Privacy and Security

We’re committed to protecting user privacy and providing a safe and secure environment for our users. Malicious apps that abuse or misuse any network, device or personal data are strictly prohibited.

User Data

You must be transparent in how you handle user data (e.g. information provided by a user, collected about a user and collected about a user’s use of the app or device), including by disclosing the collection, use and sharing of the data, and you must limit use of the data to the description in the disclosure. If your app handles personal or sensitive user data, there are additional requirements described below. This policy establishes Google Play’s minimum privacy requirements; you or your app may need to comply with additional restrictions or procedures if required by an applicable law.


Personal and Sensitive Information

Privacy Policy & Secure Transmission

If your app handles personal or sensitive user data (including personally identifiable information, financial and payment information, authentication information, phonebook or contact data, microphone and camera sensor data and sensitive device data) then your app must:

  • Post a privacy policy both in the designated field in the Play Console and within the Play-distributed app itself.
  • Handle the user data securely, including transmitting it using modern cryptography (for example, over HTTPS).

The privacy policy must, together with any in-app disclosures, comprehensively disclose how your app collects, uses and shares user data, including the types of parties with whom it’s shared.

Prominent Disclosure Requirement

If your app collects and transmits personal or sensitive user data unrelated to functionality described prominently in the app’s listing on Google Play or in the app interface, then prior to the collection and transmission, it must prominently highlight how the user data will be used and have the user provide affirmative consent for such use.

Your in-app disclosure:

  • Must be within the app itself, not only in the Play listing or a website;
  • Must be displayed in the normal usage of the app and not require the user to navigate into a menu or settings;
  • Must describe the type of data being collected;
  • Must explain how the data will be used;
  • Cannot only be placed in a privacy policy or Terms of Service; and
  • Cannot be included with other disclosures unrelated to personal or sensitive data collection.

Your app’s request for consent:

  • Must present the consent dialogue in a clear and unambiguous way;
  • Must require affirmative user action (e.g. tap to accept, tick a tick-box, a verbal command, etc.) in order to accept;
  • Must not begin personal or sensitive data collection prior to obtaining affirmative consent;
  • Must not consider navigation away from the disclosure (including tapping away or pressing the back or home button) as consent; and
  • Must not utilise auto-dismissing or expiring messages.

Here are some examples of common violations:

  • An app that doesn’t treat a user’s inventory of installed apps as personal or sensitive user data and doesn’t comply with the Privacy Policy, Secure Transmission and Prominent Disclosure requirements.
  • An app that doesn’t treat a user’s phone or contact book data as personal or sensitive user data and doesn’t comply with the Privacy Policy, Secure Transmission and Prominent Disclosure requirements.

EU-US Privacy Shield


Additional Requirements

In addition to the requirements above, the table below describes requirements for specific activities.

Activity | Requirement
If your app handles financial or payment information or government identification numbers | Then it must never publicly disclose any personal or sensitive user data related to financial or payment activities or any government identification numbers.
If your app handles non-public phone book or contact information | We don't allow unauthorised publishing or disclosure of people's non-public contacts.
If your app contains anti-virus or security functionality, such as anti-virus, anti-malware or security-related features | Then it must post a privacy policy that, together with any in-app disclosures, explains what user data your app collects and transmits, how it’s used and the types of parties with whom it’s shared.


Device and Network Abuse

We don’t allow apps that interfere with, disrupt, damage or access in an unauthorised manner the user’s device, other devices or computers, servers, networks, application programming interfaces (APIs) or services, including but not limited to other apps on the device, any Google service or an authorised operator network.

Apps on Google Play must comply with the default Android system optimisation requirements documented in the Core App Quality guidelines for Google Play.

Here are some examples of common violations:

  • Apps that block or interfere with another app displaying ads.
  • Game cheating apps that affect the gameplay of other apps.
  • Apps that facilitate or provide instructions on how to hack services, software or hardware, or circumvent security protections.
  • Apps that access or use a service or API in a manner that violates its terms of service.
  • Apps that attempt to bypass system power management that are not eligible for whitelisting.


Malicious Behaviour

We don’t allow apps that steal data, secretly monitor or harm users or are otherwise malicious.

An app distributed via Google Play may not modify, replace or update itself using any method other than Google Play’s update mechanism. Likewise, an app may not download executable code (e.g. dex, JAR, .so files) from a source other than Google Play. This restriction does not apply to code that runs in a virtual machine and has limited access to Android APIs (such as JavaScript in a WebView or browser).

The following are explicitly prohibited:

  • Viruses, trojan horses, malware, spyware or any other malicious software.
  • Apps that link to or facilitate the distribution or installation of malicious software.
  • Apps or SDKs that download executable code, such as dex files or native code, from a source other than Google Play.
  • Apps that introduce or exploit security vulnerabilities.
  • Apps that steal a user’s authentication information (such as usernames or passwords) or that mimic other apps or websites to trick users into disclosing personal or authentication information.
  • Apps that install other apps on a device without the user’s prior consent.
  • Apps designed to secretly collect device usage, such as commercial spyware apps.

Apps that monitor or track a user’s behaviour on a device must comply with these requirements:

  • Apps must not present themselves as a spying or secret surveillance solution.
  • Apps must not hide or cloak tracking behaviour or attempt to mislead users about such functionality.
  • Apps must present users with a persistent notification and unique icon that clearly identifies the app.
  • Apps and app listings on Google Play must not provide any means to activate or access functionality that violates these terms, such as linking to a non-compliant APK hosted outside Google Play.
  • You are solely responsible for determining the legality of your app in its targeted locale. Apps determined to be unlawful in locations where they are published will be removed.

Check out our App Security Improvement Program to find out about the most recent security issues flagged to developers on Google Play. Vulnerability and remediation details are available in each campaign's support page link.
