Privacy, Security, and Deception

We’re committed to protecting user privacy and providing a safe and secure environment for our users. Apps that are deceptive, malicious, or intended to abuse or misuse any network, device, or personal data are strictly prohibited.

User Data

You must be transparent in how you handle user data (e.g., information provided by a user, collected about a user, and collected about a user’s use of the app or device), including by disclosing the collection, use, and sharing of the data, and you must limit use of the data to the description in the disclosure. If your app handles personal or sensitive user data, there are additional requirements described below. This policy establishes Google Play’s minimum privacy requirements; you or your app may need to comply with additional restrictions or procedures if required by an applicable law.


Personal and Sensitive Information

Privacy Policy & Secure Transmission

If your app handles personal or sensitive user data (including personally identifiable information, financial and payment information, authentication information, phonebook or contact data, microphone and camera sensor data, and sensitive device data) then your app must:

  • Post a privacy policy both in the designated field in the Play Console and within the Play-distributed app itself.
  • Handle the user data securely, including transmitting it using modern cryptography (for example, over HTTPS).

The privacy policy must, together with any in-app disclosures, comprehensively disclose how your app collects, uses and shares user data, including the types of parties with whom it’s shared.

Prominent Disclosure Requirement

If your app collects and transmits personal or sensitive user data unrelated to functionality described prominently in the app’s listing on Google Play or in the app interface, then prior to the collection and transmission, it must prominently highlight how the user data will be used and have the user provide affirmative consent for such use.

Your in-app disclosure:

  • Must be within the app itself, not only in the Play listing or a website;
  • Must be displayed in the normal usage of the app and not require the user to navigate into a menu or settings;
  • Must describe the type of data being collected;
  • Must explain how the data will be used;
  • Cannot only be placed in a privacy policy or terms of service; and
  • Cannot be included with other disclosures unrelated to personal or sensitive data collection.

Your app’s request for consent:

  • Must present the consent dialog in a clear and unambiguous way;
  • Must require affirmative user action (e.g. tap to accept, tick a check-box, a verbal command, etc.) in order to accept;
  • Must not begin personal or sensitive data collection prior to obtaining affirmative consent;
  • Must not consider navigation away from the disclosure (including tapping away or pressing the back or home button) as consent; and
  • Must not utilize auto-dismissing or expiring messages.

Here are some examples of common violations:

  • An app that doesn’t treat a user’s inventory of installed apps as personal or sensitive user data and doesn’t comply with the Privacy Policy, Secure Transmission, and Prominent Disclosure requirements.
  • An app that doesn’t treat a user’s phone or contact book data as personal or sensitive user data and doesn’t comply with the Privacy Policy, Secure Transmission, and Prominent Disclosure requirements.

EU-U.S. Privacy Shield


Additional Requirements

In addition to the requirements above, the table below describes requirements for specific activities.

Activity | Requirement
If your app handles financial or payment information or government identification numbers | Then it must never publicly disclose any personal or sensitive user data related to financial or payment activities or any government identification numbers.
If your app handles non-public phonebook or contact information | We don't allow unauthorized publishing or disclosure of people's non-public contacts.
If your app contains anti-virus or security functionality, such as anti-virus, anti-malware, or security-related features | Then it must post a privacy policy that, together with any in-app disclosures, explains what user data your app collects and transmits, how it’s used, and the types of parties with whom it’s shared.



Permission requests should make sense to users, and should be limited to the critical information necessary to implement your app.

Don't request access to information that you don't need. You may only request access to the user data that is necessary to implement existing features or services in your application. Don't attempt to "future proof" your access to user data by requesting access to information that might benefit services or features that have not yet been implemented.

Request permissions in context where possible. Request access to user data in context (via incremental auth) whenever you can, so that users understand why you need the data.


Device and Network Abuse

We don’t allow apps that interfere with, disrupt, damage, or access in an unauthorized manner the user’s device, other devices or computers, servers, networks, application programming interfaces (APIs), or services, including but not limited to other apps on the device, any Google service, or an authorized carrier’s network.

Apps on Google Play must comply with the default Android system optimization requirements documented in the Core App Quality guidelines for Google Play.

Here are some examples of common violations:

  • Apps that block or interfere with another app displaying ads.
  • Game cheating apps that affect the gameplay of other apps.
  • Apps that facilitate or provide instructions on how to hack services, software or hardware, or circumvent security protections.
  • Apps that access or use a service or API in a manner that violates its terms of service.
  • Apps that attempt to bypass system power management that are not eligible for whitelisting.


