Google Play's spyware policy is designed to safeguard user privacy and protect devices from malicious applications, code and behaviours. By ensuring that our ecosystem is free from spyware and other types of malware, Google aims to create a safe and trusted ecosystem that users can rely on.
Overview
The Spyware policy requires that apps abide by the following:
- Policy-compliant functionality: Apps must limit the access, collection, use and sharing of personal and sensitive user data acquired through the app to app and service functionality reasonably expected by the user. Remember, an SDK's collection and handling of user data must align with your app's policy-compliant use of said data.
- Protecting user privacy: Apps and embedded SDKs must comply with the user data policy.
- Preventing all forms of spyware: Any behaviours that can be considered as spying on the user can also be flagged as spyware. You can see a non-exhaustive list of spyware examples below.
- Compliance with other Google Play policies: In addition to the spyware policy, all apps must also comply with all other Google Play Developer Programme policies, including user and device data policies, such as Mobile unwanted software, User data, Permissions and APIs that access sensitive information and SDK requirements. Ensure that any third-party code (for example, SDKs) and practices in your app do not cause your app to violate policies.
Examples of spyware policy violations
The Spyware policy provides a non-exhaustive list of practices that are considered spyware violations. Further examples of behaviours that can be considered spyware violations are provided below:
- An app that uses an SDK which transmits data from audio or call recordings when it is not related to policy-compliant app functionality.
- An application that steals information from other apps' notifications.
- Transmitting any of the following non-exhaustive list of information without policy-compliant functionality or in a manner that is unexpected to the user (for example, if data collection occurs in the background when the user is not engaging with your app):
  - Contact list
  - Photos or other files from the SD card, or that aren’t owned by the app
  - Content from user email
  - Call log
  - SMS log
  - Information from the /data/ directories of other apps
Other resources
To ensure compliance with the Spyware policy and other Google Developer Programme Policies regarding device and user data, please refer to the following resources:
- Best practices for prominent disclosure and consent
- Understand app privacy and security practices with Google Play's Data safety section
- Using SDKs safely and securely
- Google Play Protect – potentially harmful applications (spyware)
- Google Play Academy’s training on Malware Play policy and Mobile unwanted software (MUwS) Play policy