App removed from Google Play due to policy violation with Branch

#1

Hi! My project is running on ejected ExpoKit and published to Google Play. I’m distributing it only to a few of my customers using Alpha releases.

Today my app was removed from Google Play with the following explanation:

Your app is using the Branch IO SDK, which is uploading users Installed Packages information to https://api.branch.io/v1/applist without a prominent disclosure. Prior to the collection and transmission, it must prominently highlight how the user data will be used, describe the type of data being collected and have the user provide affirmative consent for such use. Make sure to also post a privacy policy in both the designated field in the Play Developer Console and from within the Play distributed app itself.

This is the first time I’ve heard of branch.io and definitely haven’t used the features at least directly. How can I get my app back to the store and make sure it doesn’t get removed again?

3 Likes
#2

Hey @kaivosukeltaja,

I believe this will be remedied by adding a Privacy Policy as mentioned here https://docs.expo.io/versions/v32.0.0/distribution/app-stores/#privacy-policy

Cheers,
Adam

#3

I had exactly the same problem this morning - also the first time I’d heard of branch.io.

1 Like
#4

Hey Adam, thanks for the reply!

I already have a Privacy Policy in place but it does not cover whatever the Branch API is doing. Since I don’t know what is being sent to branch.io I have no idea what I should add to the Privacy Policy. Google claims the SDK is uploading Installed Packages information - is that the case? How can I highlight what data is being sent and how it’s being processed? How can I have the user provide consent for this? Would it be easier to just remove the whole SDK from my app or will everything break?

Cheers,
Niko

1 Like
#5

We are having the same problem. Our app was removed from Google Play for the same reason as described. We have a privacy policy in store and app.
Is there a way to remove the dependency to branch.io? Do we need to add something to the privacy policy?

Any suggestions would be greatly appreciated!

1 Like
#6

My apologies for the initial misunderstanding. :confused: We’re investigating this internally. Thanks for the reports everybody and sorry for this inconvenience!

@kaivosukeltaja @johnfredadams @fortumappse Can you all let me know what SDK version your projects are running and also can you confirm that your projects are ejected and using ExpoKit?

#7

SDK 32 - mine was a standard build (not ejected + modified). I use the expo CLI to build. In my case I discovered that the link to my privacy policy had expired, so that might just be the issue. My only other possible explanation is this line of code:

Linking.canOpenURL("inbox-gmail:")

But could that really be it?

#8

It might, but it sounds like Kaivo has a privacy policy in place so unless his expired as well, I doubt it. Thanks for the heads up though.

#9

This just happened with our app being removed from play store too. We did have a privacy policy set.

1 Like
#10

I’m on SDK 24 - it’s an old project but I added it to Google Play pretty recently, about 4 months ago. The app has been ejected because it needs to write to a directory that can be accessed over USB.

As an answer to your question in another post: my privacy policy is not expired but I don’t have the privacy policy available from inside my app. That’s probably not the only reason for the removal as they specifically mentioned branch.io and want the policy to cover that.

#11

Same issue.

  • Standard build as well. (not ejected).
  • Also used the CLI to build.
  • SDK 27.0.0.
  • Deployed in May of 2018.

(This was a toy app to learn the expo deploy process.) Just received a removal notice 4 days ago.

#12

@adamjnav I can see that branch is preinstalled in a managed app and is being required. Is there a config for turning it off since I’m not personally using branch in my app?

#13

Hey all,

After some internal deliberation, we’ve come to the conclusion that this is not anything done incorrectly on your end but simply a change in Google’s policy. As Angeleah mentioned above the Branch module is bundled with binaries built via expo build. We do this for most modules to enable developers to be able to make use of them by pushing an OTA update rather than having to build a new binary… so even if you are not explicitly using the Branch module, the native code is still present in your app and that seems to be enough for Google to flag it.

We’ve deemed the best path forward is to remove the Branch module from being bundled in with .apk files built via expo build:android so that developers can get their apps back in the Play Store ASAP. We’ve just rolled out an update to our SDK32 builders and will be pushing an update out later today for the remaining supported SDK version builders (26-31). If your app is running a version older than that, you will have to update to an officially supported version. Once your version builder is updated, you’ll just need to build a new binary via expo build:android and submit it to the play store. Remember you can pass the --no-publish flag to the build command if you do not want to push any JS changes.

We’ll also be pushing out updates to ExpoKit versions, in which case you’ll have to change the ExpoKit version in your package.json and run yarn add or npm install and then build a new .apk file in Android Studio.

If your app is a Managed project and you explicitly use the Branch module, you’ll need to eject and use ExpoKit and make sure your privacy policy discloses how you are using the data collected by the Branch SDK. There could also be an instance where your app is explicitly using Branch and was not removed, in which case you’ll be fine up until you need to push a new .apk version to the Play Store, at which point you’ll have to eject and use ExpoKit. We understand this is far from an ideal solution and we’ll be working towards getting a more elegant solution in place as soon as we can.

I’ll continue posting updates in this thread.

Cheers,
Adam

8 Likes
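An added example, not part of the original post and not Expo's or Branch's code: a way to check whether a rebuilt .apk still carries Branch native code by scanning its dex files and manifest for SDK markers. The `io.branch` package prefix is an assumption about the SDK's class naming, the applist path comes from Google's notice quoted above, and the sample archive is constructed.

```python
import io
import zipfile

# Markers to look for. The applist endpoint is the one named in Google's notice;
# the io.branch package prefix is an assumption about how the SDK's classes
# (including the InstallListener receiver) are named.
MARKERS = {
    "sdk-classes": b"Lio/branch/",              # dex type-descriptor form
    "manifest-component": b"io.branch.referral",  # dotted form used in manifests
    "applist-endpoint": b"api.branch.io/v1/applist",
}

def _encodings(marker):
    # dex strings are ASCII-compatible; binary AndroidManifest.xml is usually UTF-16LE
    wide = marker.decode("ascii").encode("utf-16-le")
    return (marker, wide)

def scan_apk(apk):
    """Return {entry name: sorted marker labels} for dex/manifest entries with hits."""
    hits = {}
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            name = info.filename
            if not (name.endswith(".dex") or name == "AndroidManifest.xml"):
                continue
            data = zf.read(info)  # zipfile inflates the entry for us
            found = sorted(label for label, m in MARKERS.items()
                           if any(e in data for e in _encodings(m)))
            if found:
                hits[name] = found
    return hits

def build_sample_apk(with_branch):
    """Constructed stand-in for an APK: a zip holding fake dex/manifest bytes."""
    buf = io.BytesIO()
    dex = b"dex\n035\x00Lcom/example/app/MainActivity;\x00"
    manifest = "com.example.app.MainActivity".encode("utf-16-le")
    if with_branch:
        dex += b"Lio/branch/referral/Branch;\x00https://api.branch.io/v1/applist\x00"
        manifest += "io.branch.referral.InstallListener".encode("utf-16-le")
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", dex)
        zf.writestr("AndroidManifest.xml", manifest)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print("old build:", scan_apk(build_sample_apk(True)))
    print("new build:", scan_apk(build_sample_apk(False)))
```

`scan_apk` also accepts a file path, so it can be pointed at the binary produced by the new build before it is uploaded. A string scan misses classes renamed by an obfuscator, so an empty result is an indication rather than proof.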
#15

For the record, we are using:

  • Standard build (not ejected)
  • SDK 32

We have a privacy policy.

#16

Just following up that the updates to our remaining supported SDK (#s 26-31) version builders were deployed last night.

As @adamjnav mentioned above: once your version builder is updated, you’ll just need to build a new binary via expo build:android and submit it to the play store. Remember you can pass the --no-publish flag to the build command if you do not want to push any JS changes.

If your app is running a version older than that, you will have to update to an officially supported version.

We’ll be back here on this thread when ExpoKit versions are also updated.

Cheers,
Jess

1 Like
#17

Does use of Link.open(url) count as use of Branch module?

#18

Hey @simb4,

A good rule of thumb is if you have this

import { DangerZone } from 'expo';
let { Branch } = DangerZone;

in your code, you’re making use of the Branch module.

2 Likes
#19

Hi everyone,

Update on our current state in addressing this:

  • SDK 26-32 (all supported + current) version builders were updated on Monday night.
  • turtle-cli has also been updated
  • ExpoKit on SDKs 30, 31, and 32 has been updated
  • Read our blog post for more background and instructions for turtle-cli and ExpoKit SDK30-32 users.

For ExpoKit on SDK 26-29, we’re still in the process of backporting these changes and releasing ExpoKit patches.

—————————

Question for this thread!

It would help us keep investigating better solutions/workarounds to this if you can tell us what your android.permissions setting is in app.json. [cc @kaivosukeltaja @johnfredadams @fortumappse @angeleah]

Thanks,
Jess

1 Like
#20

@jess do you think it could be because of the InstallListener receiver? I had that in my AndroidManifest.xml