• General Chat

  • Google Play Dev account almost suspended due permissions requested that shouldn't have been.

Right. Not trying to point fingers here, trust me, if anything this is my own fault for not having checked every line of source code prior to compilation, and Google isn't the most friendliest of folks to work with either. I'm just trying to figure out what went wrong.

So, i've created my first Android game, uploaded it to Google Play as an internal test & alpha release only for app testing and testing possible implementations of IAP, which was later scrapped since Google now requires you to publish the address of your sanctuary ( a.k.a. home address if you're an indie developer like me ) for every Rick, Nick and D-head to see at the store due to EU's consumer protection laws, and so, i decided my app would be solely ad-supported.

So, when i thought the app was finally ready, i created a brand new App, renaming the previous one '<app name> Internal testing only' since it was now tagged as an IAP-enabled app due to the internal testing i did, and released the new clean one as a production release.

A week later i get two dreadful e-mails from Google stating both my apps were rejected off the store due to my apps requesting sensitive permissions such as accessing contacts and camera & for me not having uploaded a Privacy Policy file. I was totally confused, i couldn't figure out exactly could've be up with my app to trigger such things. So i've emailed the Google support team about the issue, and i was told, 4 days later, today, that my app requested the following permissions:

android.permission.READ_PHONE_STATE android.permission.RECORD_AUDIO android.permission.GET_ACCOUNTS android.permission.READ_CONTACTS android.permission.CAMERA

Even more confused i was now, since i had never set Godot's export permissions to request most, if not all, of those things, if anything, the android.permission.READ_PHONE_STATE would be acceptable for the access network state permission.

Further notes:

-> app only had the Internet and Access Network state permissions enabled; -> export templates were compiled with kloder-games's admob plugin.

I do sincerely apologise if i'm getting my assumptions totally wrong here, i'm no expert in neither java nor gradle.

Looking at kloder-game's files, found here, i've noticed that atleast for iOS, the plugin requests, most oddly notably:

'-framework','CoreTelephony' '-framework','MessageUI' '-framework','CoreBluetooth' '-framework','CoreText' '-framework','ImageIO' '-framework','CoreVideo'

Which i assume are similar for Android. I'm not sure how an ad plugin even as the need to import such frameworks.

And with this alone, i already have two strikes on my account, the third will be a life suspension.

Just a word of advice for other indie developers, you shouldn't continue using Google's draconian app store if you already have two strikes, i will probably use other app stores, and always check every non-official line of code you incorporate into your applications.

In all honesty, i'm having a feeling it might have been Godot mis-configuring the export template.

Google in general has been starting to really crack down on games that do things like excessive permissions (considering the thousands of poorly put-together throwaway games that hit Google Play every month). Game developers are also required to stop using old versions of certain API's as they try to move more Android users to newer versions of the OS).

It's not like Apple has lax policies with their App. Store either (right now, your game is required to meet Apple's standard in quality and intuitive design, must support the iPhone X's notch, can't use certain API's, must not mention Google Play in marketing, must respect certain built-in iOS features, can't have guns in the icon, ect...).

At least with Android though you can access multiple storefronts (though most people just use the built in Google Play due to its visibility).

People have recently pointed out the Godot permissions thing on Github.

I fail to understand how this counts as 'two strikes' against you, though...?

Because they were two apps that were removed, the internal testing, and the new app i created that wasn't already flagged IAp-enabled.

Yesterday i did open my apk on android studio, headed to manifest.xml and there was very much a full list of all possible permissions, almost all were invalid placeholders that Android ignores.

Furthermore....

I did notice that the person that replied to me typed into the e-mail 'android.permission. CAMERA' , with a space, instead of 'android.permission.CAMERA', which was a text fix edit of mine for this post, meaning the staff was probably copy-pasting, and editing on pasting the placeholders that began with 'godot.' over at the manifest.xml.

Ofc most devs would never include a full list of permission requests for their app, independently of whether they're valid instructions or not.

I've e-mailed google support, i will await a reply on this as i refuse to accept their we-will-find-any-reason-to-ban-your-account policy, and especially when there is no justification as i did not violate any guidelines.

I don't pretend to know what it's like to export to android, as I've never done it. But, isn't there...or shouldn't there be some way to check what kind of permissions you app is asking for, before you deploy? A summary...or something? Or as the developer you just need to know?

Does Godot basically throw the doors wide open by default? I would think that the best way would be by default, apply the minimum, or even no permissions, then the developer would request only the permissions the app really needs.

Again, I'm asking from a true laymans point of view. I'm by no means an expert.

