Closed mradzinski closed 7 years ago
Hey,
these are two things, you mentioned:
1) fulfill the Deceptive device policy. You must explain to users why you are requesting the 'android.permission.BIND_DEVICE_ADMIN' in your app. Apps must provide accurate disclosure of their functionality and should perform as reasonably expected by the user. Any changes to device settings must be made with the user's knowledge and consent and be easily reversible by the user.
2) allow user to use KeystoreCompat library for some M or L and above. So in case app supports Android L and above, you don't want to solve step 1) above. Then it's good to modularize library and be able to use just parts of the library. K+ or L+ or M+
Actually I am almost done with the second attempt of publishing the same (with KitKat support) sample app again. I will try to fulfill step 1) above
I would recommend for you to use KeystoreCompat 1.2.0
It's the version with shortened package.
https://bintray.com/kotomisak/cz.koto/android-keystore-compat/1.2.0
Happy coding! Michal
On Sep 19, 2017 02:11, "Matias Radzinski" notifications@github.com wrote:
Hi, quick question over here: Is it currently safe to use KeystoreCompat 1.1.2 and publish an app to the play store without being rejected? Just wondering because you said you were working on a new version which didn't rely on BIND_DEVICE_ADMIN and we are developing an app that currently targets KitKat (pre-Lollipop).
Apps must provide accurate disclosure of their functionality and should perform
as reasonably expected by the user. Any changes to device settings must be
made with the user's knowledge and consent and be easily reversible by the
user.
One must learn to love how "clear" Google guidelines are sometimes :joy:. I'll try to find some more info regarding what they mean by "should perform as reasonably expected by the user" (that has many lectures) and I'll drop you a message here if I get to know a bit more.
Cheers!
This is the complete mail I got last time, and then they really removed the app from Google Play:
We reviewed your app, Security Showcase, with package name cz.koto.misak.securityshowcase, and noticed that it violates our developer terms.
REASON FOR WARNING: Violation of the Deceptive behavior policy
You must explain to users why you are requesting the ‘android.permission.BIND_DEVICE_ADMIN’ in your app. Apps must provide accurate disclosure of their functionality and should perform as reasonably expected by the user. Any changes to device settings must be made with the user's knowledge and consent and be easily reversible by the user.
Please complete the following actions within 7 days, or your app will be removed from Google Play:
- Read through the Deceptive Device Settings Changes policy for more details, and make sure your app complies with all policies listed in the Developer Program Policies.
- If you don't need the BIND_DEVICE_ADMIN permission in your app:
  - Remove your request for this permission from your app's manifest.
  - Sign in to your Play Console and upload your modified, policy compliant APK.
- Or, if you need the BIND_DEVICE_ADMIN permission in your app:
  - Include the following snippet in your app’s store listing description: “This app uses the Device Administrator permission.”
  - Provide prominent user facing disclosure of this usage before asking the user to enable this permission within your app. Your disclosure must meet each of the following requirements:
    - Disclosure must be displayed in normal course of usage of your app. Your users should not be required to navigate into a menu or settings to view disclosure.
    - Disclosure must describe the functionality Device Admin permission is enabling for your app.
    - Each security policy used with the Device Admin request must be declared in your disclosure, and each policy must be accompanied with justification for the request.
    - Disclosure cannot only be placed in your privacy policy, TOS or EULA.
Alternatively, you can choose to unpublish the app.
All violations are tracked. Serious or repeated violations of any nature will result in the termination of your developer account, and investigation and possible termination of related Google accounts.
Regards,
The Google Play Team
I fixed this issue by letting the user switch off the DEVICE ADMIN RIGHT in the app directly (see sample app). I also don't bind this code for the lighter variant of the library (elplus/emplus), so programmers don't have to solve this issue.
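The approach described in the comment above (disclose before asking, and let the user revoke the right from inside the app) can be sketched as follows. This is an added example, not code from KeystoreCompat or its sample app; `SampleAdminReceiver`, `AdminToggle` and the disclosure text are hypothetical names, and it assumes the receiver is declared in the manifest and the code is built against the Android SDK.

```kotlin
import android.app.Activity
import android.app.AlertDialog
import android.app.admin.DeviceAdminReceiver
import android.app.admin.DevicePolicyManager
import android.content.ComponentName
import android.content.Context
import android.content.Intent

// Hypothetical receiver; it must also be declared in the manifest with
// android:permission="android.permission.BIND_DEVICE_ADMIN".
class SampleAdminReceiver : DeviceAdminReceiver()

// Hypothetical helper: disclosure first, system consent second, in-app opt-out always.
class AdminToggle(private val activity: Activity) {
    private val dpm =
        activity.getSystemService(Context.DEVICE_POLICY_SERVICE) as DevicePolicyManager
    private val admin = ComponentName(activity, SampleAdminReceiver::class.java)

    fun isEnabled(): Boolean = dpm.isAdminActive(admin)

    // Show the disclosure in the normal flow, before the system prompt appears.
    fun requestWithDisclosure(disclosure: String, requestCode: Int) {
        AlertDialog.Builder(activity)
            .setTitle("Device Administrator permission")
            .setMessage(disclosure) // name each policy used and why it is needed
            .setPositiveButton(android.R.string.ok) { _, _ ->
                val intent = Intent(DevicePolicyManager.ACTION_ADD_DEVICE_ADMIN)
                    .putExtra(DevicePolicyManager.EXTRA_DEVICE_ADMIN, admin)
                    .putExtra(DevicePolicyManager.EXTRA_ADD_EXPLANATION, disclosure)
                activity.startActivityForResult(intent, requestCode)
            }
            .setNegativeButton(android.R.string.cancel, null) // declining changes nothing
            .show()
    }

    // "Easily reversible": one tap in the app drops the admin right again.
    fun disable() {
        if (dpm.isAdminActive(admin)) dpm.removeActiveAdmin(admin)
    }
}
```

Binding `disable()` to a visible switch on the main screen, rather than a nested settings page, keeps the revocation path as easy to reach as the request.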
Hi, quick question over here: Is it currently safe to use KeystoreCompat 1.1.2 and publish an app to the play store without it being rejected? Just wondering because you said you were working on a new version which didn't rely on `BIND_DEVICE_ADMIN`. We are working on an app that currently targets KitKat (pre-Lollipop) and I have this feeling `BIND_DEVICE_ADMIN` is sort of needed for such minSDK. Thanks