of your app in all tracks (Internal / Closed / Open testing and Production) to use the latest version of the Braintree SDK -> 4.20.0. Google emphasized that "all active versions of the app on any track need to be compliant."

If your application continues to be impacted after performing the above, file an appeal with the Google Play store mentioning that your app depends on version 2.2.7-2 of the Cardinal SDK, which is compliant.

If you're still unable to deploy an update, let us know so we can keep track of issue resolution.

bm185178 commented 1 year ago

We are gonna try it out and let you know if we ever get back from google.

josephyanks commented 1 year ago

Just a heads up, we had this issue as well and it applies to ANY version of the app that is on the play store that has the issue. In our case, we had a beta + dev application versions that we weren't actively updating that had the old sdk. We had to update those versions to clear the warning. Also, if your last released version to any of the tracks have this old version, you should either release into those tracks or purge the tracks of the violating releases as those will trigger the warnings as well. Google play support was extremely unhelpful, as most of their responses seem to be automated.

4gus71n commented 1 year ago

Hi 👋 – The only Braintree lib our team is using is:

```groovy
apply plugin: 'com.android.application'

// ...

repositories {
  maven { url "https://jitpack.io" }
  maven {
    url "https://cardinalcommerceprod.jfrog.io/artifactory/android"
    content {
      includeGroup "com.braintreepayments.api"
      includeGroup "org.jfrog.cardinalcommerce.gradle"
    }
    credentials {
      username 'braintree_team_sdk'
      // ...
    }
  }
}

dependencies {
  // ...
  implementation 'com.braintreepayments.api:drop-in:6.2.0'
  // ...
}
```

And we are still getting the warning from Google saying that we are not using Cardinal 2.2.7-2 – any idea if there's a new version of this API that we can use? Thanks! 🙇

Note: This version of the drop-in app is the highest AFAIK but still uses this version of the Cardinal SDK 👇


Should I try to exclude the faulty version and manually add the compliant one?

```groovy
implementation("com.braintreepayments.api:drop-in:6.2.0") {
    exclude group: "org.jfrog.cardinalcommerce.gradle", module: "cardinalmobilesdk"
}
implementation 'org.jfrog.cardinalcommerce.gradle:cardinalmobilesdk:2.2.7-2'
```

sshropshire commented 1 year ago

Hi @4gus71n if you update your app to use the latest DropIn version 6.5.1 you should be good.

matejhacin commented 1 year ago

Hi,

I am not using Braintree DropIn dependency, so upgrading that dependency (as other answers here suggest) won't do anything for me. It seems like the problematic dependency in my case is three-d-secure:3.11.1.


I have not yet managed to do the migration to v4. It was on the roadmap for early 2023 but was hoping I could stay on v3 for a little while longer.

Do I have any other options here or is this gonna force me to do the migration to V4 earlier than planned?

Thanks

sshropshire commented 1 year ago

Hi @matejhacin we will add a 3.x update soon after the holidays with a Cardinal update to give merchants more time to migrate. In the meantime, please consider upgrading to v4 which is under active development.

rhyskentish commented 1 year ago

Hi @sshropshire just wondering if you could provide an update regarding the 3.x update for this? I can see a draft PR for it however do you have a timeline on when we could expect to see this? Thanks.

sshropshire commented 1 year ago

Hey @rhyskentish we've released version 3.20.0 with an up to date version of Cardinal.

jamesyorke commented 11 months ago

We are still hitting this issue even using Braintree SDK 4.39.0, even though the Cardinal Mobile SDK version being used is now org.jfrog.cardinalcommerce.gradle:cardinalmobilesdk:2.2.7-5, i.e. above the minimum 2.2.7-2 that Google Play tells us it at least needs.

It seems to be com.braintreepayments.api:three-d-secure:4.39.0 that uses the Cardinal Mobile SDK, and hence is the problematic one.
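Two checks recur in this thread: finding which Cardinal version Gradle actually resolves (the build-scan suggestion above) and comparing it against the 2.2.7-2 minimum, where suffixed versions such as 2.2.7-5 must be recognised as newer. The following added example (not code from the Braintree project or any commenter) parses the plain `gradle :app:dependencies` text output instead of a build scan and flags any configuration that still resolves below the minimum; the dependency tree it runs on is constructed, and the 2.2.5-2 version it contains is illustrative rather than the real version shipped with three-d-secure 3.11.1.

```python
import re

# Cardinal Mobile SDK coordinate as printed in the dependency tree, and the
# minimum version named in the Google Play warning discussed in this thread.
CARDINAL_COORD = "org.jfrog.cardinalcommerce.gradle:cardinalmobilesdk"
MIN_COMPLIANT = "2.2.7-2"

# One Cardinal node of `gradle :app:dependencies` output, e.g.
#   |    \--- org.jfrog.cardinalcommerce.gradle:cardinalmobilesdk:2.2.7-2 -> 2.2.7-5
# group 1 = requested version, group 2 = version Gradle resolved to, if upgraded.
_NODE = re.compile(re.escape(CARDINAL_COORD) + r":(\S+)(?:\s+->\s+(\S+))?")

def version_key(version):
    """Map '2.2.7-5' to (2, 2, 7, 5) so '2.2.7-5' > '2.2.7-2' > '2.2.7'."""
    base, _, suffix = version.partition("-")
    parts = [int(p) for p in base.split(".")]
    parts.append(int(suffix) if suffix.isdigit() else 0)
    return tuple(parts)

def resolved_cardinal_versions(tree_text):
    """Collect every Cardinal version that actually lands on a classpath."""
    versions = set()
    for line in tree_text.splitlines():
        if "(n)" in line or "(c)" in line:  # unresolved or constraint-only lines
            continue
        match = _NODE.search(line)
        if match:
            versions.add(match.group(2) or match.group(1))
    return versions

def check_compliance(tree_text, minimum=MIN_COMPLIANT):
    """Return (ok, versions). ok is True only when Cardinal is present and every
    resolved version is >= minimum; no Cardinal at all is reported as not ok."""
    versions = resolved_cardinal_versions(tree_text)
    ok = bool(versions) and all(version_key(v) >= version_key(minimum) for v in versions)
    return ok, sorted(versions, key=version_key)

# Constructed sample of `gradle dependencies` output, not a real project's tree:
# the debug configuration still pulls an old Cardinal, release resolves to 2.2.7-5.
SAMPLE_TREE = r"""
debugRuntimeClasspath - Runtime classpath of compilation 'debug'.
+--- com.braintreepayments.api:three-d-secure:3.11.1
|    \--- org.jfrog.cardinalcommerce.gradle:cardinalmobilesdk:2.2.5-2
\--- com.braintreepayments.api:card:3.11.1
releaseRuntimeClasspath - Runtime classpath of compilation 'release'.
+--- com.braintreepayments.api:three-d-secure:4.39.0
|    \--- org.jfrog.cardinalcommerce.gradle:cardinalmobilesdk:2.2.7-2 -> 2.2.7-5
\--- com.braintreepayments.api:card:4.39.0
"""
```

Run it against the saved output of `./gradlew :app:dependencies` for each app module and track you publish, since the thread notes that Google checks every active release on every track, not just production.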