invertase / react-native-firebase

🔥 A well-tested feature-rich modular Firebase implementation for React Native. Supports both iOS & Android platforms for all Firebase services.
https://rnfirebase.io

App removed from Google Play Store due to permission issue. #1968

Closed reeturajc closed 5 years ago

reeturajc commented 5 years ago

Issue

This is from the Two35 PLAYtform team. Our app (O'Pancho) is basically about quizzes and is made in React Native for Android. It requires some permissions for sending an OTP and verifying the OTP back. We are currently using Google's Firebase services for authentication [RNFirebase]. So when we mention these permissions in the Android manifest file and try to upload the app to Google's Play Store, a form is generated where we are required to declare the permissions we are using in the app. But the subject for our condition (OTP authentication via SMS) is not mentioned anywhere; due to this we are unable to upload the app (O'Pancho).

We are using this example code:

```js
firebase.auth()
  .verifyPhoneNumber(phoneNumber)
  .on('state_changed', (phoneAuthSnapshot) => {
    // How you handle these state events is entirely up to your ui flow and whether
    // you need to support both ios and android. In short: not all of them need to
    // be handled - it's entirely up to you, your ui and supported platforms.

    // E.g you could handle android specific events only here, and let the rest fall back
    // to the optionalErrorCb or optionalCompleteCb functions
    switch (phoneAuthSnapshot.state) {
      // ------------------------
      //  IOS AND ANDROID EVENTS
      // ------------------------
      case firebase.auth.PhoneAuthState.CODE_SENT: // or 'sent'
        console.log('code sent');
        // on ios this is the final phone auth state event you'd receive
        // so you'd then ask for user input of the code and build a credential from it
        // as demonstrated in the `signInWithPhoneNumber` example above
        break;
      case firebase.auth.PhoneAuthState.ERROR: // or 'error'
        console.log('verification error');
        console.log(phoneAuthSnapshot.error);
        break;

      // ---------------------
      // ANDROID ONLY EVENTS
      // ---------------------
      case firebase.auth.PhoneAuthState.AUTO_VERIFY_TIMEOUT: // or 'timeout'
        console.log('auto verify on android timed out');
        // proceed with your manual code input flow, same as you would do in
        // CODE_SENT if you were on IOS
        break;
      case firebase.auth.PhoneAuthState.AUTO_VERIFIED: // or 'verified'
        // auto verified means the code has also been automatically confirmed as correct/received
        // phoneAuthSnapshot.code will contain the auto verified sms code - no need to ask the user for input.
        console.log('auto verified on android');
        console.log(phoneAuthSnapshot);
        // Example usage if handling here and not in optionalCompleteCb:
        // const { verificationId, code } = phoneAuthSnapshot;
        // const credential = firebase.auth.PhoneAuthProvider.credential(verificationId, code);

        // Do something with your new credential, e.g.:
        // firebase.auth().signInWithCredential(credential);
        // firebase.auth().currentUser.linkWithCredential(credential);
        // etc ...
        break;
    }
  }, (error) => {
    // optionalErrorCb would be same logic as the ERROR case above, if you've already handled
    // the ERROR case in the above observer then there's no need to handle it here
    console.log(error);
    // verificationId is attached to error if required
    console.log(error.verificationId);
  }, (phoneAuthSnapshot) => {
    // optionalCompleteCb would be same logic as the AUTO_VERIFIED/CODE_SENT switch cases above
    // depending on the platform. If you've already handled those cases in the observer then
    // there's absolutely no need to handle it here.

    // Platform specific logic:
    // - if this is on IOS then phoneAuthSnapshot.code will always be null
    // - if ANDROID auto verified the sms code then phoneAuthSnapshot.code will contain the verified sms code
    //   and there'd be no need to ask for user input of the code - proceed to credential creating logic
    // - if ANDROID auto verify timed out then phoneAuthSnapshot.code would be null, just like ios, you'd
    //   continue with user input logic.
    console.log(phoneAuthSnapshot);
  });
// optionally also supports .then & .catch instead of optionalErrorCb &
// optionalCompleteCb (with the same resulting args)
```

And if we just use then also Google is rejecting our app due to violation of their policy.

Here's what Google sent us:

Hi Developers at Two35 PLAYtform,

After a recent review, O'Pancho - The PLAYtform : Play more Win more (com.awishcar.opancho) has been removed from Google Play. We reviewed your app and found that it does not qualify for use of the requested permissions.

The declared functionality {Default SMS handler (and any other core functionality usage while default handler)} is determined to be unnecessary or not aligned with the core functionality of your app.

Publishing Status

Publishing status: Removed

Your app has been removed due to a policy violation. This app won't be available to users until you submit a compliant update.

Reasons of violation

Issue: Violation of Permission policy

Your app does not qualify for use of the requested permissions. Permission requests should make sense to users. You may only request permissions that are necessary to implement critical current features or services in your application. You may not use permissions that give access to user or device data for undisclosed, unimplemented, or disallowed features or purposes.

Next steps: Submit your app for another review

  1. Read through the Permissions policy and the Play Console Help Center article, which describes intended uses, exceptions, invalid uses, and alternative options for use of Call Log or SMS permissions.
  2. Make appropriate changes to your app.
  3. Sign in to your Play Console and submit the update to your app.

Kindly suggest how to resolve the issue.



Salakar commented 5 years ago

@reeturajc thanks for reporting this issue - this permission is not something we are adding - you can see all the permissions we request for RNFirebase here: https://github.com/invertase/react-native-firebase/blob/v5.x.x/android/src/main/AndroidManifest.xml - nothing related to SMS at all.

If you're not adding these permissions yourself (you shouldn't need to do so, SMS verification auth is part of Google Play Services) then my guess is this is coming from the Firebase Android SDK permissions (defined in their AndroidManifest.xml) - this file is not public though so can't be sure. I'd suggest raising a Firebase Support issue if you did not add these permissions and provide the information in this issue/link here.

Please report back when you get a response.

stale[bot] commented 5 years ago

Hello 👋, this issue has been automatically marked as stale because it has not had activity for quite some time. Has the issue been fixed, or does it still require the community's attention? This issue may be closed if no further activity occurs. Thank you for your contributions.

kmcnellis commented 5 years ago

> So when we are mentioning these permissions in android manifest file and trying to upload it on Google's Play Store

-> Firebase Auth doesn't require you to request SMS-read permissions in your AndroidManifest.xml. Google Play Services handles the auto-retrieval of verification SMS messages (similarly to the SMS retriever API - https://developers.google.com/identity/sms-retriever/overview)

> a form generates where it is required to notify about the permission we are using in the app. But the subject for the condition (OTP authentication via SMS) is not mentioned anywhere

-> This isn't a supported use case for the SMS read permission. https://support.google.com/googleplay/android-developer/answer/9047303

meliodev commented 3 years ago

Firebase phone authentication works using Google Play services so it doesn't require any SMS permission. Use something like grepWin to search all the files of your project for the permission that is causing you this issue. You will probably find the AndroidManifest.xml of at least one library listing an SMS permission (such as READ_SMS or RECEIVE_SMS). So just uninstall those libraries. Hope this helps.
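
The manifest search suggested in the last comment can be scripted with Node, which a React Native project already has. This is an added example, not code from the thread or from react-native-firebase; the sample library names and manifests are constructed, and the permission names beyond READ_SMS and RECEIVE_SMS are an assumption about what to flag.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// READ_SMS and RECEIVE_SMS are named in the thread; the remaining SMS and
// Call Log permission names are added here as an assumption about what to flag.
const RESTRICTED = new Set([
  'READ_SMS', 'RECEIVE_SMS', 'SEND_SMS', 'WRITE_SMS', 'RECEIVE_MMS', 'RECEIVE_WAP_PUSH',
  'READ_CALL_LOG', 'WRITE_CALL_LOG', 'PROCESS_OUTGOING_CALLS',
]);
// Matches <uses-permission> and <uses-permission-sdk-23>, attributes in any order.
const USES_PERMISSION =
  /<uses-permission(?:-sdk-23)?\b[^>]*?android:name\s*=\s*["']android\.permission\.([A-Z_]+)["']/g;

// Walk `root` and report every manifest that declares a flagged permission.
function findRestrictedPermissions(root) {
  const hits = [];
  const stack = [root];
  while (stack.length > 0) {
    const dir = stack.pop();
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      if (entry.isDirectory()) stack.push(full);
      if (!entry.isFile() || entry.name !== 'AndroidManifest.xml') continue;
      // Strip XML comments so a commented-out permission is not reported.
      const xml = fs.readFileSync(full, 'utf8').replace(/<!--[\s\S]*?-->/g, '');
      for (const [, permission] of xml.matchAll(USES_PERMISSION)) {
        if (RESTRICTED.has(permission)) hits.push({ file: path.relative(root, full), permission });
      }
    }
  }
  return hits.sort((a, b) => (a.file + a.permission).localeCompare(b.file + b.permission));
}

// Constructed sample tree; the library names and manifests are made up.
function buildSampleProject() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'manifest-scan-'));
  const perm = (p) => `<uses-permission android:name="android.permission.${p}" />`;
  const write = (dir, body) => {
    fs.mkdirSync(path.join(root, dir), { recursive: true });
    fs.writeFileSync(path.join(root, dir, 'AndroidManifest.xml'), `<manifest>\n${body}\n</manifest>\n`);
  };
  write('android/app/src/main', perm('INTERNET'));
  write('node_modules/example-sms-listener/android/src/main', perm('READ_SMS') + '\n' + perm('RECEIVE_SMS'));
  write('node_modules/example-clean-lib/android/src/main', `<!-- ${perm('SEND_SMS')} -->`);
  return root;
}

for (const h of findRestrictedPermissions(buildSampleProject())) console.log(`${h.permission}\t${h.file}`);
```

To check a real project, call `findRestrictedPermissions` with the project root instead of the sample tree; each hit names the manifest, and therefore the dependency, that contributes the permission to the merged app manifest.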