Search Unity

  1. How can our website serve you better? Give us your feedback. Take our survey and let us know.
    Dismiss Notice

Google Play keeps detecting collection of personal and sensitive information, rejecting my app

Discussion in 'Android' started by _Adriaan, May 7, 2020.

  1. JeffDUnity3D

    JeffDUnity3D

    Unity Technologies

    Joined:
    May 2, 2017
    Posts:
    10,698
    Good point. If they are indeed inspecting the binary, then you would want to use the latest 2018.4, 2019.4, and 2020.* versions of Unity.
     
    Last edited: Jun 18, 2020
  2. JeffDUnity3D

    JeffDUnity3D

    Unity Technologies

    Joined:
    May 2, 2017
    Posts:
    10,698
    IAP only requires Analytics during installation and in the Editor, not at runtime.
     
  3. Alima-Studios

    Alima-Studios

    Joined:
    Nov 12, 2014
    Posts:
    71
    I have one game complied with 2020.1.0b11 still alive ...
     
  4. ihgyug

    ihgyug

    Joined:
    Aug 5, 2017
    Posts:
    186
    2018.4.24 not yet available
     
  5. CanisLupus

    CanisLupus

    Joined:
    Jul 29, 2013
    Posts:
    426
    @JeffDUnity3D What do we do if we are on 2017 and don't have Pro?
    upload_2020-6-19_9-25-2.png

    One of our apps is using 2017.4.39 and was rejected even though it disables all analytics:

    upload_2020-6-19_9-25-50.png

    Meanwhile Google accepted one of our apps (which is using 2018.4.11) after disabling all analytics and HW Statistics. In 2018 we can.
     
  6. CanisLupus

    CanisLupus

    Joined:
    Jul 29, 2013
    Posts:
    426
    Also, it seems very bad that the Services tab seems to imply that Analytics are required for IAP when they aren't. We would have disabled it for most of our apps.
     
  7. JuliusM

    JuliusM

    Unity Technologies

    Joined:
    Apr 17, 2013
    Posts:
    633
    The best solution would be to upgrade to Unity 2018 once the version with the fix is released. Since you have many apps published with Unity 2017, that will likely won't be possible, so the next best thing is to disable HWstats and analytics as mentioned here https://forum.unity.com/threads/goo...rmation-rejecting-my-app.885223/#post-5997200 if you can't do that, then the only option left would be to change the target audience to be 13 years old and older.
    Also note that 3rd party plugins could also be accessing Advertisement ID, so you have to consider them as well. There is this API https://docs.unity3d.com/ScriptReference/Application.RequestAdvertisingIdentifierAsync.html which could even be used by your own scripts.
    The problem with releasing another version of 2017 is that all of our build and verification infrastructure for that version was removed once the support has ended.
     
    CL-bburrage likes this.
  8. lkmad

    lkmad

    Joined:
    Jan 28, 2016
    Posts:
    4
    Agreed.

    It has always been my impression that without Analytics, IAPs won't work. Therefore both should always be installed, and as far as I could always tell they autoenabled the moment you turned IAPs on.
     
  9. AcidArrow

    AcidArrow

    Joined:
    May 20, 2010
    Posts:
    7,955
    So which one is it?
    known.png
     
    alex31016 and CanisLupus like this.
  10. coshea

    coshea

    Joined:
    Dec 20, 2012
    Posts:
    307
    So here is an important question, it seems from the earlier posts that even if you have analytics turned off and no plugins that cause outgoing traffic, Google is scanning the apks for reference to Android Device ID and Advertisting ID. Even if you aren't using them, but they are included as part of the Unity code that we can't access, they are causing app removals.

    This was the same issue in iOS, but there was at least a solution to manually remove these references posted in the xcode project. Is there any way to do this on Android?

    Also is there any way to take your apk from Unity and scan for Android Device ID and Advertisting ID yourself somehow?
     