-emo

This is Godot's stock manifest. If you export for android with no permissions enabled that's how the manifest permissions list will resemble, it'll copy every line. If you tick some permissions, it'll then edit the properties of those ticked permissions to valid ones that you requested prior to exporting.

Example:

An unticked ACCESS_CHECKIN_PROPERTIES permission: <uses-permission android:name="godot.ACCESS_CHECKIN_PROPERTIES"/> is invalid, Android ignores.

A ticked ACCESS_CHECKIN_PROPERTIES permission: <uses-permission android:name="android.permission.ACCESS_CHECKIN_PROPERTIES"/> would be a valid instruction.

Ofc Google gets itchy-nosed just for having those things there, even if they're not valid or have any actual impact.

P.S. I will uninstall Chrome if i don't get my account reputation clean again because of this, Google.

I also received the same message for my 3 published apps. The only thing I had to do was check an option in "Store Presence" -> "Pricing & Distribution" -> "Primarily Child-Directed" and republish them.

I am a contributor of the cited Admob module and I can assure you that it does not request any unnecessary permissions, as you can see here.

Looking at kloder-game's files, found here, i've noticed that atleast for iOS, the plugin requests, most oddly notably:

'-framework','CoreTelephony' '-framework','MessageUI' '-framework','CoreBluetooth' '-framework','CoreText' '-framework','ImageIO' '-framework','CoreVideo'

Well, these frameworks are Admob's dependencies for iOS, without them, it won't compile.

and always check every non-official line of code you incorporate into your applications it's one valid option, another one is to write all the code you need by yourself.

Hi Shin, nice meeting you again! ( last time we spoke was on github with me as hasherkeen hehe )

I did check the permissions file for android and did notice it did not request unnecessary permissions i just found the imported dependencies strange.

I believe i've found the culprit, and i think it's the fact that godot's manifest includes every permission, whether it's a placeholder or not, Google really doesn't like it.

Further note, don't republish your apps just yet by just toggling the COPPA setting, in case you haven't yet, i had it set to NO prior to publishing, odds are you will be getting yet another rejection triggered.

I've done an easy fix around the issue for the placeholders atleast, which is wipping them off the template manifest file prior to compilation. Everything, every line, from line 37 to line 202.

Then, opening the exported APK in android studio and heading to manifests>AndroidManifest.xml, those placeholders will no longer appear there. Only the valid ticked permissions.

When toggling the permissions Godot will simply add the correct entries starting with android.permission, in fact, i have no idea why those placeholders are even there for.

Question for those with knowledge in Android: Are XML files the only ones that are used to parse permissions? Is AndroidManifest.xml the only file that holds those permissions?

Hello again hasherkeen. Let's wait then, I've republished my apps some weeks ago.

You was right __Aeon__, I've just received another e-mail from Google saying that my app uses permissions that needs a privacy policy declaration:

Policy issue: Google Play requires developers to provide a valid privacy policy when the app requests or handles sensitive user or device information. Your app requests sensitive permissions (e.g. camera, microphone, accounts, contacts, or phone) or user data, but does not include a valid privacy policy.

And I'm not using any of the mentioned permission.

I think i've found out about what the support guy was talking about. This is for Godot 2.1.5, sources pulled from gtihub.

Debugging the exported APK on android studio and doing a tree search for android.permission, i found within the files:

FingerprintManagerCompat.smali value = "android.permission.USE_FINGERPRINT"

zzaqo.smali const-string v2, "android.permission.ACCESS_COARSE_LOCATION" const-string v2, "android.permission.ACCESS_FINE_LOCATION"

zzaiw.smali const-string v2, "android.permission.RECORD_AUDIO" const-string v2, "android.permission.CAMERA"

zzmw.smali const-string v1, "android.permission.WRITE_EXTERNAL_STORAGE"

WorkSourceUtil.smali const-string v2, "android.permission.UPDATE_DEVICE_STATS"

Hopefully your account is still in good standing, Shin? Were your apps removed or suspended on the second strike?

Any idea why these permissions pop up in an exported app? Are these programamtically generated or something? Because i've opened up godot's source code folder in notepad++ and did a global search for the keyword 'android.permission' and nothing of that pops up anywhere...

