Tag Archives: safety

Developer tips and guides: Common policy violations and how you can avoid them

By Andrew Ahn, Product Manager, Google Play App Safety

At Google Play, we want to foster an ecosystem of safe, engaging, useful, and entertaining apps used and loved by billions of Android users worldwide. That’s why we regularly update and revise our Google Play Developer Policies and Developer Distribution Agreement, detailing the boundaries of app content and functionalities allowed on the platform, as well as providing the latest guidance on how developers can promote and monetize apps.

While recently analyzing apps for policy compliance on Google Play, we identified some common mistakes and violations that developers make. We’re sharing these with the developer community, along with tips and guides on how to avoid them, to mitigate the risk of apps and developer accounts being suspended for violating our policies.

Links that take users back to other apps on the Play Store

One of the most common mistakes we see is apps with buttons and menus that link out to the Play Store -- either to apps by the same developer or to other apps that may be affiliated with the developer -- without making clear that these are ads or promotional links. Without this clarity, apps may face enforcement for having deceptive / disguised ads. One way to avoid this mistake is to call these out explicitly by labeling the buttons and links as ‘More Apps’, ‘More Games’, ‘Explore’, ‘Check out our other apps’, etc.

Example of app content that links out to an app listing on Play

Spammy app descriptions

Another mistake we frequently observe is developers ‘stuffing’ keywords into the app description in the hope of better discoverability and ranking against certain keywords and phrases. Text blocks or lists that contain repetitive or unrelated keywords or references violate our Store Listing and Promotion policy. Writing a clear app description intended and optimized for users’ readability and understanding is one of the best ways to avoid this violation.

Watch this video to learn how to avoid spammy store listings and efforts to artificially boost app visibility.

Abandoned and broken apps

Some apps were published by their developers a long time ago and are no longer being maintained. Abandoned and unmaintained apps often create user experience issues -- broken app functionality, for example. Not only are such apps at risk of getting a low star rating and negative user reviews, they will also be flagged as violating the minimum functionality policy. To mitigate the negative impact on developer reputation and avoid app enforcement, consider unpublishing such apps from the Play Store. Note that the updated unpublish action won’t affect existing users who already installed the app, and developers can always choose to re-publish them after addressing the broken experiences.

Example of an abandoned app that provides a broken app experience

Take the ‘Minimum and Broken Functionality Spam’ course on Play Academy



Apps vs. Webview

Lastly, we observe a large volume of app submissions that are just webviews of existing websites. Most of these apps are submitted with the primary purpose of driving traffic rather than providing engaging app experiences to Android users. Such apps are considered webview spam and are removed from Play. Instead, think through what users can do, or do better, with the app than in a web experience, and implement relevant features and functionality that enrich the user experience.

Example of a webview without any app functionality

Take the ‘Webview Spam’ course on Play Academy



While the above are some of the most frequent mistakes, make sure to stay up to date with the latest policies by visiting the Play Developer Policy Center. Check out Google Play Academy’s Policy training, including our new Spam courses, and watch our Play PolicyBytes videos to learn more about recent policy updates.

Google Supports Scams Awareness Week

This year, #scamsweek2020 comes at a time when many of us are spending more time at home and are using a plethora of new apps and communications tools to work, learn, access information, and stay connected with loved ones. We are joining the ACCC Scamwatch team this week to promote the importance of identifying and managing online security risks - some of which we do on your behalf without you even realising and some of which we ask you to make an informed decision about.


When people first started staying home due to COVID-19 earlier this year, our advanced, machine-learning classifiers saw 18 million daily malware and phishing attempts related to COVID-19, in addition to more than 240 million COVID-related spam messages globally. Our security systems have detected a range of new scams circulating, such as phishing emails posing as messages from charities and NGOs, directions from “administrators” to employees working from home, and even notices spoofing healthcare providers. Our systems have also spotted malware-laden sites that pose as sign-in pages for popular social media accounts, health organisations, or even official coronavirus maps. 


To protect you from these risks, we've built advanced security protections into many Google products to automatically identify and stop threats before they ever reach you. Our machine learning models in Gmail already detect and block more than 99.9 percent of spam, phishing and malware. Our built-in security also protects you by alerting you before you enter fraudulent websites, by scanning apps in Google Play before you download, and more. But we want to help you stay secure everywhere online, not just on our products, so we’re providing these simple tips, tools and resources.



Know how to spot and avoid COVID-19 scams
With many of the COVID-19 related scams coming in the form of phishing emails, it’s important to pause and evaluate any COVID-19 email before clicking any links or taking other action. Be wary of requests for personal information such as your home address or bank details. Fake links often imitate established websites by adding extra words or letters to them—check the URL’s validity by hovering over it (on desktop) or with a long press (on mobile).

Tips to Avoid Common Scams

Use your company’s enterprise email account for anything work-related
Working with our enterprise customers, we see how employees can put their company’s business at risk when using their personal accounts or devices. Even when working from home, it’s important to keep your work and personal email separate. Enterprise accounts offer additional security features that keep your company’s private information private. If you’re unsure about your company’s online security safeguards, check with your IT professionals to ensure the right security features are enabled, like two-factor authentication.



Secure your video calls on video conferencing apps
The security controls built into Google Meet are turned on by default, so that in most cases, organisations and users are automatically protected. But there are steps you can take on any video conferencing app to make your call more secure:
  • Consider adding an extra layer of verification to help ensure only invited attendees gain access to the meeting.
  • When sharing a meeting invite publicly, be sure to enable the “knocking” feature so that the meeting organiser can personally vet and accept new attendees before they enter the meeting.
  • If you receive a meeting invite that requires installing a new video-conferencing app, always be sure to verify the invitation—paying special attention to potential imposters—before installing.



Install security updates when notified
When working from home, your work computer may not automatically update your security technology as it would when in the office and connected to your corporate network. It’s important to take immediate action on any security update prompts. These updates fix known security vulnerabilities, which attackers are actively seeking out and exploiting.



Use a password manager to create and store strong passwords
With all the new applications and services you might be using for work and school purposes, it can be tempting to use just one password for all of them. In fact, 69% of Aussies admit to using the same password across multiple accounts, despite 90% knowing that this presents a security risk. To keep your private information private, always use unique, hard-to-guess passwords. A password manager, like the one built into Android, Chrome, and your Google Account, can help make this easier.



Protect your Google Account
If you use a Google Account, you can easily review any recent security issues and get personalised recommendations to help protect your data and devices with the Security Checkup. Within this tool, you can also run a Password Checkup to learn if any of your saved passwords for third party sites or accounts have been compromised and then easily change them if needed.


You should also consider adding two-step verification (also known as two-factor authentication), which you likely already have in place for online banking and other similar services, to provide an extra layer of security. This helps keep out anyone who shouldn't have access to your accounts by requiring a secondary factor on top of your username and password to sign in. To set this up for your Google Account, go to g.co/2SV.


Protecting your Google Play Console account with 2-Step Verification

Posted by Tom Grinsted, Product Manager, Google Play Console

Google Play Console has something for everyone, from QAs and PMs to engineers and marketing managers. The new Google Play Console beta, available now at play.google.com/console, offers customized, secure access to everyone on your team. For a closer look at some of its new features and workflows, tune in to this week’s series of live webinars, which will also be available on demand.

Granting your team members safe access to specific features in your developer account is one of the best ways to increase the value of our tools for your organization. We want to make sure that your developer account is as safe as possible so you feel confident when granting access. A key way to do that is to make sure that every person who has access to your account signs in using secure methods that follow best practices. That’s why, towards the end of this year, we’re going to start requiring users of Google Play Console to sign in using Google's 2-Step Verification.

2-Step Verification uses both your password and a second way to identify you for added security. This could be a text message to a registered phone, an authenticator app, alerts on supported devices, or a hardware security key. Normally, you only have to do this when you sign in for the first time on a new computer. It’s one of the easiest ways to increase the level of security for you and your team members’ accounts.

Learn more about 2-Step Verification here, and how to set it up for your own account.

If you have any comments or concerns about using 2-Step Verification to sign in to Google Play Console, or if you think it will impact you or your teams’ use of Google Play Console, use this form to let us know. All responses will be read by our product team and will help us shape our future plans.

Your team won’t be required to use 2-Step Verification immediately, although we recommend that you set it up now. We will start mandating 2-Step Verification with new users to Google Play Console towards the end of Q3, followed by existing users with high-risk permissions like app publishing or changing the prices in in-app products, later in the year. We’ll also remind every impacted user in Google Play Console at least 30 days before the change takes effect. We may also start to re-verify when you’re undertaking a sensitive action like changing your developer name or transferring ownership of an app.

Hundreds of thousands of Google Play Console users already use 2-Step Verification to keep their accounts safe, and it's been the default for G Suite customers for years. But we understand that requiring this may impact some of your existing workflows, which is why we’re giving advance notice of this change and asking for your feedback.

We can all take steps to keep our accounts and the developer community safe. Thanks for publishing your apps on Google Play.


Safer and More Transparent Access to User Location

Posted by Krish Vitaldevara, Director of Product Management Trust & Safety, Google Play

Last year, we made several changes to our platform and policies to increase user trust and safety. We’re proud of the work we’ve done to improve family safety, limit use of sensitive permissions, and catch bad actors before they ever reach the Play Store.

We realize that changes can lead to work for developers. Last year, you told us that you wanted more detailed communications about impactful updates, why we’re making them, and how to take action. You also asked for as much time as possible to make any changes required.

With that feedback in mind, today, we’re previewing Android and Google Play policy changes that will impact how developers access location in the background.

Giving users more control over their location data

Users consistently tell us that they want more control over their location data and that we should take every precaution to prevent misuse. Since the beginning of Android, users have needed to grant explicit permission to any app that wants access to their location data.

In Android 10, people were given additional control to only grant access when the app is in use, which makes location access more intentional. Users clearly appreciated this option as over half of users select “While app is in use.”

Now in Android 11, we’re giving users even more control with the ability to grant a temporary “one-time” permission to sensitive data like location. When users select this option, apps can only access the data until the user moves away from the app, and they must then request permission again for the next access. Please visit the Android 11 developer preview to learn more.

Preventing unnecessary access to background location

Users tell us they also want more protection on earlier versions of Android - as well as more transparency around how apps use this data.

As we took a closer look at background location usage, we found that many of the apps that requested background location didn’t actually need it. In fact, many of these apps could provide the same user experience by only accessing location when the app is visible to the user. We want to make it easier for users to choose when to share their location and they shouldn't be asked for a permission that the app doesn't need.

Later this year, we will be updating Google Play policy to require that developers get approval if they want to access location data in the background. Factors that will be looked at include:

  • Does the feature deliver clear value to the user?
  • Would users expect the app to access their location in the background?
  • Is the feature important to the primary purpose of the app?
  • Can you deliver the same experience without accessing location in the background?

All apps will be evaluated against the same factors, including apps made by Google, and all submissions will be reviewed by people on our team. Let’s take a look at three examples:

An app that sends emergency or safety alerts as part of its core functionality - and clearly communicates why access is needed to the user - would have a strong case to request background location.

A social networking app that allows users to elect to continuously share their location with friends would also have a strong case to access location in the background.

An app with a store locator feature would work just fine by only accessing location when the app is visible to the user. In this scenario, the app would not have a strong case to request background location under the new policy.

When we spoke to developers for feedback, the vast majority understood user concerns over their information falling into the wrong hands and were willing to change their location usage to be safer and more transparent.

Getting approval for background access

We know that when we update our policies, you want to get actionable feedback and have ample time to make changes. Before we implement this policy change, you will be able to submit your use case via the Play Console and receive feedback on whether it will be allowed under the new policy.

We anticipate the following timeline for this policy rollout; however, it is subject to change.

  • April: official Google Play policy update with background location
  • May: developers can request feedback on their use case via the Play Console with an estimated reply time of 2 weeks, depending on volume
  • August 3rd: all new apps submitted to Google Play that access background location will need to be approved
  • November 2nd: all existing apps that request background location will need to be approved or will be removed from Google Play

Review and evaluate your location access

We encourage all developers to review the following best practices for accessing location data in their apps:

  • Review the background location access checklist to identify any potential access in your code. Remember you are also responsible for ensuring all third party SDKs or libraries that you use comply with our policies, including access to background location.
  • Minimize your use of location by using the minimum scope necessary to provide a feature (i.e., coarse instead of fine, foreground instead of background).
  • Review privacy best practices and ensure you have the proper disclosure and privacy policies in place.
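One way to start the review described in the list above is to audit the merged `AndroidManifest.xml`, which also contains permissions contributed by third-party SDKs. The script below is an added example, not Google's checklist or tooling; the finding codes and sample manifests are constructed for illustration, and it assumes the merged manifest carries a `uses-sdk` element. It also applies an Android 10 platform rule that is not stated in this post: apps targeting API level 28 or lower are treated as having background location access whenever they request foreground location.

```python
import xml.etree.ElementTree as ET

# Namespace prefix ElementTree uses for android:* attributes.
ANDROID = "{http://schemas.android.com/apk/res/android}"

FINE = "android.permission.ACCESS_FINE_LOCATION"
COARSE = "android.permission.ACCESS_COARSE_LOCATION"
BACKGROUND = "android.permission.ACCESS_BACKGROUND_LOCATION"


def _target_sdk(root):
    """Return targetSdkVersion as an int, or None if absent or non-numeric."""
    sdk = root.find("uses-sdk")
    value = sdk.get(ANDROID + "targetSdkVersion", "") if sdk is not None else ""
    return int(value) if value.isdigit() else None


def audit_location_permissions(manifest_xml):
    """Return a list of (code, detail) findings for a merged manifest.

    The codes are hypothetical labels used only by this example.
    """
    root = ET.fromstring(manifest_xml)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID + "name")
            if name:
                requested.add(name)

    target = _target_sdk(root)
    findings = []

    if BACKGROUND in requested:
        findings.append(("BACKGROUND_DECLARED",
                         "background location is requested explicitly; "
                         "confirm the feature cannot work in the foreground"))
    elif target is not None and target < 29 and requested & {FINE, COARSE}:
        # On Android 10 devices the platform grants background access
        # implicitly to apps that target API 28 or lower.
        findings.append(("IMPLICIT_BACKGROUND",
                         "targetSdkVersion %d with a location permission "
                         "implies background access on Android 10" % target))

    if FINE in requested:
        findings.append(("FINE_REQUESTED",
                         "check whether coarse location is sufficient"))
    return findings


# Constructed sample: a store locator that still targets API 28.
STORE_LOCATOR = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.storelocator">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="28"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
"""

# Constructed sample: minimum scope, current target SDK.
MINIMAL_SCOPE = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-sdk android:minSdkVersion="23" android:targetSdkVersion="30"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
</manifest>
"""

# Constructed sample: an SDK-contributed background permission in the merge.
WITH_BACKGROUND = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.social">
  <uses-sdk android:minSdkVersion="23" android:targetSdkVersion="30"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
</manifest>
"""

if __name__ == "__main__":
    for label, xml_text in (("store locator", STORE_LOCATOR),
                            ("minimal scope", MINIMAL_SCOPE),
                            ("with background", WITH_BACKGROUND)):
        print(label)
        for code, detail in audit_location_permissions(xml_text) or [("OK", "no findings")]:
            print("  %-20s %s" % (code, detail))
```

Run it against the merged manifest produced by your build rather than the source manifest, so that permissions added by libraries are included.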

We hope you found this policy preview useful in planning your roadmap for the year and we appreciate your efforts to build privacy-friendly apps. Together, we can keep the Android ecosystem safe and secure for everyone.

What’s under the hood: Security on Google Pay

In the last two years, instant bank-to-bank transfers via UPI have become the preferred form of payment for millions of Indians, many adopting digital payments for the first time. At Google Pay, we’ve been very excited to be part of this story, bringing the convenience of UPI to millions of users in a simple and secure user experience.


We launched Google Pay with the best of Google’s security infrastructure, leveraging our experience of 20 years of bringing some of the world’s most helpful technology products to billions of users worldwide. Some of these are: 

  • Enhanced fraud protections with SafetyNet: Beyond the ‘one device - one account’ safeguards offered by UPI, Google Pay is secured with Google Pay advanced fraud models and backed by Google’s authentication platform, ensuring world class protections against fraud attacks and faster identification and suspension of fraudsters.
  • Secure access: The PIN entry screens in Google Pay have been secured against remote desktop attacks since the early days of the app’s launch, keeping our users safe, even when widespread scams have affected other digital payments users.
  • Blocking fraudsters from getting on to Google Pay: Our exhaustive risk relations check at the onboarding stage prevents known bad actors from recreating their accounts on the app.
  • Scam protections: Since its launch, Google Pay has used machine learning-based scam prevention models, and also displays explicit ‘scam’ or ‘stranger’ warnings if a user receives a request from someone suspicious or not in their contacts.
  • Explicit language and prominent warnings during collect requests: Collect requests as a flow are unique to UPI and thus might be new to several users. For this reason, Google Pay displays very clear and prominent warnings to the user about what it entails at each step.

Additionally, to help our users fully understand each step on the app, we have now launched notifications and SMS alerts to clarify the direction of flow of money: Google Pay will now send app notifications as well as SMS to inform users each time they receive a collect request, to highlight that approving the request will deduct money from the user’s bank account.

We are mindful that at Google Pay, users are entrusting us with their most sensitive asset - their money. We are conscious of the responsibility that comes with this trust. The above security features, and a lot more ongoing work in this direction, are a small example of how we keep our users safe.

As we make this journey together, there are steps that our users can also take to keep their money secure. Just as we learnt to handle cash carefully, the world of digital payments requires care and mindfulness as well, to ensure we keep our money safe. Some of these are:

  • Just as you keep your ATM card PIN private, your UPI PIN needs to be safeguarded in the same way. This code is only for your use, to securely access your UPI-linked bank account, via Google Pay. The same applies to your phone PIN.
  • Google Pay customer care representatives will never ask for your PIN or ask you to authorise a money transfer while troubleshooting. If anyone contacts you with such a request, always decline.
  • UPI places incredible power in the hands of the user and money can only leave your account if you authorise it. Only approve transfer requests from people you trust, or for transactions that you have initiated. If you don’t remember initiating a transaction, decline.
  • Please pay attention to ‘scam’ and ‘stranger’ warnings that appear on Google Pay in case an unknown contact requests a money transfer. Read these signals carefully and only transact with people you trust.
  • Be alert to the direction of the money flow. Receiving money never requires your UPI PIN, only sending money does. If you need to enter your UPI PIN, you are authorising a payment.
  • If you ever need any kind of support or help, our 24/7 support is available and can be contacted safely from within the app. Do not call unverified numbers present on the web.

These simple tips, along with Google Pay’s security infrastructure, can ensure that your experience on digital payments stays seamless, and you can leverage its many conveniences to the fullest. This journey is an ongoing one as we continue to learn and evolve the product, and we look forward to your feedback to make Google Pay even more helpful in your daily life.

Posted by Ambarish Kenghe, Director, Product Management, Google Pay