  11. JuliusM

    JuliusM

    Unity Technologies

    Joined:
    Apr 17, 2013
    Posts:
    633
    It shouldn't be mentioned in the known issues section.
    Screenshot 2020-06-19 at 16.08.20.jpg
     
  12. JuliusM

    JuliusM

    Unity Technologies

    Joined:
    Apr 17, 2013
    Posts:
    633
    This was an issue for iOS, but it's not an issue for Android. The detection happens when the Android ID or Advertising ID is accessed.
     
  13. CL-bburrage

    CL-bburrage

    Joined:
    Sep 7, 2018
    Posts:
    3
    @JuliusM @JeffDUnity3D Confirmed that the HW Stats fix worked for one of our 2017 LTS apps (we threw in the Analytics manifest fix too just in case). The app was approved for publishing this morning! So we will work on all the others.

    Thank you both so much!

    Indeed planning a step-wise upgrade to 2018 LTS and work up the chain.
     
    JuliusM likes this.
  14. chriszul

    chriszul

    Joined:
    Feb 13, 2018
    Posts:
    33
    My company had 3 apps removed from play store yesterday with this exact message.
    Updating our apps to Unity 2020.1.b12 did not work, app updates were still rejected.
    I am trying a build with the runtime analytics deactivation code today - but your response is not clear which RuntimeInitializeLoadType to use to properly deactivate analytics? @JeffDUnity3D

    https://docs.unity3d.com/ScriptReference/RuntimeInitializeLoadType.html
     
  15. SlimeProphet

    SlimeProphet

    Joined:
    Sep 30, 2019
    Posts:
    50
    This is a bummer. We moved to Unity because the devs of our prior engine couldn't keep it up to date with Apple's and Google's requirements. I thought Unity would be too big to fail like this.

    Does Unity have a history of this kind of problem, of having apps rejected and pulled because of failure to meet platform requirements?
     
  16. chriszul

    chriszul

    Joined:
    Feb 13, 2018
    Posts:
    33
    @JeffDUnity3D
    I'm using unity 2020.1.b12, and my app has IAP so I used your above code snippet to make sure all analytics are turned off. It's called using both of RuntimeInitializeLoadType.BeforeSplashScreen
    and
    RuntimeInitializeLoadType.SubsystemRegistration

    This latest build of my app since the app was taken down has also been rejected by the play store saying the app collects personal information from children. The app collects no information and google have repeatedly ignored queries about what data they are detecting.

    We're not willing to say that we collect PII from children as that is not true and for a kid's app is incredibly bad and would require verifiable consent from a parent. This is an extremely serious issue. Please update on any ideas as to how we can modify our app to prevent any and all access to PII in our app which the Unity engine is doing!
     
  17. Swah

    Swah

    Joined:
    May 13, 2015
    Posts:
    51
    @JeffDUnity3D thanks for helping us figure this out. One of our app for kids was removed from the store as well.

    We sent a new version which also got rejected. It is on 2017.4.40f1, has Unity IAP and therefore Analytics is enabled in the editor. We disable HW statistics and analytics at runtime as soon as we can:

    [RuntimeInitializeOnLoadMethod(RuntimeInitializeLoadType.BeforeSceneLoad)]
    static private void OnBeforeFirstSceneLoads()
    {
    /// prevent the transmission of any personal information such as IP address to Unity servers.
    /// We can't remove unity analytics entirely, because it is required for Unity's IAP package.
    Analytics.enabled = false;
    Analytics.initializeOnStartup = false;
    Analytics.limitUserTracking = true;
    Analytics.deviceStatsEnabled = false;
    PerformanceReporting.enabled = false;
    }

    Note that Analytics.limitUserTracking is set to true, as opposed to what Jeff wrote earlier in this post.

    Is there anything else we can try under Unity 2017 to get accepted by Google? @CL-bburrage mentions a manifest fix, I'm assuming that can't work for apps with IAP / Analytics?
     
