Add prominent disclosure in a dialog for location
mariobehling opened this issue · 5 comments
The Google app store shows: "Permissions and APIs that Access Sensitive Information policy: Prominent disclosure not found"
The app uses location info as it is required for Bluetooth Low Energy. Therefore implement a dialog.
"Please allow location permissions. This app requires access to location data to enable the transfer of data to LED badges via Bluetooth LE. Bluetooth LE requires this to work. // Deny / Accept"
You can find the implementation how it was done in PSLab Android here fossasia/pslab-android#2418
Your app must display a prominent disclosure in a dialog that appears before your app’s location runtime permission. Based on our review, a prominent disclosure didn’t appear. (See Google Play Policy - Declared permissions and in-app disclosures video for an example of a dialog that pops up in the app with the necessary information.)
Please implement the prominent disclosure dialog.
Google still rejects the app. Could you please check to implement the feature as described in the Google documentation?
Issue found: Prominent disclosure not found
Your app must display a prominent disclosure in a dialog that appears before your app’s location runtime permission. Based on our review, a prominent disclosure didn’t appear. (See Google Play Policy - Declared permissions and in-app disclosures video for an example of a dialog that pops up in the app with the necessary information.)
To bring your app into compliance, follow these steps:
Read through the Help Center article about understanding location in the background permissions for more information.
Review the prominent disclosure and consent requirements and add a prominent disclosure.
Your prominent disclosure must appear before your app’s location runtime permission.
Include at least the following sentence, which you adapt to include all the relevant features requesting access to location in the background in your app that are readily visible to the user: “This app collects location data to enable {feature}, {feature}, and {feature} even when the app is closed or not in use.” If you extend permitted usage to ads, also include: “This data is also used to provide ads/support advertising/support ads.”
Include any other details necessary to make it clear to the user how and why you’re using location in the background. While additional content is permitted, it should not cause the required content to not be immediately visible.
Google rejected it again.
Issue details
We found an issue in the following area(s):
In-app experience: Please see attached screenshot IN_APP_EXPERIENCE-2431.png
To bring your app into compliance, follow these steps:
Read through the Help Center article about understanding location in the background permissions for more information.
Review the prominent disclosure and consent requirements and update your prominent disclosure:
Make sure your prominent disclosure includes the term “location”.
Indicate how location is used in the background by including one of these phrases: “background” / “when the app is closed” / “always in use” / “when the app is not in use”.
Include a list of all the features that use location in the background.
If you extend permitted usage to ads include: “used to provide ads/support advertising/support ads.” (Choose the most accurate phrasing.)
This is what we need:
https://developer.android.com/develop/connectivity/bluetooth/bt-permissions#assert-never-for-location
Strongly assert that your app doesn't derive physical location
If your app doesn't use Bluetooth scan results to derive physical location, you can make a strong assertion that your app never uses the Bluetooth permissions to derive physical location. To do so, complete the following steps:
Add the android:usesPermissionFlags attribute to your BLUETOOTH_SCAN permission declaration, and set this attribute's value to neverForLocation.
Note: If you include neverForLocation in your android:usesPermissionFlags, some BLE beacons are filtered from the scan results.
If location isn't otherwise needed for your app, remove the ACCESS_FINE_LOCATION permission from your app's manifest.
The following code snippet shows how to update your app's manifest file:
<manifest>
<!-- Include "neverForLocation" only if you can strongly assert that
your app never derives physical location from Bluetooth scan results. -->
<uses-permission android:name="android.permission.BLUETOOTH_SCAN"
android:usesPermissionFlags="neverForLocation" />
<!-- Not needed if you can strongly assert that your app never derives
physical location from Bluetooth scan results and doesn't need location
access for any other purpose. -->
<strike><uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" /></strike>
...
</manifest>
Feedback from Google:
Step 1: Review the policy violation with your app
We found that your app is not compliant with the Location Permissions policy, or we were unable to review and verify your in-app experience for compliance with this policy.
Specifically,Missing information in prominent disclosure
Your prominent disclosure must appear before your app’s location runtime permission, and should tell the user which feature(s) will use location in the background. Based on our review, your app’s prominent disclosure did not include the term “location” / indication that the nature of usage is in the background by using one of the following phrases “background” / “when the app is closed” / “always in use” / “when the app is not in use” / a list of all the features that use location in the background / one of the following phrases “used to provide ads / support advertising / support ads” (if you extend permitted usage to ads).
To meet the policy requirements, it is recommended that you reference one of the following example formats, the second example includes the use of location for ads (choose the most relevant phrasing):
“[This app] collects location data to enable ["feature"], ["feature"], & ["feature"] even when the app is closed or not in use.”
“[This app] collects location data to enable ["feature"], ["feature"], & ["feature"] even when the app is closed or not in use and it is also used to support advertising.”
Example: “Fitness Funds collects location data to enable fitness tracking even when the app is closed or not in use.”
Therefore I guess we need something like this:
Badge Magic collects location data to enable Bluetooth Low Energy and to connect to LED badges and transfer data to the badges even when the app is closed or not in use. No location data is transferred to external devices or our servers.
Even though this is not correct, it seems we have to do it in order to satisfy Google.
This is what we need: https://developer.android.com/develop/connectivity/bluetooth/bt-permissions#assert-never-for-location
Strongly assert that your app doesn't derive physical location If your app doesn't use Bluetooth scan results to derive physical location, you can make a strong assertion that your app never uses the Bluetooth permissions to derive physical location. To do so, complete the following steps:
Add the android:usesPermissionFlags attribute to your BLUETOOTH_SCAN permission declaration, and set this attribute's value to neverForLocation.
Note: If you include neverForLocation in your android:usesPermissionFlags, some BLE beacons are filtered from the scan results. If location isn't otherwise needed for your app, remove the ACCESS_FINE_LOCATION permission from your app's manifest.
The following code snippet shows how to update your app's manifest file:
<manifest> <!-- Include "neverForLocation" only if you can strongly assert that your app never derives physical location from Bluetooth scan results. --> <uses-permission android:name="android.permission.BLUETOOTH_SCAN" android:usesPermissionFlags="neverForLocation" /> <!-- Not needed if you can strongly assert that your app never derives physical location from Bluetooth scan results and doesn't need location access for any other purpose. --> <strike><uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" /></strike> ... </manifest>
This permission flag I've already added in the last commit.