Dangerous app / app removed / Google rant

[admin]

If your phone just asked you to remove my app because it can spy on you, I can understand your suspicion. The reason is that Google has removed the app since it it did not comply with their policy.

All apps should of course comply with the policies, and I have done my best to do so. So I have added "prominent disclosures" telling you that this app may track your position, read your data, when you use the app a notification appears etc.

After the app was removed from the Play Store I filed an appeal. For full transparency I include the mail correspondence here.

q:o)          Theis

[admin]

From Google Aug 18, 2022, 11:27 AM

Dear Google Play Developer,
Thanks for contacting Google Play. Your appeal has been submitted successfully and will be reviewed by a specialist. The ticket number for your appeal is referenced in the subject of this message. Currently, we are experiencing a high volumes so there may be a delay in our responses.
Thank you for your patience and understanding while we work on getting a response back to you as soon as possible.  
 
Thanks,
The Google Play Team

[admin]

From Google Aug 19, 2022, 12:45 AM



Hi Theis,
Thanks for contacting the Google Play team.
I've received your appeal and I appreciate your patience while I look into it.

I'll let you know as soon as I have any additional information to share. Please let me know if you have any questions in the meantime.
Regards,
Bianca
The Google Play Team
Please visit the Google Play Developer Policy Center and Google Play's Academy for App Success to learn more about building policy compliant and high quality apps. You can also visit the Android Developers Blog for the latest Android and Google Play news for app and game developers.

[admin]

From me Aug 24, 2022, 12:43 AM



Hi Bianca

Did you find an explanation why my app was removed?

I had +10 mio downloads and most gave a rating of 4-5 stars. I'm quite sure my app has helped a lot of users.

And I did warn the users that the app would track their location with a prominent disclosure even though it should be obvious.

BR Theis

[admin]

From Google Aug 25, 2022, 12:59 AM



Hi Theis,
Thanks for your reply.
Kindly allow us to take more time as we further check your app. We'll let you know as soon as possible once we've gathered all the information.
We truly appreciate your patience on this matter.

[admin]

From me Aug 29, 2022, 1:05 PM



Any news?

It has now been 11 days since you removed my app. Not knowing how you investigates it sounds to me like a simple task to install the app, verify that I do in fact provide a prominent disclosure telling the user that the app can track their whereabouts (which makes sense, since that's one of many features), contacts, etc.

Looking forward to hear from you, and hopefully get my app back again. I will of course comply with your policies. I have not changed my app for a long time so I have not done anything new to break your policies.

Have a nice day

q:o)          Theis

[admin]

From Google Aug 29, 2022, 11:41 PM


Hi Theis,
Thanks again for contacting the Google Play team.
Due to adjusted work schedules at this time, you may experience longer than usual process times for your appeal.
Kindly note that we are still currently looking into your appeal and I appreciate your patience while we finish our further review.
Thank you for your patience and understanding.

[admin]

From GoogleThu, Sep 1, 11:55 PM



Hi Theis,
Thanks for your patience.
Status of app: Suspended from Google Play due to policy violation
I’ve reviewed your appeal request and found that your app, Lost Android (com.androidlost, App Bundle Version: 175), still violates Google Play Policy.
During review, we found that your app violates the Stalkerware of the Malware policy. We don't allow apps with any code that could put a user, a user’s data, or a device at risk. If your app was developed by a third party, we recommend contacting them to verify that they designed your app to comply with our policies.
You can read through the Malware policy page for more details and examples of common violations.
For example, your app currently contains stalkerware code that collects and/or transmits personal or sensitive user data from a device without adequate notice or consent and doesn't display a persistent notification that this is happening.
Please note that suspensions count as strikes against the good standing of your Google Play Developer account. Egregious or multiple policy violations can result in suspension, as can repeated app rejections or removals.
If your developer credentials are still in good standing with Google Play and if your app allows for it, you can publish a new compliant version of the app by following these steps:

1. Make the necessary changes to your app to address the issue described above, if possible.
   
2. Double check that your app complies with all other policies listed in the Developer Policy Center as additional enforcement could occur if there are further policy violations.
   
3. Sign in to Play Console and upload a new app using a new package name and a new app name.
   

Please let me know if you have any other questions. Thanks for your continued support of Google Play.

[admin]

From me Fri, Sep 2, 1:14 AM

Hi Bianca

Did you not read my emails? Let's take a quick summary:

18/8: GOOGLE: we have removed your app since it contains stalkerware
19/8: GOOGLE: we have received your appeal
24/8: ME: Any updates? I do have a prominent disclosure warning users that my app will track them
29/8: ME: Any updates? I repeat that I do not hide that the app will collect position, contacts, etc
29/8: GOOGLE: we are reviewing your case
1/9: GOOGLE: we have removed your app since it contains stalkerware

Now, in your last email you emphasize:
For example, your app currently contains stalkerware code that collects and/or transmits personal or sensitive user data from a device without adequate notice or consent and doesn't display a persistent notification that this is happening.
Let us have a look.

Logically it makes sense that an app that can find your device will need to get the location. And if you wish to backup your contacts or files the app will need to get them from the phone. So yes, user data is collected and sent to the user.

But this is allowed if the user is properly notified and informed.

Do I force the user through a consent screen when installing? YES!
Is there prominent disclosures saying that the app will collect data? YES!
Is there a persistent notification when tracking the phone? YES!

Here are some of the prominent disclosures that I provide to my users:

   

   

   

Just to be clear: I ONLY collect the users personal data when they command me to do so. The data is only displayed to the user. I do not collect, view, store or sell any user data.

So if you could please elaborate on what specific points you think I am breaking your policies I would be very grateful. If I by accident have missed a part of your policy I will of course do my best to comply. But right now I fail to see that I do not present the users with prominent disclosures, persistent notifications, etc.

I hope to hear from you soon...

Best regards

q:o)             Theis

P.S: the last time we went through this "prominent disclosure" was a couple of months ago where you said I collected my users "social profile". I still have no idea what that means since I do not collect any user data, uses google analytics, facebook or anything else. I do believe that your algorithm for detecting malware is seriously flawed and keeps picking me out since it has given me a bad developer rating.

I strongly suggest that you bump this case up the command chain or have a chat with the AI people. Feel free to give me a call if I can elaborate on anything. I am really a nice guy who tries to do something good for my users and I have really tried to comply with your policies.

P.P.S: Since you have already removed my app from all my users my appeal is now mainly to let my developer account be restored to a good standing.

[admin]

From Google Fri, Sep 2, 6:51 PM


Hi Theis,
Thanks for your reply.
I understand the inconvenience you are facing right now for your app and I appreciate your patience. As much as I'd like to help, I’m not able to provide any more detail or a better answer to your question. In our previous email, I made sure to include all the information available to me. As mentioned, we don't allow apps that violates Malware policy for having stalkerware code that target device users by monitoring personal or sensitive user data, and transmitting or making this data accessible to third parties. 
Please note that your app must present users with a persistent notification at all times when the app is running and a unique icon that clearly identifies the app.
For further guidance, you can read through the Malware policy page for more details and examples of common violations.
Thanks for your continued support of Google Play.