App Removed from Playstore- Violation of Personal and Sensitive Information policy

I did some deeper digging with ClassyShark, and couldn’t find any ‘branch’ references in the manifest or class files:

image

I asked Google if they could tell me exactly where in my APK Branch IO SDK was included, because I’m at a loss.

This also happened to me.

My app was removed due to Branch.io last week. I upgraded to Expo v32 and resubmitted earlier this week, which Google accepted and restored to the Play Store.

Today:

After review, Vaishnava Calendar, com.mattstone.vcal, has been removed from Google Play due to a policy violation. This app won’t be available to users until you submit a compliant update.

Issue: Violation of Personal and Sensitive Information policy

We’ve identified that your app is using an SDK or library that facilitates the collection and transmission of installed packages information without meeting the prominent disclosure guidelines.

If necessary, you can consult your SDK provider(s) for further information.

Next steps: Submit your app for another review

Read through the Personal and Sensitive Information policy and make the appropriate changes to your app.
Make sure your app is compliant with the User Data policy and all other Developer Program Policies. Additional enforcement could occur if there are further policy violations.
Sign in to your Play Console and upload the modified, policy compliant APK. Make sure to increment the version number of the APK.
Submit your app.
If you’ve reviewed the policy and feel this removal may have been in error, please reach out to our policy support team. One of my colleagues will get back to you within 2 business days.

No mention of the Branch.io SDK in this message. I’ve reached out to Google for further clarification.

Okay, thanks for asking them for more info!

Sorry for this complication, it’s our goal to make building apps easy and smooth, and unfortunately we are equally confused as to why this continues to happen even after removing the Branch module from Expo builds :frowning:

Let me know what Google comes back with :+1:
-Charlie

Same issue for me this morning:

Email from Google:

Hi Developers at Glue Digital Studio,

After review, MyFootballWriter, com.myfootballwriter.gluestudio, has been removed from Google Play due to a policy violation. This app won’t be available to users until you submit a compliant update.

Issue: Violation of Personal and Sensitive Information policy

We’ve identified that your app is using an SDK or library that facilitates the collection and transmission of installed packages information without meeting the prominent disclosure guidelines.

If necessary, you can consult your SDK provider(s) for further information.

Next steps: Submit your app for another review

1. Read through the Personal and Sensitive Information policy and make the appropriate changes to your app.
2. Make sure your app is compliant with the User Data policy and all other Developer Program Policies. Additional enforcement could occur if there are further policy violations.
3. Sign in to your Play Console and upload the modified, policy compliant APK. Make sure to increment the version number of the APK.
4. Submit your app.

If you’ve reviewed the policy and feel this removal may have been in error, please reach out to our policy support team. One of my colleagues will get back to you within 2 business days.

And my package.json file:

{
  "name": "my-football-writer",
  "version": "2.0.0",
  "description": "Hello Expo!",
  "author": null,
  "private": true,
  "main": "node_modules/expo/AppEntry.js",
  "dependencies": {
    "axios": "^0.16.2",
    "expo": "31.0.0",
    "lodash": "^4.17.4",
    "prop-types": "^15.5.10",
    "qs": "^6.5.0",
    "react": "16.5.0",
    "react-native": "https://github.com/expo/react-native/archive/sdk-32.0.0.tar.gz",
    "react-native-elements": "^0.16.0",
    "react-native-htmlview": "^0.13.0",
    "react-native-keyboard-aware-scroll-view": "^0.3.0",
    "react-native-router-flux": "^3.40.1",
    "react-navigation": "^1.0.0-beta.11",
    "react-redux": "^5.0.5",
    "redux": "^3.6.0",
    "redux-persist": "^4.9.1",
    "redux-promise": "^0.5.3",
    "redux-thunk": "^2.2.0"
  }
}

Hey @gluedigistu, sorry about this :frowning:

Have you already followed the steps lined out here? Especially-

You’ll want to put an updated (Branch-less) apk in every release track you have in the Play Store (not just the production track!). This includes alpha or beta versions of your app. If adding a new build to all release tracks doesn’t resolve this, you may need to delete your prior releases altogether.

Side note- is there any particular reason you’re using the Expo SDK 32 pinned react-native version, but Expo SDK 31?

Google “accepted my appeal” and said previous APK versions are what triggered the violation for Branch IO SDK. The APKs they referenced were not active, or part of any releases in any tracks, so I’m not sure how they could have triggered a violation, but there you have it.

The Play Store console also doesn’t provide any way to remove the old APKs, so hopefully this doesn’t continue to be an issue.

1 Like

@pstahleybg- hope this means you were able to get your app through? :pray:

Thanks for reaching out to them for clarification!

I too am facing this issue. I received a notification from the play store notifying me that my app was removed from the app store. Google explained:

“Your app is using the Branch IO SDK, which is uploading users Installed Packages information to https://api.branch.io/v1/applist without a prominent disclosure. Prior to the collection and transmission, it must prominently highlight how the user data will be used, describe the type of data being collected and have the user provide affirmative consent for such use.”

I read the forums and followed the instructions. I use expo 32.0.6 so the fix was as simple as building and re-deploying. The beta and alpha track have nothing on them:

After submitting the updated app without Branch IO my application was accepted, only to be removed again a few days later. The play store was more vague this time:

“We’ve identified that your app is using an SDK or library that facilitates the collection and transmission of installed packages information without meeting the prominent disclosure guidelines.”

I did not find any usage of branch functionality within my own app, and to be absolutely sure I downloaded the apk from the play store and could not find any mention of branch in the file. I appealed to the Google Play Store and received this response:

"During review, we found that your app is using an SDK(BranchIO SDK) or library that facilitates the collection and transmission of installed packages information without meeting the prominent disclosure guidelines.

If necessary, you can consult your SDK provider(s) for further information."

I am not sure how to proceed. Please let me know if there is any step that I have missed or any additional step I should take to resolve the issue.

Hey @charliecruzan

I don’t have any channels other than the production channel with APK files in them. I did have an app which used the branch API but I updated Expo to a more recent version (hence the issue with the Expo SDK version - I tried to do it all in a rush).

I’ll try reaching out to Google and see if they can manually approve it.

@jacksonkontny-i11,

Best route to proceed is asking Google for clarification, seems from comments such as this one that at least sometimes after submitting an appeal, apps that were rejected are then approved. But I would search through APKs for any usage of Branch before asking for an appeal (as done above).

It’s tough to say anything for sure since the rejection message gives so few details :confused:

@charliecruzan
Thanks for the response. To be clear, I did search through the APK for any usage of Branch before asking for an appeal. Here are the build artifacts on the play store:
image

I downloaded the latest build artifact (version 31) and grepped (case insensitive) for branch:

$ ls -la
total 65M
drwxr-xr-x   6 jacksonkontny staff 192 May 17 11:03 .
drwx------+ 15 jacksonkontny staff 480 May 17 11:03 ..
-rw-r--r--   1 jacksonkontny staff 16M May 17 11:00 30-1.apk
-rw-r--r--   1 jacksonkontny staff 16M May 17 11:00 30.apk
-rw-r--r--   1 jacksonkontny staff 16M May 17 11:00 31-1.apk
-rw-r--r--   1 jacksonkontny staff 16M May 17 11:00 31.apk

$ grep -ri branch ./*
Binary file ./30-1.apk matches
Binary file ./30.apk matches

You can see above that branch exists in the old version, but not the new version. Specifically the old version has a reference to:
fabric/io.branch.sdk.android.library.properties

Let me know if there is anything else I should look into, or anything else I am missing.
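A note on the check in the post above, with an added example that is not part of any post in this thread and is not Expo or Google tooling: `grep` over an `.apk` matches the archive's bytes as stored, so it sees ZIP entry names but not strings inside compressed entries, which usually includes `classes.dex`. The sketch below searches entry names and decompressed contents instead; the marker strings come from the thread, and the three in-memory archives and the class descriptor in them are constructed sample input.

```python
import io
import zipfile

# Markers taken from the thread: the package prefix of the properties file found
# in the old APK (dot and slash forms) and the host quoted in Google's notice.
MARKERS = (b"io.branch", b"io/branch", b"api.branch.io")


def raw_match(apk_bytes, word=b"branch"):
    """What `grep -i` over the .apk sees: the archive's bytes as stored."""
    return word in apk_bytes.lower()


def scan_apk(apk, markers=MARKERS):
    """Search entry names and decompressed contents; apk is a path, file or bytes."""
    if isinstance(apk, bytes):
        apk = io.BytesIO(apk)
    hits = set()
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            name = info.filename.lower().encode("utf-8", "replace")
            data = zf.read(info).lower()  # decompressed bytes, e.g. classes.dex
            for m in markers:
                if m in name:
                    hits.add((info.filename, "name", m.decode()))
                if m in data:
                    hits.add((info.filename, "content", m.decode()))
    return sorted(hits)


def build_sample(entries):
    """Constructed sample input: an in-memory ZIP with deflated entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed archives, not real APKs; the descriptor is sample content only.
DEX = b"\x00" * 256 + b"Lio/branch/referral/Branch;" + b"\x00" * 256
PROPS = "fabric/io.branch.sdk.android.library.properties"
OLD = build_sample({PROPS: b"v=1", "classes.dex": DEX})
DEX_ONLY = build_sample({"classes.dex": DEX})
CLEAN = build_sample({"classes.dex": b"\x00" * 512, "assets/app.bundle": b"var a=1;"})

if __name__ == "__main__":
    for label, blob in (("old", OLD), ("dex-only", DEX_ONLY), ("clean", CLEAN)):
        print(label, raw_match(blob), scan_apk(blob))
```

The `dex-only` sample is the case the raw `grep` misses: the reference exists only inside a deflated entry, so the byte search finds nothing while the per-entry scan reports it.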

@jacksonkontny-i11, as our blogpost regarding branch states:

If adding a new build to all release tracks doesn’t resolve this, you may need to delete your prior releases altogether.

That’s the only other step that seems likely to help, aside from reaching out to Google for clarification

@charliecruzan Thanks again for working with me. Would you mind elaborating on how we should go about deleting our prior releases altogether? We only have the production release. Are you suggesting we release an ‘empty’ apk, and then re-release the apk with “branch” removed?

The responses from Google Play Store have been vague and delayed, but I will continue to solicit more information from them.

No, sorry if I’m not being clear, I don’t have much experience with the Google Play store.

I wasn’t sure if it was possible that the archived artifact (v 30) which you confirmed does have Branch was causing the rejection. Would be odd, but it was just an idea :thinking:

Thank you sir. I’ll reach out to google, and in the meantime will see if I can get some clarification on what is meant in the blog post.

Hi @jacksonkontny-i11 - our most updated understanding is that it’s important to

(1) explain that the Branch module was bundled in with your apk as part of the Expo build process but (critically) unused, and you have since re-built your release to exclude the Branch module since you don’t want or need to use it, and deleted all other instances

(2) make sure the above is true.

We’ve seen a case or two similar to yours where the old inactive apks (which I believe you’re not able to touch) had the Branch module, but explaining the situation and that they’d fixed it going forward resolved the issue.

Cheers,
Jess

1 Like

Thank you all so much for the suggestions. Updating the alpha and beta tracks of my app to the latest apk and ensuring that no other old apk was still active in the “Release Management -> Artifact library” section fixed the issue and the app was back in the Play Store in under an hour.

2 Likes

Glad to hear that, @seekshiva! Hopefully others will follow suit and we can finally get back to some semblance of order and peace.

Hi all,

We are also facing the same issue. Which version of Branch SDK are you all using?

Thanks,
Meghana

@jess @charliecruzan

Thank you for your help. We have been approved to resubmit by the google play store! It took several appeal attempts, so for those of you that get rejected on your first appeal, do not lose hope. Here is the specific appeal thread that worked for me, so you all can follow it and hopefully find success in your appeal on the first try…

Unfortunately I don’t have access to the very first appeal I sent through the play store. Suffice to say I let the Play Store know about the issue with expo and that I resolved it, and that my app no longer uses the Branch IO SDK. They responded with a typical rejection template, including this message to help identify the issue:

"During review, we found that your app is using an SDK(BranchIO SDK) or library that facilitates the collection and transmission of installed packages information without meeting the prominent disclosure guidelines."

I responded to their team, using specific wording recommended by @jess:

BEGIN EMAIL

The Branch module was bundled in with my apk as part of the Expo build process but unused, and I have since re-built my release to exclude the Branch module since I don’t want or need to use it. Can you confirm that it is specifically the latest version of the application that is causing the rejection? If a previous version is causing the rejection, can you help me remove all references to the previous version, as I no longer want to expose that version to our users.

To elaborate on why I believe that Branch IO does not exist on version , I downloaded the apk for the latest version of our app as well as a previous version and looked for the BranchIO SDK. I also grepped (case insensitive) for branch within those files:

$ ls -la
total 65M
drwxr-xr-x   6 jacksonkontny staff 192 May 17 11:03 .
drwx------+ 15 jacksonkontny staff 480 May 17 11:03 ..
-rw-r--r--   1 jacksonkontny staff 16M May 17 11:00 30-1.apk
-rw-r--r--   1 jacksonkontny staff 16M May 17 11:00 30.apk
-rw-r--r--   1 jacksonkontny staff 16M May 17 11:00 31-1.apk
-rw-r--r--   1 jacksonkontny staff 16M May 17 11:00 31.apk

$ grep -ri branch ./*
Binary file ./30-1.apk matches
Binary file ./30.apk matches

You can see above that branch exists in the old version, but not the new version. Specifically the old version has a reference to:

fabric/io.branch.sdk.android.library.properties

END EMAIL

Whether or not I just got lucky or this email has the magic combination of key words to get past the play store gate keepers is hard to say, but if you’re getting rejected by the Play Store, responding to their rejection with a message like this is worth a shot.

1 Like