Understand and Follow Google’s Policies 📝

App Access 🔍

To effectively review your app, Google Play must have unrestricted access to all its components. If any part of your app is restricted, such as sections that require login credentials, you must provide clear instructions on how access can be granted. Historically, because the Play Review team operates globally and can review your app from any country, developers often had to provide exclusive login credentials and expose their infrastructure globally to avoid app rejections. This cumbersome process is no longer necessary.

💡 Gotcha #1. Region-centric review: When submitting your app to the Play Console, it’s crucial to specify if access is restricted to certain countries. For example, if your app is designed exclusively for the Indian market, make sure to include instructions that specify app access should be reviewed within the IN region in the Instruction Name field. This ensures that the Play reviewer will assess your app in the designated region only. Please note, this approach is effective only if your app supports VPN connections, enabling the reviewer to simulate access from the specified region.

Sensitive Permissions 🔐

For the past five years, I have been immersed in the FinTech industry, navigating the distinctive challenges of developing apps in this domain. Ensuring seamless business operations requires strict adherence to numerous policies and internal audits, encompassing guidelines from the RBI (India’s Apex Bank), Google Play Personal Loan Policies, and others.

If your app requires sensitive permissions like reading SMS, accessing contacts, storage, or location, you might encounter occasional hurdles in the approval process. During these times, the focus shifts to swiftly addressing the feedback and ensuring your app update goes live promptly. You’ll engage in a thorough review of Google’s guidelines, interpret their feedback, and make the necessary adjustments, working diligently to meet their standards and gain approval for your app update.

💡 Gotcha #2. Restricted permissions removal: If your app’s primary functionality involves disbursing personal loans to customers, it is crucial to stay updated with Google’s exclusive Personal Loan Policy. This policy imposes strict restrictions on accessing sensitive permissions such as READ_CONTACTS, READ_PHONE_NUMBERS, and ACCESS_FINE_LOCATION et al. Failure to comply with these guidelines will result in the rejection of your app. Therefore, ensuring adherence to these policies is essential to avoid disruptions and maintain your app’s availability on Google Play.

💡 Gotcha #3. Be clear with your sensitive permission declaration: If your app uses sensitive permissions such as SMS or Call Log, you must complete the permissions declaration form on the Play Console under the SMS and Call Log permissions section. In this form, you need to provide clear and transparent explanations for why these permissions are necessary. Additionally, support your request with a video demonstration to illustrate the legitimate use of these permissions.

Curious case of SMS Permissions Group 🧐

If your app uses any SMS-related sensitive permissions such as READ_SMS, RECEIVE_SMS, or SEND_SMS, it is crucial to be meticulous in how you convey this information in your permissions declaration form. Clearly articulate the necessity of these permissions and ensure your explanation aligns with Google Play’s guidelines. Additionally, cross-verify your use case against the exception use cases provided by Google Play on their policy page to ensure compliance.

💡 Gotcha #4. Be transparent with your rationale: If your app requests the READ_SMS permission and your use case revolves around analyzing transactional SMSs only (non-personal) for purposes such as creating a credit score using ML models, it is imperative to explicitly declare this in your rationale. Despite having app logic that filters out personal messages, Google Play cannot verify the accuracy of your claims. To avoid future rejections, you should clearly state in your rationale that your app reads all SMS messages. This transparency will help ensure your app remains compliant and reduces the risk of rejection.

💡 Gotcha #5. Provide declaration that suits your usecase: For the above use case, you must declare SMS-based money management as the core functionality in the permissions declaration form. This ensures that Google Play understands the primary purpose of accessing SMS data and helps align your app with their policy requirements.

💡 Gotcha #6. Update declaration if your usecase changes: If your app requires the SEND_SMS permission in addition to the money management use case, you must update your declaration to specify SMS-based financial transactions on the permissions declaration form. The SEND_SMS permission is typically used by apps for transaction verification via Device/SIM Binding and for providing UPI functionalities. If your app does not include these features, you should utilize the SMS Intent for sending SMS or the SMS Retriever API for reading SMS to avoid app rejections.

Data Safety Declaration 🦺

To ensure greater transparency for your app’s users, Google Play requires you to clearly declare what user data your app collects or shares and to highlight your app’s key privacy and security practices. The information you provide in your Data Safety declaration is thoroughly reviewed by Google Play and will be prominently displayed in the Data Safety section of your app’s listing on the Play Store. This helps users make informed decisions about their data privacy and security when using your app.