Yes, my account still alive and my apps was suspended again :(

Here's my app's full permissions listed on Google Play console:

! android.permission.ACCESS_NETWORK_STATE ! android.permission.INTERNET ! godot.ACCESS_CHECKIN_PROPERTIES ! godot.ACCESS_COARSE_LOCATION ! godot.ACCESS_FINE_LOCATION ! godot.ACCESS_LOCATION_EXTRA_COMMANDS ! godot.ACCESS_MOCK_LOCATION ! godot.ACCESS_SURFACE_FLINGER ! godot.ACCESS_WIFI_STATE ! godot.ACCOUNT_MANAGER ! godot.ADD_VOICEMAIL ! godot.AUTHENTICATE_ACCOUNTS ! godot.BATTERY_STATS ! godot.BIND_ACCESSIBILITY_SERVICE ! godot.BIND_APPWIDGET ! godot.BIND_DEVICE_ADMIN ! godot.BIND_INPUT_METHOD ! godot.BIND_NFC_SERVICE ! godot.BIND_NOTIFICATION_LISTENER_SERVICE ! godot.BIND_PRINT_SERVICE ! godot.BIND_REMOTEVIEWS ! godot.BIND_TEXT_SERVICE ! godot.BIND_VPN_SERVICE ! godot.BIND_WALLPAPER ! godot.BLUETOOTH ! godot.BLUETOOTH_ADMIN ! godot.BLUETOOTH_PRIVILEGED ! godot.BRICK ! godot.BROADCAST_PACKAGE_REMOVED ! godot.BROADCAST_SMS ! godot.BROADCAST_STICKY ! godot.BROADCAST_WAP_PUSH ! godot.CALL_PHONE ! godot.CALL_PRIVILEGED ! godot.CAMERA ! godot.CAPTURE_AUDIO_OUTPUT ! godot.CAPTURE_SECURE_VIDEO_OUTPUT ! godot.CAPTURE_VIDEO_OUTPUT ! godot.CHANGE_COMPONENT_ENABLED_STATE ! godot.CHANGE_CONFIGURATION ! godot.CHANGE_NETWORK_STATE ! godot.CHANGE_WIFI_MULTICAST_STATE ! godot.CHANGE_WIFI_STATE ! godot.CLEAR_APP_CACHE ! godot.CLEAR_APP_USER_DATA ! godot.CONTROL_LOCATION_UPDATES ! godot.custom.0 ! godot.custom.1 ! godot.custom.10 ! godot.custom.11 ! godot.custom.12 ! godot.custom.13 ! godot.custom.14 ! godot.custom.15 ! godot.custom.16 ! godot.custom.17 ! godot.custom.18 ! godot.custom.19 ! godot.custom.2 ! godot.custom.3 ! godot.custom.4 ! godot.custom.5 ! godot.custom.6 ! godot.custom.7 ! godot.custom.8 ! godot.custom.9 ! godot.DELETE_CACHE_FILES ! godot.DELETE_PACKAGES ! godot.DEVICE_POWER ! godot.DIAGNOSTIC ! godot.DISABLE_KEYGUARD ! godot.DUMP ! godot.EXPAND_STATUS_BAR ! godot.FACTORY_TEST ! godot.FLASHLIGHT ! godot.FORCE_BACK ! godot.GET_ACCOUNTS ! godot.GET_PACKAGE_SIZE ! godot.GET_TASKS ! godot.GET_TOP_ACTIVITY_INFO ! godot.GLOBAL_SEARCH ! godot.HARDWARE_TEST ! godot.INJECT_EVENTS ! godot.INSTALL_LOCATION_PROVIDER ! godot.INSTALL_PACKAGES ! godot.INSTALL_SHORTCUT ! godot.INTERNAL_SYSTEM_WINDOW ! godot.KILL_BACKGROUND_PROCESSES ! godot.LOCATION_HARDWARE ! godot.MANAGE_ACCOUNTS ! godot.MANAGE_APP_TOKENS ! godot.MANAGE_DOCUMENTS ! godot.MASTER_CLEAR ! godot.MEDIA_CONTENT_CONTROL ! godot.MODIFY_AUDIO_SETTINGS ! godot.MODIFY_PHONE_STATE ! godot.MOUNT_FORMAT_FILESYSTEMS ! godot.MOUNT_UNMOUNT_FILESYSTEMS ! godot.NFC ! godot.PERSISTENT_ACTIVITY ! godot.PROCESS_OUTGOING_CALLS ! godot.READ_CALENDAR ! godot.READ_CALL_LOG ! godot.READ_CONTACTS ! godot.READ_EXTERNAL_STORAGE ! godot.READ_FRAME_BUFFER ! godot.READ_HISTORY_BOOKMARKS ! godot.READ_INPUT_STATE ! godot.READ_LOGS ! godot.READ_PHONE_STATE ! godot.READ_PROFILE ! godot.READ_SMS ! godot.READ_SOCIAL_STREAM ! godot.READ_SYNC_SETTINGS ! godot.READ_SYNC_STATS ! godot.READ_USER_DICTIONARY ! godot.REBOOT ! godot.RECEIVE_BOOT_COMPLETED ! godot.RECEIVE_MMS ! godot.RECEIVE_SMS ! godot.RECEIVE_WAP_PUSH ! godot.RECORD_AUDIO ! godot.REORDER_TASKS ! godot.RESTART_PACKAGES ! godot.SEND_RESPOND_VIA_MESSAGE ! godot.SEND_SMS ! godot.SET_ACTIVITY_WATCHER ! godot.SET_ALARM ! godot.SET_ALWAYS_FINISH ! godot.SET_ANIMATION_SCALE ! godot.SET_DEBUG_APP ! godot.SET_ORIENTATION ! godot.SET_POINTER_SPEED ! godot.SET_PREFERRED_APPLICATIONS ! godot.SET_PROCESS_LIMIT ! godot.SET_TIME ! godot.SET_TIME_ZONE ! godot.SET_WALLPAPER ! godot.SET_WALLPAPER_HINTS ! godot.SIGNAL_PERSISTENT_PROCESSES ! godot.STATUS_BAR ! godot.SUBSCRIBED_FEEDS_READ ! godot.SUBSCRIBED_FEEDS_WRITE ! godot.SYSTEM_ALERT_WINDOW ! godot.TRANSMIT_IR ! godot.UNINSTALL_SHORTCUT ! godot.UPDATE_DEVICE_STATS ! godot.USE_CREDENTIALS ! godot.USE_SIP ! godot.VIBRATE ! godot.WAKE_LOCK ! godot.WRITE_APN_SETTINGS ! godot.WRITE_CALENDAR ! godot.WRITE_CALL_LOG ! godot.WRITE_CONTACTS ! godot.WRITE_EXTERNAL_STORAGE ! godot.WRITE_GSERVICES ! godot.WRITE_HISTORY_BOOKMARKS ! godot.WRITE_PROFILE ! godot.WRITE_SECURE_SETTINGS ! godot.WRITE_SETTINGS ! godot.WRITE_SMS ! godot.WRITE_SOCIAL_STREAM ! godot.WRITE_SYNC_SETTINGS ! godot.WRITE_USER_DICTIONARY

