istanbuljs/istanbuljs

Issue with Google Play policies

felipeaugusto1 opened this issue · 5 comments

Google Play recently reached out to me saying that one of our SDKs facilitates the collection and transmission of users’ installed packages information and contains security vulnerabilities. After some time, I found out that the issue is located here and a bunch of JavaScript dependencies use istanbuljs.

I know this might not be an easy change (since tons of libraries will have to update), but is there a workaround?

I'll paste the google message here.

After a recent review, we found that your app is not compliant with one or more of our Developer Program Policies. Please resolve this issue as soon as possible. See below for more information about violation and how to correct the issue.


Issue with your app
We found your app is using a non-compliant version of Tapjoy SDK which facilitates the collection and transmission of users’ installed packages information and contains security vulnerabilities, which can expose user information or damage a user’s device.

Specifically, your app(s) are vulnerable to the Sensitive JavaScript Interface Vulnerability.
Apps or third-party code (e.g., SDKs) with interpreted languages (JavaScript, Python, Lua, etc.) loaded at run time (e.g. not packaged with the app) must not allow potential violations of Google Play policies.

After 60 days, new app releases containing this non-compliant version of this SDK will be rejected. This SDK version violates the User Data and Device & Network Abuse policy. You may consider moving to another SDK; removing this SDK; or if available from your SDK provider, upgrading to a policy-compliant version of this SDK that does not include the violating code.

According to the information provided by your SDK provider Tapjoy, you may consider upgrading to their version 12.8.1 which they have recommended for use. Google is not endorsing or recommending any third party software. Please consult the SDK provider for further information.

You must also ensure that your app is compliant with all other Developer Program Policies, including ensuring that any SDK or other third-party code incorporated in your app complies with all Play developer policies.


About the User Data Policy

You must be transparent in how you handle user data (e.g., information collected from or about a user, including device information). That means disclosing your app’s access, collection, use, and sharing of the data, and limiting the use of the data to the purposes disclosed. If your app handles sensitive user data, then you must follow the Personal and Sensitive User Data policy.
We don’t allow code that introduces or exploits security vulnerabilities. Check out the App Security Improvement Program to find out about the most recent security issues flagged to developers.

Action required: Publish a new compliant version of your app within 60 days

Here’s what to do to help make sure that your app stays available on Google Play:

1. Review the User Data and Device & Network Abuse policies for more details.
2. Make appropriate changes to your app, and be sure to address the issue identified above. In addition to your Production release, if you have other release types that you use for testing and/or quality assurance checks (e.g. Internal test, Closed, Open), please make sure to update those tracks as well.
3. Double check that your app is compliant with all other Developer Program Policies. Additional enforcement could occur if there are further policy violations.
4. Sign in to your Play Console, upload the modified, policy compliant APK across all tracks, and deactivate the non-compliant APK(s).
5. Click "Manage track" and "Create new release".
   - If the release with the violating app bundles / APKs is in a draft state, discard the release.
   - Otherwise, add the policy compliant version of app bundles / APKs.
   - Make sure the non-compliant version is under the Not Included section of this release.
   - Enter a release name and click Save. Once saved, click "Review release" and then proceed to roll out the release to 100%.
6. If the non-compliant versions are released to multiple tracks, repeat step 5 in each track.
7. Submit the update to your app.

Contact support

If you’ve reviewed the policy and feel our decision may have been in error, please reach out to our policy support team. We'll get back to you within 2 business days.

Learn more

Visit the Android Developers Blog to learn more about free tools and resources for building safe and successful apps.

Thanks for your continued support in helping to make Google Play a positive experience for both developers and consumers. Please complete a two question survey to help us improve this experience.

The Google Play Team

Are you using the Applovin Ads Network?
I'm getting the same policy notification, so I think it may be due to Applovin. I just want to confirm with you.

@errohitdev I'm not using Applovin ads network

This issue is due to appsgeyser. I think you developed your application with appsgeyser; if yes, then just update your application on all tracks, including Internal testing.

@errohitdev I'm not using appsgeyser either

bcoe commented

I see no reason not to remove javascript:void(0); from our reports, if we do so anywhere.