Issue found: Invalid Encryption Declaration on your Data safety form. What is the Solution?

Question

image

We’ve detected discrepancies between how your app collects and shares user data and what was declared in your app’s Data safety form. All apps are required to complete an accurate Data safety form that discloses their data collection and sharing practices - this is required even if your app does not collect any user data.

You have declared that user data is encrypted in transit in your app’s Data safety form and we’ve detected unencrypted network traffic that may carry user data off device.

Issue details

We found an issue in the following area(s):

APK 20: Policy Declaration - Data Safety Section: "http://data.altbeacon.org" APK 24: Policy Declaration - Data Safety Section: "http://data.altbeacon.org"

Google has rejected the publication twice already. What is the problem with altbeacon library and how to solve it?

There is a dependency that I use in the project:
implementation 'org.altbeacon:android-beacon-library:2.19.2'

Answer 1

Please use https instead of http because HTTPS is more secure than HTTP because it uses encryption to protect information as it is being sent between clients and servers. When an organization enables HTTPS, any information you transmit, like passwords or credit card numbers, will be difficult for anyone to intercept.

Answer 2

The problem was fixed back in 2018 in Android Beacon Library version 2.15.2.

WHAT TO DO

Double check that you are using the latest version of the Android Beacon Library. The latest release version is 2.19.5 as seen here. If your app is using recent versions of the library, it will not have this problem.

If you still see this problem, your app may include code copied from an older version of this library, either directly or as part of a different third party library it includes. Tracking down where this is happening is difficult, but you can start by searching your source code for the URL. If you do not see it, you will need to go through each of your dependencies. If you are stuck and cannot find it, you can try using the Network Profiler to debug your app and help track it down what code is making the call.

WHAT CAUSES THE ERROR?

A few years ago, the Google Play Store started requiring apps that make web service calls use https URLs rather than http URLs in order to prevent apps from exposing potentially sensitive data to eavesdroppers using unencrypted network connections. Any app making network calls using unencrypted http URLs must declare so in its Google Play Store listing. Google Play's review robots test apps under review and look for any unencrypted calls. If they find any, they will reject the submission unless your listing declares that the app makes unencrypted calls.

The library switched to using a https URL back in 2018 to be compliant with this Google Play Store policy. You can see the commit here

WHY DOES THE LIBRARY MAKE A NETWORK CALL?

The Android Beacon Library fetches an updated database of Android device models on first run so it can adjust distance estimates on a per-model basis. The network call is a simple remote fetch of data without transmitting any private information. The prior use of an http URL in this case poses very little if any security issue, but it still gets flagged by Google Play's automated tools for apps using very old library versions.

Full disclosure: I am the lead developer on the Android Beacon Library open source project, and the author of both the original code that caused this problem and the author of the fix in 2018.