Just two valid android permissions there: android.permission.ACCESS_NETWORK_STATE and android.permission.INTERNET My bet is that Google does not tolerate Godot's permissions placeholders any more.

I believe it isn't a case of placeholders but rather what i pointed out. It fits the profile of what the man was talking about. This is, however, a Godot code issue.

Good to know they're on the track to fixing it, the straightforward fix they provide i've already implemented, the problem is that even if you do recompile the entire engine without said placeholders in the manifest template file, the output android template apk will still contain the exact same issues ( i believe it will ) that the support guy was talking about and that i referenced in one of my previous posts, that i will re-post.

None of the following permission requests were ticked prior to export, in fact, what you're seeing there are things that exist in a stock export template compiled from source without any added plugins.

Debugging the APK on android studio and doing a tree search for android.permission, i found within the files:

FingerprintManagerCompat.smali value = "android.permission.USE_FINGERPRINT"

zzaqo.smali const-string v2, "android.permission.ACCESS_COARSE_LOCATION" const-string v2, "android.permission.ACCESS_FINE_LOCATION"

zzaiw.smali const-string v2, "android.permission.RECORD_AUDIO" const-string v2, "android.permission.CAMERA"

zzmw.smali const-string v1, "android.permission.WRITE_EXTERNAL_STORAGE"

WorkSourceUtil.smali const-string v2, "android.permission.UPDATE_DEVICE_STATS"

This is probably best taken to the issue tracker at this point.

@Shin-NiL said: Well, we have an official note about this issue: https://godotengine.org/article/fixing-godot-games-published-google-play

This is one of the reasons why so many people are developing a strong dislike for any product or platform with the Google name on it. That reason is Google making sudden, unannounced changes in terms of use and not giving users any time to give feedback or adjust their content to be compliant (which means strikes or bans being handed out immediately).

They have to be more careful about this, or Google will find out they have finally allowed people of widely varying worldviews and beliefs to come together (against them).

Okay, i've opened a ticket at the issue tracker.

The only workaround this that i see for now is to clear the strings off the *android_perms[] pointer array of all permissions that your project does not require, replacing, example, "ACCESS_CHECKIN_PROPERTIES" with "", within the export.cpp file.

This way an empty name string will be addressed during compilation, wherever it's requested, instead of the string name of the sensitive permissions that are appearing after compilation, nullifying them altogether.

5 days later

Have you republished problem-free your apps again on the store with the modified android permissions xml Shin?