App removed from Google Play due to policy violation with Branch

Hi all,

Thank you @ongilgil, @adamjnav for your help. Nothing works for us.

I’m going crazy with this story. I rebuilt the application 5 times, upload, deploy… No problem… I deleted the old apk. Remove BETA, TEST. I have condition of use page accessible in our application, google play and our website.

I am waiting for 7 days. I contacted google support last Thursday, no response. During this time our service is inaccessible for our customer.

Silence… without any feedback from google impossible to understand where come from the problem. I do not know what to do.

Here is the mail we received last week :

Hi Developers at ****************,

After review, ****************, ****************(Version Code:2), has been removed from Google Play due to a policy violation. This app won’t be available to users until you submit a compliant update.

Issue: Violation of Personal and Sensitive Information policy

We’ve identified that your app is using an SDK or library that facilitates the collection and transmission of installed packages information without meeting the prominent disclosure guidelines.

If necessary, you can consult your SDK provider(s) for further information.

Next steps: Submit your app for another review

Read through the Personal and Sensitive Information policy and make the appropriate changes to your app. Your app is using the Branch IO SDK, which is uploading users Installed Packages information to https://api.branch.io/v1/applist without a prominent disclosure. Prior to the collection and transmission, it must prominently highlight how the user data will be used, describe the type of data being collected and have the user provide affirmative consent for such use. Make sure to also post a privacy policy in both the designated field in the Play Developer Console and from within the Play distributed app itself.
Make sure your app is compliant with the User Data policy and all other Developer Program Policies. Additional enforcement could occur if there are further policy violations.
Sign in to your Play Console and upload the modified, policy compliant APK. Make sure to increment the version number of the APK.
Submit your app.
If you’ve reviewed the policy and feel this removal may have been in error, please reach out to our policy support team. One of my colleagues will get back to you within 2 business days.

Best,

Lori

Google Play Review Team

After resending your apk and deleting the troubled version, be sure to resubmit your app.:

In order to show your app on Google Play, please submit your app again:

1. Sign in to your Play Console.
2. Select your app.
3. Select Store presence > Store listing .
4. Click Submit update or Resubmit app .

If the submit button is grayed out, you can make a minor change to your store listing to activate the button. For example, add a space after your app title and then delete it. Once the button turns blue, you can submit your update.

If you’re an AdMob publisher, please contact the AdMob team to re-enable ad serving.

For those who still seem to be affected, can you please:

• Ensure you have put an updated (Branch-less) apk in every release track for your app, not just the production track

• Check to make sure you don’t have any old builds containing branch in your alpha, beta and internal tracks

Hi everyone, Alex from the Branch team here .

I’d like to apologize for this confusion and clarify the situation with a bit of background.

Branch is a mobile measurement and deep linking platform. We exist to do two things: 1) help developers offer awesome, seamless user experiences (e.g., deferred deep linking and referral programs), and 2) provide accurate measurement so developers are able to see how their user acquisition campaigns (ads, email, social media, smart banners, etc.) are performing.

Early in 2015, Branch introduced an analytics functionality that would read the package names of other apps installed on the device, intending to provide metrics around this to developers. Gathering this data was common practice for many apps and not a violation of Play Store policies. We sunset this product in early 2016 and updated our API to silently drop this data whenever it was sent by the SDK. However, the code itself remained in the Android SDK.

Google informed us in 2017 that, even though Branch is not storing or using the data, this API endpoint should be removed and that apps using older versions of the Branch SDK should be updated to the current version to remain in compliance. We removed the API endpoint and worked with app developers to encourage SDK updates. Google recently reached out and wants to take more aggressive action on apps that still contain non-compliant SDK versions in older APKs.

Basically, there are two situations that cause Google to flag an app in the way you’ve been observing in this thread:

1. Your app is still using an old version of the Branch SDK in the current release (< v2.11.0 of the native Branch Android SDK, which was < v2.0.0 of the Branch React Native wrapper, which appears to be < v28.0.0 of the Expo SDK)
2. The version of the Branch SDK in your current release is safe, but older APK versions still exist in the Play Store Console that contain a non-compliant SDK version.

