The app landscape is constantly changing, and with it, app market owners have to adapt their policies to keep up. Google today announced a bunch of Google Play Store policies that will be enacted in the coming months, ranging from minor to quite significant. Some changes will actually only be noticed by developers, but some, such as subscription cancellations, should be immediately apparent to users.
If you have an app that may violate any of these policies, Google says that all new and existing apps will receive a grace period of at least 30 days from July 27, 2022 (unless otherwise noted) to comply with the following changes.
Changes to the Google Play Store policies
USE_EXACT_ALARM permission restriction (effective July 31, 2022)
The first policy change to come into effect will affect developers targeting API level 32 or Android 13. Google introduced the USE_EXACT_ALARM permission with Android 13 beta 2. For an app using this permission to be approved for distribution on the Google Play Store, it must meet the following criteria.
- Your app is an alarm clock app or a clock app.
- Your app is a calendar app that shows notifications for upcoming events.
When it announced the USE_EXACT_ALARM permission, Google said that this policy change was coming.
Limitation of health disinformation and impersonation (effective August 31, 2022)
The first policy change that will go into effect and affect all users will limit the spread of health disinformation and aim to prevent impersonation. The following are considered health disinformation violations:
- Misleading claims about vaccines, such as that vaccines can alter one’s DNA.
- Advocacy of harmful and unapproved treatments.
- Advocacy of other harmful health practices, such as conversion therapy.
Regarding impersonation, the following are considered violations of the new impersonation policy:
- Developers who falsely imply a relationship with another company / developer / entity / organization.
- Apps whose icons and titles falsely imply a relationship with another company / developer / entity / organization.
- App titles and icons so similar to existing products or services that users may be misled.
- Apps that falsely claim to be the official app of an established entity. Titles such as “Justin Bieber Official” are not permitted without the necessary permissions or rights.
- Apps that violate the Android brand guidelines.
Better interstitial ads and simpler subscription cancellation (effective September 30, 2022)
Have you ever dealt with an interstitial ad that seemed to come out of nowhere, or stayed on screen for too long? Google is now limiting how developers can use them in their apps to improve the user experience. Google says developers may not show ads to users in the following unexpected ways.
- Full-screen interstitial ads of all formats (video, GIF, static, etc.) that appear unexpectedly, typically when the user has chosen to do something else, are not allowed.
- Ads that appear during gameplay at the beginning of a level or at the beginning of a content segment are not allowed.
- Full-screen video interstitial ads that appear before an app’s loading screen (splash screen) are not allowed.
- Full-screen interstitial ads of all formats that cannot be closed after 15 seconds are not allowed. User-activated (opt-in) full-screen interstitials or full-screen interstitials that do not interrupt user actions (for example, after the score screen in a game app) can persist for more than 15 seconds.
As for subscriptions, it must now be easy for a user to cancel one. The cancellation option must be visible in the app’s account settings (or an equivalent page) by including the following:
- A link to the Google Play Subscription Center (for apps that use the Google Play billing system); and / or
- direct access to your cancellation process.
Restrictions on stalkerware and apps using VPNService, and required compliance with FLAG_SECURE
Apps that can be used to track people will always be controversial, but some believe they can serve as an effective parenting tool. Others may want to use them so that their family members can keep an eye on them while they are out, particularly in cases where they may be in a dangerous or unsafe place. However, these tools are often misused, and Google is making some changes to reduce that misuse. Monitoring apps must declare an “IsMonitoringTool” metadata flag and must also adhere to the following:
- Apps must not present themselves as a secret spying or surveillance solution.
- Apps must not hide or mask tracking behavior or attempt to mislead users about such functionality.
- Apps must present users with a persistent notification at all times when the app is running and a unique icon that clearly identifies the app.
- Apps must disclose monitoring or tracking functionality in the Google Play Store description.
- Apps and app listings on Google Play must not provide any means to activate or access features that violate these terms, such as linking to a non-compliant APK hosted outside of Google Play.
- Apps must comply with all applicable laws. You are solely responsible for determining the legality of your app in its target locale.
As for apps that use VPNService, Google cracked down a long time ago on ad-blocking apps on the Play Store, including those that used VPNService essentially just to filter out ad servers. Now the company says that only apps that use VPNService and have VPN as their core feature can create a secure, device-level tunnel to a remote server. There are exceptions though, and those include:
- Apps for parental control and business management.
- App usage monitoring.
- Device security apps (e.g. antivirus, mobile device management, firewall).
- Network-related tools (for example, remote access).
- Web browsing apps.
- Operator apps that require the use of VPN functionality to provide telephony or connectivity services.
VPNService should not be used to perform the following operations:
- Collect personal and sensitive data of users without obvious disclosure and consent.
- Redirect or manipulate user traffic from other apps on a device for monetization purposes (for example, by redirecting ad traffic through a country other than the user’s country).
- Manipulate ads that can impact app monetization.
Finally, apps must now comply with FLAG_SECURE. Apps must also not facilitate or create workarounds to bypass FLAG_SECURE settings in other apps. FLAG_SECURE is what prevents some content from appearing in screenshots or on untrusted displays. Apps that qualify as an accessibility tool are exempt from this requirement, as long as they do not stream, save, or cache FLAG_SECURE protected content for access off the user’s device.
Google cracks down on deceptive apps
It’s great to see Google cracking down on deceptive apps and limiting the capabilities of stalkerware and the like. However, there will of course also be regular apps caught in the crossfire, as there generally are when changes like these come into play. For example, will DuckDuckGo now be in trouble, as the app has a VPN capable of blocking ads at the device level?
Deceptive apps come in all shapes and sizes, and it’s difficult to selectively implement criteria that don’t also affect perfectly reasonable apps. We’ll be sure to keep an eye out and see if more changes might be on the horizon for some of our favorite apps!
Via: Mishaal Rahman