  18. Aca

    Aca

    Joined:
    Apr 22, 2014
    Posts:
    8
    After being rejected because my app gathered data from children (Unity 5.6.0f3) I moved my project to 2019.4.1f1 and resubmitted the app to the play store again and I just received email from them that my app is again rejected... But this time they saying that my privacy policy is wrong but I'm using https://unity3d.com/legal/privacy-policy

    Are there any privacy-policy which I can use for the app for 3+ children? I can't write privacy-policy on my own.

    Also I have tried _Adriaan solution and it didn't worked too.

     

    Attached Files:

  19. chriszul

    chriszul

    Joined:
    Feb 13, 2018
    Posts:
    33
    So as it turned out, I did have to disclose in the play console that we collect personal data, as we do actually use device id for data security. I had the app updated to 2020.1.b12 and all analytics turned off too, so it's unclear which thing was causing the problem really, maybe all of them. But it's ok and republished now so thanks for the pointers @JeffDUnity3D .
     
  20. zapposh

    zapposh

    Joined:
    Nov 12, 2016
    Posts:
    115
    Same problem here. Premium game that uses or collects nothing external removed from Google Play, out of the blue.
    From the above messages this issue does not seem to be fixed. ETA for 2019.4.x? (not upgrading to an unstable beta)
     
  21. Aca

    Aca

    Joined:
    Apr 22, 2014
    Posts:
    8
    I can confirm that my app is accepted with Unity 2019.4.1f1 but also I'm using my own privacy policy now. Unity 2019.4.1f1 and https://unity3d.com/legal/privacy-policy together violate Families Policy requirements.
     
    musicmachine likes this.
  22. lkmad

    lkmad

    Joined:
    Jan 28, 2016
    Posts:
    4
    When is 2018.4.24 going to be released with the fix? They just kicked out two more of my games.
     
    ElasticSea, AcidArrow and ihgyug like this.
  23. jerome-lacoste

    jerome-lacoste

    Joined:
    Jan 7, 2012
    Posts:
    185
    Question: did you have to answer Yes to the question: "Does your app collect any personal and sensitive information?"

    Or was adjusting your privacy policy sufficient?

    Thanks

    upload_2020-6-25_12-7-55.png
     
    Shin_Toasty likes this.
  24. dorusoftware

    dorusoftware

    Joined:
    Jul 5, 2012
    Posts:
    281
    How this page works?

    https://unity3d.com/unity/whats-new/2019.4.1

    It says in the "
    Known Issues in 2019.4.1f1"

    that

    Android: APK cannot be published to Google Play because Unity doesn't meet the Families Policy Requirements (1246484)

    but on clicking on the bug link it stated

    Fixed in 2020.2.0a14, 2020.1.0b12, 2019.4.1f1, 2018.4.24f1

    So is it fixed or not? What page have the precedence, the bug tracker page or the known issues page? I don't want to download this version just to have a new lts version in two days available.
     
  25. Aca

    Aca

    Joined:
    Apr 22, 2014
    Posts:
    8
  26. CanisLupus

    CanisLupus

    Joined:
    Jul 29, 2013
    Posts:
    426
    For the record, updating to Unity 2019.4.1f1 didn't solve our problem, even though all analytics are disabled. This is probably because we are calling SystemInfo.deviceUniqueIdentifier to identify repeated usages of our app licenses so we don't count them as being used in a different device (even though we hash the value and only use the first 5 bytes, they don't know that).

    However, Google has accepted 2 of our apps that also target kids, have analytics disabled, and use this identifier. Those apps in fact use Unity 2018.4.11f1, which doesn't have the fix. Why? Right now we think this is due to those apps implementing a privacy policy acceptance screen on start.

    So what we're going to do now is implement that screen in the failing apps and see if they like it. It has been IMPOSSIBLE to get any response out of them. They take weeks to reply and when they do they say they can't say what our app is sending via the network and that they can't do anything. Incredibly frustrating.
     
  27. AcidArrow

    AcidArrow

    Joined:
    May 20, 2010
    Posts:
    7,955
    Maybe the change to have the game always access user data was a recent Unity change.
     
