Is my app or its dependencies violating the Android Advertising Id policy?

android google-play google-play-console google-advertising-id

I've just received this message from Google Play but I'm not collecting the Advertising ID.

Reason for warning: Violation of Usage of Android Advertising ID policy and section 4.8 of the Developer Distribution Agreement

Google Play requires developers to provide a valid privacy policy when the app requests or handles sensitive user or device information. We’ve identified that your app collects and transmits the Android advertising ID, which is subject to a privacy policy requirement.

Is it possible any of my dependencies uses it? Here's the list of dependencies:

implementation "org.jetbrains.kotlin:kotlin-stdlib:$kotlin_version"
implementation "org.jetbrains.anko:anko-common:$anko_version"

implementation ("com.android.support:appcompat-v7:$android_support_version") {
    exclude group: 'com.android.support', module: 'animated-vector-drawable'
    exclude group: 'com.android.support', module: 'design'
}
implementation ("com.android.support:design:$android_support_version") {
    exclude group: 'com.android.support', module: 'animated-vector-drawable'
}
implementation ("com.android.support:cardview-v7:$android_support_version") {
    exclude group: 'com.android.support', module: 'animated-vector-drawable'
    exclude group: 'com.android.support', module: 'design'
}
implementation 'com.github.PhilJay:MPAndroidChart:v3.0.2'
implementation 'com.github.apl-devs:appintro:v4.2.3'
implementation('com.crashlytics.sdk.android:crashlytics:2.6.8@aar') {
    transitive = true
}
implementation 'com.firebase:firebase-jobdispatcher:0.7.0'
implementation ("com.google.firebase:firebase-firestore:$firestore_version") {
    exclude group: 'com.google.firebase', module: 'firebase-auth'
}
implementation ("com.google.firebase:firebase-auth:$firebase_version") {
    exclude group: 'com.google.firebase', module: 'firebase-firestore'
}
implementation ("com.google.firebase:firebase-storage:$firebase_version") {
    exclude group: 'com.google.firebase', module: 'firebase-firestore'
}
implementation ('com.google.android.gms:play-services-auth:16.0.0') {
    exclude group: 'com.google.firebase', module: 'firebase-firestore'
}
implementation 'com.android.support.constraint:constraint-layout:1.1.3'
implementation 'com.android.support:multidex:1.0.3'
implementation ("com.android.support:exifinterface:$android_support_version") {
    exclude group: 'com.android.support', module: 'animated-vector-drawable'
    exclude group: 'com.android.support', module: 'design'
}
implementation 'com.soundcloud.android:android-crop:1.0.1@aar'
implementation 'com.github.bumptech.glide:glide:4.7.1'

Solution 1:

Disable advertising id collection

According to the Firebase docs you can disable advertising id collection by setting:

<meta-data android:name="google_analytics_adid_collection_enabled" android:value="false" />

in your AndroidManifest.xml under the <Application> tag.

EDIT: It seems like people are having mixed success with this approach. Try adding configurations { all*.exclude group: 'com.google.firebase', module: 'firebase-core' all*.exclude group: 'com.google.firebase', module: 'firebase-iid' } to the Gradle app dependencies area as per comment below.

Solution 2:

Today many developers are getting this same issue. I also got this issue. I didn't collect any sensitive data, I am not even showing ads to my users. In your case the Crashlytics lib could be an issue. It deals with advertising IDs. In the mail they mention the required action:

Action required: Add a privacy policy to your store listing and app

So I think all of us should add a privacy policy on the store listing as well as on the app. Before taking the action we should go through the related privacy policy. Here are some links from where you can get help:

Privacy policy to upload an app

Usage of Android Advertising ID

Developer Distribution Agreement

Developer Program Policies

Solution 3:

You are using crashlytics below 2.9.3. Apparently it's collecting and sending the google advertising id as a key in their header. That might be the or one of the issues. You can check if it's sending the advertising id through a proxy like Charles.

Edit *** It seems that version 2.9.3 and above are still getting the advertisingID from by calling AdvertisingIdClient.getAdvertisingIdInfo() from the com.google.android.gms.ads.identifier package. I checked it by setting a break point on the method. I am assuming it is somehow still being send to fabric. Which would mean updating to higher version will not solve it..

Related

codestyle; put javadoc before or after annotation?
What Scala web-frameworks are available? [closed]
How to simulate Android killing my process
What does "Mass Assignment" mean in Laravel?
What is the purpose of providedIn with the Injectable decorator when generating Services in Angular 6?
ASP.NET MS11-100: how can I change the limit on the maximum number of posted form values?
convert streamed buffers to utf8-string
How do you git show untracked files that do not exist in .gitignore
Convert a python 'type' object to a string
What is a good practice to check if an environmental variable exists or not?
Equivalent of varchar(max) in MySQL?
Why does IE9 switch to compatibility mode on my website?