For developers using Expo, this appears to be more complicated for two reasons:

1. It appears the Expo SDK contained a non-compliant version of the Branch SDK until mid-2018.
2. Due to Expo’s automatic module handling (which as noted above, has now been temporarily updated to exclude the Branch module), you might not have even realized that the Branch SDK is in older APK versions on the Play Store.

Fortunately, resolving this is pretty straight-forward: once 1) the current release of your app is updated and 2) older APKs are removed (in this case, I believe that would mean removing any app build created with a version of Expo SDK older than v28.0.0), you should have no further issue from Google.

I’ve been in touch with the Expo team to make sure we have a path forward for getting the Branch module back in ExpoKit. In the meantime, please feel free to reach out to support@branch.io with any specific questions or concerns.

Thank you for your support. I have updated the branch sdk for android to the latest (3.1.0) and I am in the process to redeploy the app, is there any need to update my privacy policy to mention branch ?

Is there anyone who has his app removed, then reinstated it successfully ?

@andolad After my app was removed, I received an email from google play support stating that "We’ve identified that your app is using an SDK or library that facilitates the collection and transmission of installed packages information without meeting the prominent disclosure guidelines. "

Capture983×504 17 KB

Google then reinstated it successfully after I updated Branch sdk on it, and republished it on all release track where apps with older versions of Branch existed

I’m using import { Linking } from 'react-native'. Looks like it shouldn’t count. But my app were removed twice
May be Link is using Branch?

I was able to reinstate my app. I was on a very old version (v24.0.0) of Expo and had a lot of trouble trying to upgrade the project to the newest version. Eventually I decided to rebuild the whole app on top of a fresh v32.0.0 and eject after that. My app has now been back online for a couple of weeks so looks like that did the trick.

Thanks to everybody sharing their experiences and tips in this thread, and especially to the Expo and Branch crew for the support!

No, it definitely does not use Branch.

Hi team,
Our app also got removed from play store. To fix this we removed compile 'io.branch.sdk.android:library:2.6.1' from build.gradle after following this article. We republished our app on April 29 and it got removed again because we didn’t remove older versions. On May 3 we republished after removing older versions and just yesterday we received another removal email from play store.

We are not able to rectify the issue and need help.

Thanks,

Hey @nishantn41,

Did Google specifically say in the rejection that it was due to Branch? I would try and get clarification from them. Some users have had their apps rejected, only to resubmit and have them accepted without any changes made.

Also- jsut want to make sure you followed the rest of the Expokit instructions in that article? As in updating your expokit version and reinstalling?

Thanks!

Hi @charliecruzan,
In the last email that we received they have not specifically said that it is due to Branch but in previous email they have said that.
This is what we have received this time.

Issue: Violation of Personal and Sensitive Information policy
We’ve identified that your app is using an SDK or library that facilitates the collection and transmission of installed packages information without meeting the prominent disclosure guidelines.

Also, our app was using SDK 26 previously. Just after we received last email on May 16 we have updated to SDK 30. will that make any difference?
Is there any way to identify which SDK has caused violation if they have not directly stated?

Thanks,

That seems to be the same email that most developers in this situation are receiving. And that shouldn’t be the difference (SDK versions).
However I strongly recommend upgrading to SDK 31 or (preferably) 32, as we will soon be deprecating support for any version =< 31. This still keeps ~6 months of backward compatibility, but that no longer equates to 6 SDK versions. You can read more about that decision here.

You can follow the upgrade instructions here. Please be aware of the breaking change made to import statements as described in the blog post!

Yes +1 thank you!!!

will expo include Branch sdk in ver 33? We use turtle for build .apk with Branch support, everything ok in store presense(we have 2 applications).

It will not be included (at least not during the initial release) of SDK33.

Just ran into this issue with our app as well. Removed from the Play store, received an email mentioned Branch IO which I’d never heard of or use so was pretty confused. Found out we still had an old build published in the Alpha test track that was the culprit. After I removed that and published a new build (no changes, currently on SDK 32), it was published successfully to the store.

hi all, my app is also removed from Google Play due to policy violation, can it be because of sentry ?, i have already upgrade the app to 32 SDK, it doesn’t help…

This shouldn’t be due to Sentry (if you suspect that though, you could always ask Google for clarification)