  28. CanisLupus

    CanisLupus

    Joined:
    Jul 29, 2013
    Posts:
    426
    Possible, but we changed too many things in those apps to be sure of what fixed it. Hopefully tomorrow we'll know if adding a privacy policy screen to the other apps was enough for Google.
     
  29. CanisLupus

    CanisLupus

    Joined:
    Jul 29, 2013
    Posts:
    426
    Update: No, adding a privacy policy screen was not enough for them. They still won't tell us what is wrong, and this is infuriating.

    UPDATE 2: We have two apps that are very similar, same target audience, same permissions, same settings on play store, uploaded with same Unity version, analytics disabled, privacy policy screen on startup, no personal information collection, both use the SystemInfo.deviceUniqueIdentifier but hashed and only the first 5 bytes of that hash. -----> One was rejected and the other wasn't. They do whatever they want in the reviews and there's no way to TALK to them. The back and forth from the form is a joke. It's ridiculous!
     
    Last edited: Jul 6, 2020
  30. coshea

    coshea

    Joined:
    Dec 20, 2012
    Posts:
    307
    But my point is, if you aren't using analytics or any plugins that do, you are still getting rejected, as per Adrian post above and also this thread

    https://forum.unity.com/threads/cop...-and-advertising-id-even-in-empty-app.879124/

    So is Unity accessing the androidid and ad id, even if you aren't using it, in the same way that the code was active on iOS even if not used?
     
  31. www_3dart_es

    www_3dart_es

    Joined:
    May 24, 2013
    Posts:
    213
    Hello, I had an app compiled with Unity 2018.3.8 from around 1 year ago and it was approved for Google Designed for Families since this date.

    Yesterday I received an email saying that it was removed due to policy violations:

    Issue with your app
    We detected that your app collects personal and sensitive information from children, but this was not disclosed in your Play Console.


    About the Families Policy Requirements
    Apps that include children in the target audience must comply with all Families Policy Requirements, which requires that you disclose the collection of any personal and sensitive information in your app, including through APIs and SDKs called or used in your app.

    Publishing status: Removed
    Your app has been removed due to this policy issue. This app won’t be available to users until you submit a policy-compliant update.


    I am using UNITY ADS and UNITY ANALITICS in my app.

    I noticed that in UNITY DASHBOARD -> PROYECT SETTINGS there is a new "Google Designed for Families" option that wasn´t there when I first submit my app last year. It is disabled. I enabled it and submit again, and it was rejected again.

    What I need to check more to be compliant with the Designed for families program at this date?

    Thanks in advance.
     
  32. lkmad

    lkmad

    Joined:
    Jan 28, 2016
    Posts:
    4
    This has worked for me: https://forum.unity.com/threads/goo...n-rejecting-my-app.885223/page-2#post-6021617
     
  33. JeffDUnity3D

    JeffDUnity3D

    Unity Technologies

    Joined:
    May 2, 2017
    Posts:
    10,698
    You can confirm yourself what is being sent over the wire by using Charles Proxy. Add the attached CharlesProxy.unitypackage to your project so you don't need to export to Android Studio, remove it prior to release https://support.unity3d.com/hc/en-us/articles/115002917683-Using-Charles-Proxy-with-Unity
     
  34. MergeVR

    MergeVR

    Joined:
    May 7, 2014
    Posts:
    8
    Is there a rough eta for version 2018.4.24f1?
     
