App developers often rely on third-party code (for example, an SDK) to integrate key functionality and services for their apps. When including an SDK in your app, you want to make sure that you can keep your users safe and your app secure from any vulnerabilities. In this section, we demonstrate how some of our existing privacy and security requirements apply in the SDK context and are designed to help developers safely and securely integrate SDKs into their apps.
If you include an SDK in your app, you are responsible for ensuring that the third-party code and the SDK provider's practices do not cause your app to violate Google Play Developer Program Policies. It is important to be aware of how the SDKs in your app handle user data and to ensure you know what permissions they use, what data they collect, and why. Remember, an SDK's collection and handling of user data must align with your app's policy-compliant use of that data.
To help ensure your use of an SDK does not violate policy requirements, read and understand the following policies in their entirety and note some of their existing requirements pertaining to SDKs below:
User Data Policy
You must be transparent in how you handle user data (for example, information collected from or about a user, including device information). That means disclosing the access, collection, use, handling, and sharing of user data from your app, and limiting the use of the data to the policy compliant purposes disclosed.
If you include third party code (for example, an SDK) in your app, you must ensure that the third party code used in your app, and that third party’s practices with respect to user data from your app, are compliant with Google Play Developer Program policies, which include use and disclosure requirements. For example, you must ensure that your SDK providers do not sell personal and sensitive user data from your app. This requirement applies regardless of whether user data is transferred after being sent to a server, or by embedding third-party code in your app.
Personal and Sensitive User Data
Sale of Personal and Sensitive User Data
Do not sell personal and sensitive user data.
Prominent Disclosure & Consent Requirements
In cases where your app’s access, collection, use, or sharing of personal and sensitive user data may not be within the reasonable expectation of the user of the product or feature in question, you must meet the prominent disclosure and consent requirements of the User Data policy. If your app integrates third party code (for example, an SDK) that is designed to collect personal and sensitive user data by default, you must, within 2 weeks of receipt of a request from Google Play (or, if Google Play’s request provides for a longer time period, within that time period), provide sufficient evidence demonstrating that your app meets the Prominent Disclosure and Consent requirements of this policy, including with regard to the data access, collection, use, or sharing via the third party code. Remember to ensure your use of third party code (for example, an SDK) does not cause your app to violate the User Data policy. Refer to this Help Center article for more information on the Prominent Disclosure and Consent requirement.
Examples of SDK-caused violations
Additional Requirements for Personal and Sensitive Data Access
The table below describes requirements for specific activities.
Examples of SDK-caused violations
Data safety section
All developers must complete a clear and accurate Data safety section for every app detailing collection, use, and sharing of user data. This includes data collected and handled through any third-party libraries or SDKs used in their apps. The developer is responsible for the accuracy of the label and keeping this information up-to-date. Where relevant, the section must be consistent with the disclosures made in the app’s privacy policy. Please refer to this Help Center article for additional information on completing the Data safety section. See the full User Data policy.
Requests for permission and APIs that access sensitive information should make sense to users. You may only request permissions and APIs that access sensitive information that are necessary to implement current features or services in your app that are promoted in your Google Play listing. You may not use permissions or APIs that access sensitive information that give access to user or device data for undisclosed, unimplemented, or disallowed features or purposes. Personal or sensitive data accessed through permissions or APIs that access sensitive information may never be sold nor shared for a purpose facilitating sale. See the full Permissions and APIs that Access Sensitive Information policy.
Examples of SDK-caused violations
Malware is any code that could put a user, a user's data, or a device at risk. Malware includes, but is not limited to, Potentially Harmful Applications (PHAs), binaries, or framework modifications, consisting of categories such as trojans, phishing, and spyware apps, and we are continuously updating and adding new categories.
See the full Malware policy.
Examples of SDK-caused violations
- An app that includes SDK libraries from providers that distribute malicious software.
- An app that violates the Android permissions model, or steals credentials (such as OAuth tokens) from other apps.
- Apps that abuse features to prevent them from being uninstalled or stopped.
- An app that disables SELinux.
- An app that includes an SDK that violates the Android permissions model by gaining elevated privileges through the access of device data for an undisclosed purpose.
- An app that includes an SDK with code that tricks users into subscribing to or purchasing content via their mobile phone bill.
Privilege escalation apps that root devices without user permission are classified as rooting apps.
Spyware
Spyware is a malicious application, code, or behavior that collects, exfiltrates, or shares user or device data that is not related to policy compliant functionality.
Malicious code or behavior that can be considered as spying on the user or exfiltrates data without adequate notice or consent is also regarded as spyware.
See the full Spyware policy.
For example, SDK-caused spyware violations include, but are not limited to:
- An app that uses an SDK which transmits data from audio or call recordings when it is not related to policy compliant app functionality.
- An app with malicious third party code (for example, an SDK) that transmits data off device in a manner that is unexpected to the user and/or without adequate user notice or consent.
Transparent behavior and clear disclosures
All code should deliver on promises made to the user. Apps should provide all communicated functionality. Apps should not confuse users. Example violations:
Protect user data
Be clear and transparent about the access, use, collection, and sharing of personal and sensitive user data. Uses of user data must adhere to all relevant User Data Policies, where applicable, and take all precautions to protect the data. Example violations:
See the full Mobile Unwanted Software policy.
We don’t allow apps that interfere with, disrupt, damage, or access in an unauthorized manner the user’s device, other devices or computers, servers, networks, application programming interfaces (APIs), or services, including but not limited to other apps on the device, any Google service, or an authorized carrier’s network. Apps or third-party code (for example, SDKs) with interpreted languages (JavaScript, Python, Lua, etc.) loaded at run time (for example, not packaged with the app) must not allow potential violations of Google Play policies. We don’t allow code that introduces or exploits security vulnerabilities. Check out the App Security Improvement Program to find out about the most recent security issues flagged to developers. See the full Device and Network Abuse policy.
Examples of SDK-caused violations
We don't allow apps that attempt to deceive users or enable dishonest behavior including but not limited to apps which are determined to be functionally impossible. Apps must provide an accurate disclosure, description and images/video of their functionality in all parts of the metadata. Apps must not attempt to mimic functionality or warnings from the operating system or other apps. Any changes to device settings must be made with the user's knowledge and consent and be reversible by the user. See the full Deceptive Behavior policy.
Behavior Transparency
Your app’s functionality should be reasonably clear to users; don’t include any hidden, dormant, or undocumented features within your app. Techniques to evade app reviews are not allowed. Apps may be required to provide additional details to ensure user safety, system integrity, and policy compliance.
Example of an SDK-caused violation
What Google Play Developer Policies are commonly associated with SDK-caused violations?
To help you ensure that any third-party code your app is using complies with Google Play Developer Program Policies, please refer to the following policies in their entirety:
- User Data policy
- Permissions and APIs that Access Sensitive Information
- Device & Network Abuse policy
- Malware
- Mobile Unwanted Software
- Families Self-Certified Ads SDK Program
- Ads policy
- Deceptive Behavior
- Google Play Developer Program Policies
While these policies are the ones most commonly at issue, it is important to remember that bad SDK code could cause your app to violate a different policy not referenced above. Remember to review and stay up to date with all policies in their entirety, as it is your responsibility as an app developer to ensure that your SDKs handle your app's data in a policy-compliant manner.
To learn more, please visit our Help Center.