💡 Gotcha #7. Ensure clear & compliant account deletion process: In this section, if your app requires users to create an account, you must also provide clear steps for data and account deletion. The account deletion URL must link to an exclusive web page, not a deep link within your app’s Need Help section. This ensures a straightforward and transparent process for users wishing to delete their accounts and data, aligning with Google Play’s data privacy requirements.

Financial Services Declaration 🏦

Suppose your app’s core functionality involves disbursing personal loans in India. In that case, you must comply with specific requirements and provide supplementary documentation as part of the Financial Features declaration within the Play Console. Upon Google’s request, you must furnish additional information or documents demonstrating your compliance with relevant regulatory and licensing requirements. For more details, please refer to the financial services declaration here.

💡 Gotcha #8. Compliance Requirements for RBI-Licensed Personal Loan Apps: If you are licensed by the Reserve Bank of India (RBI) to disburse personal loans, you must submit a copy of your license for our review. If your app functions solely as a platform facilitating money lending by registered Non-Banking Financial Companies (NBFCs) or banks, you must clearly indicate this in your declaration. Additionally, you must prominently disclose the names of all associated NBFCs and banks in your app’s store description, ensuring this information is also visible on the respective NBFC’s or bank’s official websites.

💡 Gotcha #9. Developer Account: Additionally, you must ensure that the developer account name on Play Console matches the registered business name provided in your Financial Services declaration and license. This alignment is crucial to prevent potential rejections in the future.

Useful Tips and Tricks ✨

💡 Gotcha #10. Update all tracks: If your app is rejected due to Play Policy violations, particularly for the usage of sensitive permissions, it is important to review the affected versions on the Play Console. You must submit a new version of the app and upload it across all tracks (Open, Closed, Alpha, Internal, Production) to ensure compliance. Even if a track is paused or inactive, it must be updated with the new app version. Currently, Google Play does not offer the option to delete unnecessary tracks for which a feature request has been raised.

💡 Gotcha #11. Comply with re-submissions: Furthermore, for any app rejection due to policy violations, you must submit your updated app version to 100% for review in one go. Failing to do so will leave the affected version accessible to users, leading to additional rejections. You can cross-verify the affected versions of your app by navigating to App Content -> SMS and Call Log Permissions -> View app bundles and APKs

💡 Gotcha #12. Avoid updates when the app is in review: To avoid further rejections, it is essential to submit the updated app across all channels from the outset. If you attempt to make updates while the app is already under review, the initial submission will still be considered, as Play Console does not incorporate updates made during the review process (a feature request for this has been raised). Therefore, if your initial submission does not cover all channels or is not sent out to 100% for review, the app version will likely be rejected.

💡 Gotcha #13. Prefer Managed Publishing: Always opt for Managed Publishing on the Play Console. This feature enables you to better manage your backend and app deployments, addressing all the issues mentioned above more effectively. Additionally, it provides clear visibility into what is being submitted for review, whether it’s the app itself, store information, or app content.

Gotcha #14. Update the version code: If your app is rejected, it is currently mandatory to upload a new version with an updated version code. This means the entire release process must be followed: the build pipeline must run, and the updated version must be uploaded across all tracks. Even if your app’s content is driven by the backend (Backend-For-Frontend) and there has been no code modification, a new version with a different version code is still required. A feature request has been raised with the Play Experience team to address this.

💡 Gotcha #15. Avoid automation failures: If you have automated your build process to upload .aab files to the Play Console and encounter an existing app rejection, your CI/CD pipeline for uploading the next updated version will fail. In such cases, you will need to manually upload your .aab file.

💡 Gotcha #16. Do not shy in taking help: Policies continually evolve as regulations change. This means that app approvals previously secured may not be valid for future updates, leading to unexpected rejections. When this happens and you are uncertain about the details in the rejection email from Play, your first course of action should be to raise a support ticket or contact support via phone.

Conclusion 🔄

Dealing with app rejections can be challenging, as it directly impacts your business. You want your app up and running as soon as possible, and I hope the insights provided in this article will help you resolve issues more quickly. Google’s commitment to enhancing user privacy and security ensures a safe and trusted experience for everyone. Therefore, it is essential to stay updated with the latest Play Policy Updates, which are available in the Policy Center. I will continue to update this article with new insights and tips as they arise. Until then, keep building 🚀

Do you have more tips and tricks up your sleeve? Share your insights and suggestions in the comments so the entire developer community can benefit and expedite the app approval process. 🤝

This article is previously published on proandroiddev.com