  35. JeffDUnity3D

    JeffDUnity3D

    Unity Technologies

    Joined:
    May 2, 2017
    Posts:
    10,698
    It looks like mid July
     
  36. JuliusM

    JuliusM

    Unity Technologies

    Joined:
    Apr 17, 2013
    Posts:
    633
    First of all note that people are talking about many different Unity versions and things have changed overtime. In Unity 2017 we had hardware statistics option which was collecting advertisingID, however that was fully controlled by the analytics in later Unity versions. There are multiple things that could be using advertisingID: analytics, ads, scripts through our API or reflection, 3rd party plugins. It's not just "an issue caused by analytics" which would go away by disabling them - the analytics in this case was a product that should not have accessed adsID and that was fixed. If your app was removed form the playstore and disabling analytics fixed the issue, then using a previously mentioned Unity versions is a solution. With new Unity versions analytics can be enabled even when targeting kids category. In all other cases - either the thing that accesses adsID should not be used or the app should not target kids category. I'm not sure how specifying privacy policy affects those cases, but that might be a solution as well.
    When we were verifying the analytics fix, we have created a default empty project with analytics enabled - built an apk and sent it to Google. They have confirmed that the apk was not accessing adsID. So if your project gets rejected even when analytics or ads are not used - there should be some other things using it. The core Unity product does not use adsID.
    Unity was accessing adsID when analytics were enabled, but without them an empty project does not access adsID even before the recent fix. Of course if you are using ads, then it would be expected that adsID could be used. However I'm not familiar with the ads package, so I don't know if they really use it and if they have options to limit its usage.
    For iOS the code was in the codebase but it wasn't called. That code was detected during the code analysis. For Android we also have the code for accessing adsID in our lib (for Unity 2018 and 2019, but it was removed in 2020) to accommodate this API https://docs.unity3d.com/ScriptReference/Application.RequestAdvertisingIdentifierAsync.html however it does not cause any problems if it's not getting called. AdsID usage is detected when the Java API is called for it. It's not detected by the code analysis or when / if it is transmitted over the network.
     
  37. AcidArrow

    AcidArrow

    Joined:
    May 20, 2010
    Posts:
    7,955
    Please add a checkbox that makes our games not collect or access anything at all, thanks.
     
  38. ihgyug

    ihgyug

    Joined:
    Aug 5, 2017
    Posts:
    186
    Google clearly mentions the device ID as personal information, so the last updates most likely just by-pass their auto-checks (which probably looks for the advertising ID more than the device ID).
    They always had these policies but only lately they seem to enforce them, which makes me believe that in the future even the device ID will give trouble. I wish they would give a warning prior to removing apps, and that unity/google would cooperate better to fix these important issues before they affect you.

    And to those having issues using this policy : "https://unity3d.com/legal/privacy-policy", you better change it as they clearly want the policy to mention your game and to be overall "personal" (there are plenty of free solutions out there if you don't have a website or your website isn't ready yet).

    Anyway, stating that your app collects personal information (even if you don't do it "willingly") and using your own policy is likely to be a stable fix for long, if your target is not primarily children (you are not enrolled in the family programme).

    Still gonna update to 2018.4.24 when it's ready, as not collecting something you don't use is always a nice thing ;)
     
  39. musicmachine

    musicmachine

    Joined:
    May 11, 2017
    Posts:
    2
    Bafflingly, my app has gone from 'Removed' to 'Published' again, without me changing it. I've uploaded a new version, but it's still at the alpha stage, I don't know if that's related. No explanation from Google. Has anyone else had this happen?
     
  40. JeffDUnity3D

    JeffDUnity3D

    Unity Technologies

    Joined:
    May 2, 2017
    Posts:
    10,698
    I've heard they may check archive versions too, did you remove any previous versions?
     
  41. musicmachine

    musicmachine

    Joined:
    May 11, 2017
    Posts:
    2
    Not as far as I know. I wonder if it's a bug on their side, that they check the new version, and that automatically re-approves the removed one? I've emailed them for an explanation, I'll post here if I hear anything.
     
  42. dorusoftware

    dorusoftware

    Joined:
    Jul 5, 2012
    Posts:
    281
    that will be a great solution.
     
    alex31016 and AcidArrow like this.
  43. Swah

    Swah

    Joined:
    May 13, 2015
    Posts:
    51
    @JuliusM thanks for the detailed answer.

