Developing software can be hard work. There are so many aspects to take into consideration, from creation and market research to specific platforms and target audiences. Things can definitely begin to feel overwhelming.
Things got a bit trickier with Google's implementation of the Unwanted Software Policy.
There have been a few incidences that have encouraged this move on Google's behalf, such as malware sneaking past security defenses and infecting apps and even hidden trackers. A particularly alarming statistic published by Yale Privacy Lab found that "Over 75% of Android apps tested contain trackers that are unknown to their users."
What is Google's Unwanted Software Policy?
This policy has been designed as an offshoot of Google Safe Browsing, and aims to deter malware and other unwanted or harmful behavior that may occur when users are browsing the web.
Malware is something that every developer should be wary of. Even if your app is created with the best intentions in mind, malware can still inadvertently affect it. Malware is considered to be an application that is designed to install harmful software, like a virus, on a user's device, with the purpose of exploiting their privacy and security.
There are several different sections and requirements to the Unwanted Software Policy. Let's break each one down to what it says and requires.
Transparent Installation and Upfront Disclosure
This section relates to the software installation itself. The description of your app in the Play Store should be straightforward and easy to understand. This ensures users know exactly what they can expect if/when they download your program.
You should showcase your app as something that can provide value, but you should also be clear on that value. Essentially, you need to detail what your app will do, and this detail needs to be verifiable.
This means your app should have a "valid and verified code signature" that has been "issued by a code-signing authority". This is a great way to verify your identity as the developer and the integrity of your program's code. It's an effective way of establishing trust with your users right from the get-go, which is what every developer should aim for.
Your software shouldn't be hard to remove from any device. The steps to remove it should be simple to follow, and shouldn't try to deter the user from removal.
Here is an example of behavior that may be deemed as an attempt to deter simple removal:
After removal, all traces of the software should be gone from the device, and it shouldn't make any configuration changes once removed.
Further, you should also ensure users can deactivate or delete their account easily, and provide clear instructions on how they can do that.
This section relates to the behavior of your software. Essentially, it should do exactly what's been described, and nothing further. After installation, it shouldn't access or change any device settings unless explicit permission has been given.
The software also shouldn't spam the user or inject advertising pop-ups on the device. Also, users must be notified about any changes that are made through software updates, and be given the opportunity to make any necessary approvals or permission changes.
Some behavior that the Unwanted Software Policy frowns upon is:
Snooping involves collecting personal information from users without disclosing that collection and allowing users to approve or deny it.
If your app does need to collect personal information, you need to explain why, in easy-to-understand language. And if you need to collect sensitive information like banking or payment details, you must have proper encryption in place.
Keeping Good Company
The Unwanted Software Policy also considers "keeping good company" to be a crucial aspect. So, even if you're positive your software and related apps are following the policy, if you're associated with software and/or developers that aren't complying, you could be in trouble as well.
This is a key reason why the Unwanted Software Policy is so essential. It aims to hold all software accountable for their own individual behaviors, and is one of the most effective ways to create a safer online environment.
If your app or software is considered unwanted or potentially deceptive, warnings will be issues and it'll be up to you to make changes.
Other Rules and Regulations
CalOPPA and the GDPR affect app software developers due to the strict requirements regarding what to include in Privacy Policies.
Luckily, both regulations are relatively simple to follow.
- Show the most current date your policy is effective from
- Be conspicuously posted on both your app and any related websites
- Inform users of the personal information you will be collecting from them, as well as how and why you collect it
- Let users know if this information will be shared with any third-party apps, and the purpose behind this sharing
- Enable users to review, change or delete the personal information you've collected from them
- Detail how you respond to Do Not Track signals (the signal that users can set if they choose not to have their web/app activity tracked)
- The security measures you have in place to protect user data from being breached
- How users can control their data they share
- The lawful basis behind your processing of personal data
- Identify the Data Control and Data Protection Officers (which will likely just be yourself, as the business owner), and how users can contact these Officers
- Inform users of the eight particular rights they have under the GDPR (which are the rights to be informed, to have access, to rectify incomplete/incorrect data, to erase data, to restrict processing, to retain or reuse data, to object to the use of their data, and the right to protection against automated data processing.)
How to Comply with the Unwanted Software Policy
The Unwanted Software Policy differs from Google Play's Developer Distribution Agreement by narrowing down the app behavior it allows, and that which it will not.
As a developer, you should be aware that Google has several Software Principles that it adheres to in order to provide a safe online environment.
These principles include things like:
- Upfront disclosure which informs users of the app's specific functions
- Simple installation and removal, making it easy and obvious to users how they can both install and delete the app from their device
- Clear, transparent behavior that means the app does what it says it will, and nothing more
Enforcement of this new policy came into effect on January 30, 2018. After this, warnings began to be handed out to app developers, and continue to occur even today.
This warning system, while great for online users looking to protect their information, can create significant effects for app developers, particularly resulting in lower levels of traffic and downloads.
To avoid this impacting you, here's what you need to know.
Google has a very clear description of what they do and don't tolerate in their app software, so for full disclosure check out their policy on Privacy, Security and Deception.
This policy covers everything from the user data you'll be downloading, to the permissions required on user devices that will allow your app to work smoothly, as well as what constitutes malicious or deceptive behavior.
It gives a concise description of how you should be transparent about how you are handling user data:
It also includes basic guidelines to follow and notes that you cannot violate the Unwanted Software Policy:
There are requirements for what and how you disclose certain aspects of data collection and use that your users may not expect. These requirements include in-app disclosures that request user consent:
Google offers some examples of violations that occur frequently to help you stay on the right path to compliance:
There are a few simple steps you can take to make sure you become compliant and - more importantly - remain compliant. These steps are:
- Reviewing the Unwanted Software Policy to check if you're violating any rules (even accidentally)
- Asking for explicit consent when collecting certain types of user data
- Frequently monitoring your software through the Security Issues report for any issues that may have come up, such as malware or deceptive behavior
It's important to review this report often. Failure to do so means you won't be able to fix the issues, and Google may then deem your software as 'unwanted.'
- Describe the purpose of the app and all its functions in a "clear and unambiguous way"
- Be easily accessible for users across all devices
- Describe the information that is being collected, and detail the purpose behind this collection
- Be separate from your company's Terms of Service
If your app has been classed as unwanted software and you've received warnings to fix it, you can do so within 60 days of receiving the warning. You can also appeal the decision through Google's app verification feature.
- Answer the questions related to your entity type and location.
- Answer the questions relating to what type of information you collect from your users.
Here are some examples of popular apps and how they've implemented these requirements.
Adobe describes what types of information it collects through the website, app and desktop app. This helps with the "clear behavior" requirement.
Including Permissions details is another way to be transparent and have clear behavior. Users can see what they'll need to give the app access to when they download the app. In Netflix's case, it's quite a lengthy list of permissions, including phone, media, storage, microphone, identity, contacts and much more:
To comply with Google's Unwanted Software Policy:
- Allow users to easily remove or uninstall your app
- Don't team up with distributors or apps that don't follow security protocols