braintree_android
com.paypal.android.sdk:data-collector not compliant with Play store policy due to device location collection
Braintree SDK Version
3.21.1
Environment
Production
Android Version & Device
No response
Braintree dependencies
com.braintreepayments.api:braintree:3.21.1
Describe the bug
We recently updated from 3.14.0 to 3.21.1. This might look similar to others, but the messaging is different from Google, I guess due to having used 3.14.0 for so long.
Violation User Data policy: Violation of User Data, Permissions and APIs that Access Sensitive Information Policies Details We have observed that your app is using an SDK that is designed to collect device location by default. This SDK can result in your app violating the prominent disclosure and consent and/or approved purpose requirements of Google Play’s User Data and Permissions and APIs that Access Sensitive Information policies. You are hereby requested to provide evidence of your compliance with the Prominent Disclosure and Consent requirements. Your app submissions will be rejected pending your action.
How to fix
Paypal Data Collector com.paypal.android.sdk:data-collector: Consider upgrading to version com.braintreepayments.api:data-collector:3.21.0 of the SDK.
The messaging in https://github.com/braintree/braintree_android/issues/783 is about persistent device identifiers, which is not the case here.
We previously dismissed this issue, after reading up on similar issues here, by upgrading from 3.14.0 to 3.21.1.
We also updated all unused tracks, apks by uploading new builds that only include com.braintreepayments.api:braintree:3.21.1.
The warning from Google is still there, referencing old builds that have been replaced in all tracks, and the deadline is moving closer. When we appealed, we were told the latest release, that definitely includes 3.21.1, is not compliant, which does not make sense.
Maybe Google is at fault here for not removing the warning yet? Looking at the diff here, the location lookup is removed between 3.14.0 and 3.21.1 - https://github.com/braintree/braintree_android/compare/3.14.0...3.21.1.
Can you confirm that 3.21.1 does not collect anything related to location?
Upgrading to v4+ is a major piece of work that is not feasible in a few days.
To reproduce
Release an app to the Play store using com.braintreepayments.api:braintree:3.21.1
Expected behavior
The app is not flagged by Google.
Screenshots
Hi @costafotjet thanks for using the Braintree SDK. We've gotten assurance from Google that version 3.21.1 resolves the issue in the past.
Also Google mentioned:
Please ask your merchants who believe they are only using newer/compliant versions to double-check all tracks (even private and unpublished tracks) and then to submit an appeal to Play directly.
Hopefully the above will help?
@costafotjet as an aside, would you be willing to share some of your experience upgrading to v4 of the SDK? We've received some feedback in the past about some of the migration being unclear, and we want to update our documentation to clear up any ambiguities. Any and all feedback (positive or negative) would be helpful 🙏.
Hello :)
I thought that was the problem at first. We have replaced all old builds, in every track (private, beta, alpha, you name it).
I can understand old builds with 3.14.0 being flagged by Google, as it is using some Kount methods that are querying location in some way? At least, that's what I got out of a look into the source code for 3.14.0.
But for 3.21.1 it all looks normal in my eyes and should be compliant.
When we sent an appeal, the latest release that includes 3.21.1 only, got mentioned in the email, which added even more confusion.
I have checked the build scan and the build itself is strictly using 3.21.1. My only option is to remove the SDK and try again, but that is not what we would like to do by any means.
We would love to do the migration. However, it is a complete rewrite and not something we could do safely in 3 days, hence why I am trying to find a temporary solution while the migration to v4 happens on a normal sprint that goes through testing etc.
@costafotjet got it yeah that's understood. It may be a Google issue; we've seen a few inbounds related to this recently and even double checked with Google recently this month. They actually helped us modify 3.21.1 to reach compliance and it has been approved for other merchants in the past.
They basically told us "as long as the artifact hasn't changed, the SDK should be compliant." And we haven't made changes to the 3.21.1 artifact so theoretically it should be compliant. They are extremely vague on their process of scanning apps for compliance.
Our best option may be to file an appeal here. If there's anything specific to your app's submission they should be able to pinpoint the root cause.
I will include this issue and responses alongside other evidence that we are compliant.
Have a feeling the review/warning is stale, and now we are running around in circles trying to fix something that will probably go away on its own on deadline day.
Thanks for the prompt responses @sshropshire
@costafotjet I received an email from Google after using "com.braintreepayments.api:data-collector:3.21.0". Have you got any solution? Because today is deadline day. @sshropshire Please update here.
Hi all - we reached out to Google recently to confirm that these versions of the SDK are still compliant see comment here.
Yes please update to 3.21.1 for v3 and 4.41.0 for v4 on all tracks (public and private) in the Google Play Console.
I'm just chiming in to echo everything @costafotjet has mentioned, our experience has been the same throughout.
Perhaps a minor difference in our experience was that when I initially made the update to our app to move to 3.21.1 I only submitted that change to closed beta and then production tracks (also we were upgrading from 3.17.2 as the non-compliant version).
I then received the rejection and only then moved to update the inactive tracks containing out of compliance builds, at which point I appealed and received the same messaging that my latest builds were still out of compliance.
We're currently past our deadline and waiting to hear back from support but I don't know what else to do besides trying to start the work involved in upgrading to v4.
Has anyone had success in resolving this issue by migrating to v4?
Additionally, do you have any insight @sarahkoop on what Google's system is looking for when marking an app as out of compliance? I only ask because I know that the change that resolved compliance issues was the removal of Kount in #742 but when I decompile my app using version 3.21.1 I can still see one string reference to kountMerchantId. I would hope that Google's system would not be looking at that instance to trigger a false positive but perhaps something similar to that is going on.
Here are some attached screenshots of the decompiled code and the single reference to it.
This also makes me wonder if this could be an issue for some of us due to some incorrectly set proguard settings....
Ah, I see, that decompiled code refers to KountConfiguration.java in the 3.x branch. I see that is still referenced in the Configuration class but is always set as null.
I don't know if that could be impacting Google's analysis but that is the only reference to Kount I can find in the build that Google is claiming is non-compliant.
Also, this rules out any proguard type issue since that class can't be removed due to still being referenced by Configuration.
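The check described above (decompiling the flagged build and searching for leftover package references) can be automated. The script below is an added example written for this page; it is not Braintree's code and it is not a reproduction of Google Play's scanner. It opens an APK or AAB as a zip, reads every classes*.dex, and does a raw byte search for DEX type descriptors under chosen package prefixes. The watched prefixes (the PayPal data-collector package Google names, a Kount package, and Braintree's own) are assumptions for illustration, and the archive it scans is a constructed stand-in built in memory rather than a real build. One caveat from the thread applies: if R8/ProGuard renamed third-party packages, the descriptors will not carry the original names and the scan will under-report.

```python
"""Scan an APK/AAB for DEX type descriptors under given package prefixes.

Added example for this thread (not Braintree's code, not Google's scanner).
It answers one narrow question: which of the watched packages are physically
present in the shipped classes*.dex files of a given artifact.
"""
import io
import re
import zipfile

# Assumed package prefixes to look for, in DEX descriptor form without the
# leading 'L' and trailing ';'. These are illustrative choices for this page.
WATCHED_PACKAGES = (
    "com/paypal/android/sdk",      # artifact Google's policy email names
    "com/kount",                   # Kount classes removed from Braintree 3.x
    "com/braintreepayments/api",   # Braintree's own classes
)

# APK keeps dex files at the root; an AAB keeps them under base/dex/.
_DEX_NAME = re.compile(r"^(?:base/dex/)?classes\d*\.dex$")


def dex_members(archive_bytes):
    """Yield (member name, raw bytes) for every classes*.dex in the archive."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if _DEX_NAME.match(info.filename):
                yield info.filename, zf.read(info.filename)


def scan_descriptors(archive_bytes, packages=WATCHED_PACKAGES):
    """Return {package prefix: sorted list of class descriptors found}.

    DEX stores type descriptors as MUTF-8 strings in its string_data section,
    so a byte search for 'L<package>/...;' finds class names without parsing
    the dex header. Assumption: package names were not renamed by R8/ProGuard;
    an obfuscated build will show fewer (possibly zero) hits.
    """
    found = {pkg: set() for pkg in packages}
    patterns = {
        pkg: re.compile(rb"L" + re.escape(pkg.encode()) + rb"/[A-Za-z0-9_/$]+;")
        for pkg in packages
    }
    for _name, data in dex_members(archive_bytes):
        for pkg, pattern in patterns.items():
            for match in pattern.finditer(data):
                found[pkg].add(match.group(0).decode("ascii"))
    return {pkg: sorted(classes) for pkg, classes in found.items()}


def build_sample_archive(descriptors, member="classes.dex"):
    """Constructed stand-in for a real APK/AAB: a zip holding one fake dex blob.

    A real dex file has a header and index tables; for the byte search only
    the descriptor strings matter, so the blob is just NUL-separated strings.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        blob = b"dex\n035\0" + b"\0".join(d.encode() for d in descriptors) + b"\0"
        zf.writestr(member, blob)
        zf.writestr("AndroidManifest.xml", b"<manifest/>")  # ignored by the scan
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a build that still bundles the PayPal collector and
    # Braintree's own KountConfiguration data class (which lives under
    # com/braintreepayments/api, not under com/kount).
    sample = build_sample_archive([
        "Lcom/braintreepayments/api/BraintreeFragment;",
        "Lcom/braintreepayments/api/models/KountConfiguration;",
        "Lcom/paypal/android/sdk/data/collector/PayPalDataCollector;",
    ])
    for pkg, classes in scan_descriptors(sample).items():
        print(f"{pkg}: {len(classes)} class(es)")
        for cls in classes:
            print("  ", cls)
```

On a real artifact, replace the constructed sample with `open("app-release.aab", "rb").read()`; the `base/dex/` prefix in `_DEX_NAME` is what makes the same function work on an AAB as well as an APK. A hit under `com/braintreepayments/api` for `KountConfiguration` alone says nothing about Kount being bundled, which is the distinction drawn in the comment above.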
Hi guys, we are having the same problem with our app, did anyone manage to solve it?
Hi everyone, we are facing the same policy violation problem with our React Native app. We used these SDKs for Braintree:
- com.braintreepayments.api:drop-in:5.4.0
- com.braintreepayments.api:google-payment:3.3.1
- com.braintreepayments.api:braintree:3.21.0
Please help me fix this issue.
We managed to fix the issue by migrating to v4 - com.braintreepayments.api:paypal:4.41.1.
The warning did not go away until:
- All test tracks + production were replaced and pushed to 100% 1 day before the deadline.
- Warning was still there after the deadline. So we uploaded another build to a test track and sent it for review.
- Then the warning got removed.
For anyone trying com.braintreepayments.api:braintree:3.21.1:
- This is supposed to be a compliant version.
- Google will not remove the warning before the deadline if you use this on everything besides production. Emails/appeals sent before to check if they would accept this version on production did not get anywhere constructive.
- We never risked finding out on deadline day if v3.21.1 on all tracks + prod would have worked. Your mileage may vary.
@costafotjet Thanks for your reply.
So upgrading to com.braintreepayments.api:braintree:3.21.1 will fix this issue?
Hi @costafotjet We are having the same issue. Could you confirm that upgrading to com.braintreepayments.api:braintree:3.21.1 is enough to fix this issue? Thank you very much for your advice. Regards,
@Kowshika-aspire try updating to version 5.4.2 of DropIn.
@vuphamdirox updating to version 3.21.1 should be enough.
Also in Google Play, please make sure all tracks (production and test) are referencing the new build. This is the only explicit advice we've received from Google. It will not work unless all tracks reference your latest build with the up to date Braintree versions.
Also @kmayoral KountConfiguration.java is a data class maintained by Braintree. It's only used for JSON parsing, so it should be fine.
I am pretty sure all tracks were updated; even unpacking the APK file flagged by Google shows it's using the proper versions:
Packaged versions
We tried sending an appeal for this exact build yesterday - no luck, the appeal got rejected with exactly the same reason. @costafotjet mentioned they got exactly the same unproductive outcome from appealing:
Emails/appeals sent before to check if they would accept this version on production did not get anywhere constructive.
@sshropshire what would be your advice on appealing this? There is clearly something wrong with the SDK or with Google. Maybe you can provide the "confirmation message" that @sarahkoop mentioned before, to send them as an argument?
@costafotjet's comment seems to confirm (thank you by the way!) that the warning did not get resolved by updating to 3.21.1 and instead was only resolved after updating to the 4.x branch.
I'm several days past our deadline with multiple email threads with Google support underway while they investigate on their side but so far I can confirm that having all tracks set to a build that includes the 3.21.1 release is not resolving the issue even though Google has told me it should. That is why I went digging to find any unrelated references to Kount since my concern was they were just searching for that string within the build to raise a false positive for compliance flags.
I'll report back if I make any progress with Google on the 3.21.1 build but it sounds like I might need to do an emergency upgrade to 4.x based on @costafotjet's latest comment. Thanks all for the help!!
I'm facing the same issue, we are using com.braintreepayments.api:braintree:3.21.1 and Google is complaining about the com.paypal.android.sdk:data-collector lib, they are asking me to update to com.braintreepayments.api:data-collector, is there a way to enforce com.braintreepayments.api:braintree to use com.braintreepayments.api:data-collector instead of com.paypal.android.sdk:data-collector?
@sshropshire Updated drop-in to 5.4.2, but still got the policy violation issue.
This is our build.gradle file. Any suggestions, please?
@kmayoral https://github.com/braintree/braintree_android/issues/914#issuecomment-1934834555
From my understanding:
I think we have to follow the steps here to upload the build upgraded to version 3.21.1 to all tracks (internal/alpha/beta testing and production) because Google Play scans all tracks:
The email suggests that potentially not all apps and tracks have been updated. Can you please try the following and confirm if the issue still exists:
Note: If you are seeing Google Play Store flag your APK after updating to the latest version of our SDK, please try following these steps:
1. Go to your Play Console.
2. Select the app.
3. Go to App bundle explorer.
4. Select the violating APK/app bundle's App version at the top right dropdown menu, and make a note of which releases they are under.
5. Go to the track with the violation. It will be one of these 4 pages: Internal / Closed / Open testing or Production.
6. Near the top right of the page, click Create new release. (You may need to click Manage track first.)
7. If the release with the violating APK is in a draft state, discard the release.
8. Add the new version of app bundles or APKs.
9. Make sure the non-compliant version of app bundles or APKs is under the Not included section of this release.
10. To save any changes you make to your release, select Save.
11. When you've finished preparing your release, select Review release, and then proceed to roll out the release to 100%.
12. If the violating APK is released to multiple tracks, repeat steps 5-9 in each track.
@vuphamdirox Thanks for your reply.
We still got this issue for latest bundle with drop-in 5.4.2.
Any suggestions ?
@vuphamdirox , thanks for your reply. Just as several others and myself have mentioned though, all tracks have been updated and we keep getting notified by Google that the version code bundle containing the 3.21.1 fix is still non-compliant.
So far there's no solution to this issue? Are we supposed to sit back and relax while our apps are being rejected?
It seems that the only verified solution by @costafotjet was to update to the 4.x version of this repo. I can confirm that my bundles which contain the 3.21.1 release have been blocked and marked as non-compliant by Google (the package version code called out by google matches my 3.21.1 enabled release) so I'll be starting work on upgrading to 4.x tomorrow.
@BunnyBuddy @kmayoral we have reached out to Google as well and we're waiting to hear back. We were told this issue (due to a 3rd party dependency that we've since removed) was resolved. As soon as we receive more information we will report back here.
In the meantime, I would file an appeal in the Google Play console so that we can get more eyes on the issue.
Thank you @sshropshire! I've also filed several appeals and have been waiting for a response from a "specialist" support team on the Google side for five days now. They originally quoted a 24-48 hour turnaround on this investigation so I hope this means they're looking into something.
In the meantime, depending on internal decisions today, I will work on either upgrading to v4 or removing this library entirely to see if I can unblock our release process.
I'll update this thread if I hear anything more on the Google side, thank you!
Hey @kmayoral this may be a shot in the dark, but on your branch that references Braintree Android 3.x can you try adding this line to your build.gradle file and posting the build to Google Play?
implementation 'org.jfrog.cardinalcommerce.gradle:cardinalmobilesdk:2.2.7-5'
The 3.x version of the SDK is officially no longer supported, however I'm looking at the dependencies linked by the latest 3.x version, and I'm hoping the above line may elevate the Gradle dependency to a more compliant version if included.