    You mention disabling Unity Analytics to get around the problem in older versions. Since we can't remove the analytics package from the project (we're using IAP), the only option in unity 2017 would be to disable analytics in code. My previous post explains how I have tried to do that, but the app is still getting rejected. GP says we're accessing both advertisingID and device ID.

    Can you confirm there is no viable way to use Unity IAP and be in GP's kid category using Unity 2017, or if there is something else I can try beside updating to 2018 when it is released?
     
  44. JeffDUnity3D

    JeffDUnity3D

    Unity Technologies

    Joined:
    May 2, 2017
    Posts:
    10,698
    Would you be able to obtain a Charles Proxy capture? I suspect that IAP may be sending a transaction event, even if Analytics is disabled at runtime. A Charles capture would confirm. It could be another component sending information too. You should be able to test without publishing to Google by installing directly to your Android device via USB. Add the CharlesProxy.unitypackage attached to the article prior to testing, remove it prior to release https://support.unity3d.com/hc/en-us/articles/115002917683-Using-Charles-Proxy-with-Unity
     
  45. Swah

    Swah

    Joined:
    May 13, 2015
    Posts:
    51
    @JeffDUnity3D thanks for the follow-up. I was able to confirm through Charles that no events are sent to unity servers when starting the app. Before implementing the various analytics disabling variables I was definitively seeing calls to Unity through Charles.

    We use Unity IAP to confirm if the user has already bought the app when we first start it. I do see calls to google servers but I see nothing going out to unity. There's the slim chance that Unity IAP sends more data when making an actual purchase (something I can't test easily here). I doubt that's the case though and that Google Play automatic test includes automatically making purchases.

    My hypothesis is that Unity Analytics or IAP calls SystemInfo.deviceName (and maybe the equivalent for ads) in Unity 2017 and that there is no way for developers to prevent this at runtime.
     
  46. JeffDUnity3D

    JeffDUnity3D

    Unity Technologies

    Joined:
    May 2, 2017
    Posts:
    10,698
    It's easy to test an IAP purchase. A real purchase would only be .99 cents :) and you can also configure test users so the credit card doesn't get charged. You need to confirm with an actual purchase https://docs.unity3d.com/Manual/UnityIAPGoogleConfiguration.html
     
  47. Swah

    Swah

    Joined:
    May 13, 2015
    Posts:
    51
    @JeffDUnity3D: I was able to confirm there is at least one event sent to Unity when making a purchase:
    upload_2020-7-1_13-12-37.png
    As you can see I don't have the proper certificate installed so I can't see the details of the call. I have limited time today to do another build / test. Will getting the details of this call help you at all, or should it just not be sent at all given my efforts to disable analytics at runtime?

    It seems like the root cause of the problem could be either A) Unity making calls to android APIs in methods like SystemInfo.deviceName, or B) unity sending ad ID / deviceID in some instances. We could likely eliminate B) with further testing, but I don't see how I could investigate A) myself.
     
  48. JeffDUnity3D

    JeffDUnity3D

    Unity Technologies

    Joined:
    May 2, 2017
    Posts:
    10,698
    That call is concerning, I have let the IAP team know.
     
  49. Swah

    Swah

    Joined:
    May 13, 2015
    Posts:
    51
    Ok great to know, thank you for following up on this. Let me know if you need more information.

    So at this stage I'm either waiting to hear if Unity 2017 can be fixed to not send this call, or for the latest 2018 version. The ideal for me and I'm sure several other developers would be to stay on 2017 if at all possible.
     
  50. Shin_Toasty

    Shin_Toasty

    Joined:
    Jun 15, 2017
    Posts:
    46
    Just adding my experience to the thread. Once I changed No to Yes as shown here


    I resubmitted and 2 days later my game is now back on the play store. It was made with 2019.1.9f1 Personal and doesn't actually collect any information, but by confessing my sins thusly I was absolved. I decided it was best to just get my game back out there rather than create a new build.
     
    alex31016 likes this.
unityunity