Is my app or its dependencies violating the Android Advertising Id policy?
I've just received this message from Google Play but I'm not collecting the Advertising ID.
Reason for warning: Violation of Usage of Android Advertising ID policy and section 4.8 of the Developer Distribution Agreement
Google Play requires developers to provide a valid privacy policy when the app requests or handles sensitive user or device information. We’ve identified that your app collects and transmits the Android advertising ID, which is subject to a privacy policy requirement.
Is it possible any of my dependencies uses it? Here's the list of dependencies:
implementation "org.jetbrains.kotlin:kotlin-stdlib:$kotlin_version"
implementation "org.jetbrains.anko:anko-common:$anko_version"
implementation ("com.android.support:appcompat-v7:$android_support_version") {
exclude group: 'com.android.support', module: 'animated-vector-drawable'
exclude group: 'com.android.support', module: 'design'
}
implementation ("com.android.support:design:$android_support_version") {
exclude group: 'com.android.support', module: 'animated-vector-drawable'
}
implementation ("com.android.support:cardview-v7:$android_support_version") {
exclude group: 'com.android.support', module: 'animated-vector-drawable'
exclude group: 'com.android.support', module: 'design'
}
implementation 'com.github.PhilJay:MPAndroidChart:v3.0.2'
implementation 'com.github.apl-devs:appintro:v4.2.3'
implementation('com.crashlytics.sdk.android:crashlytics:2.6.8@aar') {
transitive = true
}
implementation 'com.firebase:firebase-jobdispatcher:0.7.0'
implementation ("com.google.firebase:firebase-firestore:$firestore_version") {
exclude group: 'com.google.firebase', module: 'firebase-auth'
}
implementation ("com.google.firebase:firebase-auth:$firebase_version") {
exclude group: 'com.google.firebase', module: 'firebase-firestore'
}
implementation ("com.google.firebase:firebase-storage:$firebase_version") {
exclude group: 'com.google.firebase', module: 'firebase-firestore'
}
implementation ('com.google.android.gms:play-services-auth:16.0.0') {
exclude group: 'com.google.firebase', module: 'firebase-firestore'
}
implementation 'com.android.support.constraint:constraint-layout:1.1.3'
implementation 'com.android.support:multidex:1.0.3'
implementation ("com.android.support:exifinterface:$android_support_version") {
exclude group: 'com.android.support', module: 'animated-vector-drawable'
exclude group: 'com.android.support', module: 'design'
}
implementation 'com.soundcloud.android:android-crop:1.0.1@aar'
implementation 'com.github.bumptech.glide:glide:4.7.1'
Solution 1:
Disable advertising id collection
According to the Firebase docs you can disable advertising id collection by setting:
<meta-data android:name="google_analytics_adid_collection_enabled" android:value="false" />
in your AndroidManifest.xml
under the <Application>
tag.
EDIT: It seems like people are having mixed success with this approach. Try adding
configurations { all*.exclude group: 'com.google.firebase', module: 'firebase-core' all*.exclude group: 'com.google.firebase', module: 'firebase-iid' }
to the Gradle app dependencies area as per comment below.
Solution 2:
Today many developers are getting this same issue. I also got this issue. I didn't collect any sensitive data, I am not even showing ads to my users. In your case the Crashlytics lib could be an issue. It deals with advertising IDs. In the mail they mention the required action:
Action required: Add a privacy policy to your store listing and app
So I think all of us should add a privacy policy on the store listing as well as on the app. Before taking the action we should go through the related privacy policy. Here are some links from where you can get help:
Privacy policy to upload an app
Usage of Android Advertising ID
Developer Distribution Agreement
Developer Program Policies
Solution 3:
You are using crashlytics below 2.9.3. Apparently it's collecting and sending the google advertising id as a key in their header. That might be the or one of the issues. You can check if it's sending the advertising id through a proxy like Charles.
Edit ***
It seems that version 2.9.3 and above are still getting the advertisingID from by calling AdvertisingIdClient.getAdvertisingIdInfo()
from the com.google.android.gms.ads.identifier
package. I checked it by setting a break point on the method. I am assuming it is somehow still being send to fabric. Which would mean updating to higher version will not solve it..