
Stripe-Android SDK doesn’t comply with the User Data and Mobile Unwanted Software policies of Google Play Store

Open itboy87 opened this issue 2 years ago • 19 comments

Google Play removed my app, saying this: "We’ve identified that your app is using Stripe SDK or library, which facilitates the transmission and collection of Phone Number and Installed Application information without meeting the prominent disclosure guidelines. Make sure to also post a privacy policy in both the designated field in the Play Developer Console and from within the Play distributed app itself. If necessary, you can consult your SDK provider(s) for further information."

Installation method

Gradle dependency: implementation 'com.stripe:stripe-android:20.2.2'

Dependency Versions

  • kotlin: 1.6.21
  • stripe-android: 20.2.2
  • Android Gradle Plugin: 7.1.3
  • Gradle: 7.4.2

itboy87 avatar May 14 '22 06:05 itboy87

I'm experiencing the same issue. My previous release was referencing com.stripe:stripe-android: 19.2.+ version. After upgrading to com.stripe:stripe-android: 20.1.+ my release has been rejected with the following message:

[Screenshot: CleanShot 2022-05-16 at 13 21 22]

korzonkiee avatar May 16 '22 10:05 korzonkiee

Hi @itboy87, @korzonkiee, thank you for reporting this issue. Can you please make sure you have checked the following?

  • If you're using tipsi-stripe, you must upgrade to v9.1.0+
  • You don't have older versions of your app bundled in your active release (to support older Android versions, for example)
    • Some users reported that even inactive channels are taken into account and old builds with impacted APKs need to be removed from those channels as well.
  • You don't have older versions of your app available in testing tracks on Google Play Console.
  • Check out this Stack Overflow answer

jameswoo-stripe avatar May 16 '22 17:05 jameswoo-stripe

If you're using tipsi-stripe, you must upgrade to v9.1.0+

I'm not using tipsi-stripe. I'm using flutter_stripe package.

I was able to successfully release an Android app to Google Play Console using flutter_stripe:2.4.0 which was referencing com.stripe:stripe-android:19.2.+.

Then, I upgraded to flutter_stripe:2.5.0 which was referencing com.stripe:stripe-android:20.1.+ and we received the aforementioned email from Google Play Console about rejected release.

Then, I downgraded back to flutter_stripe: 2.4.0, but it didn't help - Google Play Console still rejects our release.

korzonkiee avatar May 17 '22 09:05 korzonkiee

@jameswoo-stripe I'm not using tipsi-stripe. I have only added implementation 'com.stripe:stripe-android:20.2.2' dependency. It was working fine with 19.+ version.

itboy87 avatar May 18 '22 09:05 itboy87

We are looking into any possible issues with version 20.0.0 of the SDK, but can confirm that 19.3.1 is approved by Google Play Policies. If possible please revert back to that version and remove all bundles in violation of the policy from all tracks in the console @itboy87

After a rejection from Google Play, you must remove all bundles that are in violation of the policy from all tracks in the console. @korzonkiee

michelleb-stripe avatar May 18 '22 18:05 michelleb-stripe

I had the exact same issue. I've tried all the 20+ releases (every time updating all bundles in all tracks), but I finally got accepted only after restoring 19.3.1.

eriksquare avatar May 19 '22 08:05 eriksquare

@michelleb-stripe thanks for quickly acting upon this issue. We got quite some people having the same issue in our Flutter Stripe library. What is weird though is that the rejection seems completely random (I was able to upload an app with 20+ without issues). Let me know if I can help pinpoint the issue.

remonh87 avatar May 21 '22 15:05 remonh87

@remonh87 Thanks for letting us know about your success with a 20+ version of the SDK. We have not found any cases of our SDK that would cause the Google Play policy violations and are communicating with the Google teams to resolve the issue.

  1. I am curious if you could report exactly which version of the Stripe SDK you are using?
  2. Can you also share if your application is already in need of collecting phone number and package names? Also is your app requesting permission to QUERY_ALL_PACKAGES and/or permissions related to phone numbers?
  3. Finally did you fill out the data safety section in Google Play for your application?

michelleb-stripe avatar May 21 '22 18:05 michelleb-stripe

@korzonkiee If you are still seeing rejections with 19.3.1 go back into all tracks and make sure any bundle with the 20.0.0+ Stripe SDK is removed.

michelleb-stripe avatar May 21 '22 18:05 michelleb-stripe

@michelleb-stripe here are my answers:

  1. We are using Stripe 20.1+ in the version that I was using. We follow the react-native library when setting the Android SDK. The latest version 3.0 has the same SDK constraints.

  2. Yes, we use Firebase Auth with phone verification enabled. I did check the merged_manifest and no QUERY_ALL_PACKAGES permission is requested.

  3. Yes, we explicitly mention we collect the phone number in the personal info. In our app's case this is also true because we use it for verification. I also guess that this needs to be checked explicitly after Stripe's latest update?

remonh87 avatar May 22 '22 14:05 remonh87
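The merged-manifest check discussed in the exchange above, as an added example that is not part of the original thread or of the Stripe SDK: a Python audit that flags the permissions behind the two data types in Google's notice and lists any `<queries>` package-visibility declarations. The manifest text and the `com.example.*` names are constructed sample input, and the watched-permission list is an assumption about what is worth reviewing.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Assumption: permissions worth reviewing for the two data types in the notice.
WATCHED = {
    "android.permission.QUERY_ALL_PACKAGES": "installed applications",
    "android.permission.READ_PHONE_NUMBERS": "phone number",
    "android.permission.READ_PHONE_STATE": "phone number",
    "android.permission.READ_SMS": "phone number",
}

# Constructed sample standing in for a merged AndroidManifest.xml.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.shop">
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.READ_PHONE_STATE"
      android:maxSdkVersion="29" />
  <queries>
    <package android:name="com.example.wallet" />
    <intent>
      <action android:name="android.intent.action.VIEW" />
    </intent>
  </queries>
  <application android:label="Shop" />
</manifest>"""


def audit_manifest(xml_text):
    """Return (flagged permissions, package-visibility queries)."""
    root = ET.fromstring(xml_text)
    flagged = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID + "name")
            if name in WATCHED:
                # maxSdkVersion limits the grant to older Android releases.
                flagged.append((name, WATCHED[name], el.get(ANDROID + "maxSdkVersion")))
    queries = []
    for child in root.iterfind("queries/*"):
        # <intent> carries its target in a nested <action>; others in attributes.
        node = child.find("action") if child.tag == "intent" else child
        target = None if node is None else (
            node.get(ANDROID + "name") or node.get(ANDROID + "authorities"))
        queries.append((child.tag, target))
    return flagged, queries


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

Both lists are returned because `<queries>` entries grant visibility into specific other apps even when `QUERY_ALL_PACKAGES` is absent.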

Hi @michelleb-stripe & @remonh87, just some feedback from us: in our app we were using flutter_stripe version ^2.5.0 (which is dependent on Stripe 20.1+) and we got rejected 3 times. Then we downgraded to 2.4.0 (dependent on 19.2.+) and we got the app approved immediately. We did update all the tracks with the latest build.

albertolina avatar May 23 '22 10:05 albertolina

Confirmed also the same issue. We were able to release the app multiple times with no issue until recently. My guess is this has something to do with Google's recent policy change.

From google appeals/support:

"We have performed another review on your app and are able to verify that your app is uploading users' Installed Application and Phone Number information to Stripe SDK.

Kindly check your App Bundle Version: 50 and 51 in the below class:

com/stripe/android/stripe3ds2/init"

Correct me if I'm wrong, but the only way to get a list of installed apps is via the following APIs:

https://developer.android.com/reference/android/content/pm/PackageManager.html#getInstalledApplications(int)
https://developer.android.com/reference/android/content/pm/PackageManager#getInstalledApplications(android.content.pm.PackageManager.ApplicationInfoFlags)

I've searched the entire APK and saw no calls to these functions.

isegal avatar May 24 '22 00:05 isegal

We're working with Google to investigate this issue, and they've temporarily paused notifications for the impacted versions of the Stripe SDK. Let us know if you're still seeing this message on app submission, and feel free to submit an appeal with a link to this thread.

davidme-stripe avatar May 25 '22 02:05 davidme-stripe

We have been going through appeals and ended up at a dead end. Here is the last correspondence from Google:

Thanks for your patience.
As much as I'd like to help, I’m not able to provide any more details or a better answer to your question.

As mentioned previously, your app (App Bundle Version: 51, Track: Closed Testing) is uploading users' Installed Application and Phone Number information to Stripe SDK with inadequate prominent disclosure. Kindly also ensure to post a valid privacy policy in both the designated field in the Play Console and from within the Play distributed app itself.

(Google Ticket #8-6995000032714 in case this is helpful)

In the meantime I have re-submitted another build with an earlier version of the library.

Happy to hear that there is progress with Google from your side.

isegal avatar May 25 '22 04:05 isegal

@davidme-stripe do you have any updates? We've reverted Stripe to com.stripe:stripe-android:19.2.+, but Google Play keeps rejecting our builds.

korzonkiee avatar May 31 '22 13:05 korzonkiee

Sorry to bug you, but we have been unable to launch the app for 3 weeks now. We rolled back to flutter_stripe: 2.4.0 (Android Stripe SDK 19.3.1), but the builds are still being rejected with the same message. It seems that the only way to overcome this is to implement a "prominent disclosure" about the data that is being collected (installed applications & phone numbers) as required by Google Play, although the Stripe SDK doesn't seem to collect this data (see https://github.com/stripe/stripe-android/issues/5013#issuecomment-1135270070).

korzonkiee avatar Jun 08 '22 07:06 korzonkiee

@isegal and @korzonkiee If you could do a few things:

  1. Make sure that tracks (closed testing, internal testing, etc) do not contain a version of the SDK that has been rejected. Any old version will need to be removed.
  2. Double check that the app bundle version listed in the notification is deleted (even if it contains a version of the SDK you think is good).
  3. Update the version number of your app
  4. Resubmit the application.

michelleb-stripe avatar Jun 08 '22 19:06 michelleb-stripe

Hey @michelleb-stripe.

I can confirm that once I uploaded the bundle with the older version of Stripe to each track then it finally passed the review process. I missed one of the tracks before because I thought paused tracks were not taken into consideration during the review process.

Thanks for the help!


Do you have any clue why the newer version of the Stripe SDK causes those issues?

korzonkiee avatar Jun 13 '22 09:06 korzonkiee

@korzonkiee Glad to hear that it worked out.

Google has indicated to us that Google has paused any notifications. If you update the Stripe SDK and your version number and re-submit, there should be no issue.

michelleb-stripe avatar Jun 13 '22 11:06 michelleb-stripe

It looks like Google has fixed this; we haven't seen any new users have this problem. Please open a new issue if you face this problem.

brnunes-stripe avatar Aug 24 '22 19:08 brnunes-stripe