Malicious Behavior

We don’t allow apps that steal data, secretly monitor or harm users, or are otherwise malicious.

An app distributed via Google Play may not modify, replace, or update itself using any method other than Google Play’s update mechanism. Likewise, an app may not download executable code (e.g. dex, JAR, .so files) from a source other than Google Play. This restriction does not apply to code that runs in a virtual machine and has limited access to Android APIs (such as JavaScript in a webview or browser).

The following are explicitly prohibited:

  • Viruses, trojan horses, malware, spyware or any other malicious software.
  • Apps that link to or facilitate the distribution or installation of malicious software.
  • Apps or SDKs that download executable code, such as dex files or native code, from a source other than Google Play.
  • Apps that introduce or exploit security vulnerabilities.
  • Apps that steal a user’s authentication information (such as usernames or passwords) or that mimic other apps or websites to trick users into disclosing personal or authentication information.
  • Apps that depict unverified or real world phone numbers, contacts, addresses, or personally identifiable information of non-consenting individuals or entities.
  • Apps that install other apps on a device without the user’s prior consent.
  • Apps designed to secretly collect device usage, such as commercial spyware apps.

Apps that monitor or track a user’s behavior on a device must comply with these requirements:

  • Apps must not present themselves as a spying or secret surveillance solution.
  • Apps must not hide or cloak tracking behavior or attempt to mislead users about such functionality.
  • Apps must present users with a persistent notification and unique icon that clearly identifies the app.
  • Apps and app listings on Google Play must not provide any means to activate or access functionality that violates these terms, such as linking to a non-compliant APK hosted outside Google Play.
  • You are solely responsible for determining the legality of your app in its targeted locale. Apps determined to be unlawful in locations where they are published will be removed.

Check out our App Security Improvement Program to find out about the most recent security issues flagged to developers on Google Play. Vulnerability and remediation details are available in each campaign's support page link.


Deceptive Behavior

We don't allow apps that attempt to deceive users or enable dishonest behavior. Apps must provide accurate disclosure of their functionality and should perform as reasonably expected by the user. Apps must not attempt to mimic functionality or warnings from the operating system or other apps. Any changes to device settings must be made with the user's knowledge and consent and be easily reversible by the user.


Misleading Claims

We don’t allow apps that contain false or misleading information or claims, including in the description, title, icon, and screenshots.

Here are some examples of common violations:

  • Apps that misrepresent or do not accurately and clearly describe their functionality:
    • An app that claims to be a racing game in its description and screenshots, but is actually a puzzle block game using a picture of a car.
    • An app that claims to be an antivirus app, but only contains a text guide explaining how to remove viruses.
  • Developer or app names that misrepresent their current status or performance on Play. (E.g. “Editor’s Choice,” “Number 1 App,” “Top Paid”).
  • Apps that feature medical or health-related functionalities that are misleading or potentially harmful.
  • Apps that claim functionalities that are not possible to implement.
  • Apps that are improperly categorized.

Unauthorized Use or Imitation of System Functionality

We don’t allow apps or ads that mimic or interfere with system functionality, such as notifications or warnings. System level notifications may only be used for an app’s integral features, such as an airline app that notifies users of special deals, or a game that notifies users of in-game promotions.

Here are some examples of common violations:

  • Apps or ads that are delivered through a system notification or alert:

    ① The system notification shown in this app is being used to serve an ad.

For additional examples involving ads, please refer to the Ads policy.


Deceptive Device Settings Changes

We don’t allow apps that make changes to the user’s device settings or features outside of the app without the user’s knowledge and consent. Device settings and features include system and browser settings, bookmarks, shortcuts, icons, widgets, and the presentation of apps on the homescreen.

Additionally, we do not allow:

  • Apps that modify device settings or features with the user’s consent but do so in a way that is not easily reversible.
  • Apps or ads that modify device settings or features as a service to third parties or for advertising purposes.
  • Apps that mislead users into removing or disabling third-party apps or modifying device settings or features.
  • Apps that encourage or incentivize users into removing or disabling third-party apps or modifying device settings or features unless it is part of a verifiable security service.

Enabling Dishonest Behavior

We don't allow apps that help users to mislead others, including, but not limited to, apps that generate or facilitate the generation of ID cards, social security numbers, passports, diplomas, credit cards and driver's licenses.

Any claim that an app is a "prank", "for entertainment purposes" (or other synonym) does not exempt an app from application of our policies.
