FingerprintJS dependency is not compliant with Google Play Store

[ghubuser3]

Hi, we have an app that uses Checkout payments, and it also uses your Risk SDK v1.0.6 for fraud detection. It's been working well, but recently we received an email from Google telling us that "FingerprintJS SDK" is not compliant with Google's Developer Program Policies, and Google will remove our app unless we remove the non-compliant SDK.

Issue found: Violation of User Data, Permissions and APIs that Access Sensitive Information policy

We reviewed SDKs used by your app and found non-compliant version(s) of SDK(s) which facilitates the transmission of collection of users’ data without meeting the prominent disclosure guidelines and/or privacy policy guidelines. This data may include, but is not limited to:
Phone number
Installed packages (apps)
Social account information
Primary account information

We found an issue in the following area(s):
FingerprintJS SDK: Consider upgrading to a policy-compliant version of the SDK if available from your SDK provider, or removing the SDK.

About the User Data policy
You must be transparent in how you handle user data (for example, information collected from or about a user, including device information). That means disclosing the access, collection, use, handling, and sharing of user data from your app, and limiting the use of the data to the policy compliant purposes disclosed. Please be aware that any handling of personal and sensitive user data is also subject to additional requirements in the "Personal and Sensitive User Data" section.

It turns out that FingerprintJS SDK is used by the Checkout Risk Android SDK

checkout-risk-sdk-android/Risk/src/main/java/com/checkout/risk_sdk_android/FingerprintService.kt

Line 22 in 1a7426b

private val client: FingerprintJS =

Google gave us a month to upgrade or remove the dependency from our app, but since we cannot modify the Risk SDK to use a different fingerprinting tool, we have to remove Risk from our app.

Please consider upgrading FingerprintJS if there's a compliant version available, or develop your own fingerprinting tool within the Risk SDK. As it currently is, using Android Risk SDK will not allow publishing on the Play Store.

[igor1968]

The same issue for our project. The worse, we do not use Risk SDK directly, we use Frames SDK which uses Risk SDK as internal dependency:

+--- com.github.checkout:frames-android:4.2.3
| | | +--- com.github.checkout.frames-android:checkout-android:4.2.3
| | | | +--- com.checkout:checkout-sdk-event-logger-android:1.0.1
| | | | +--- com.github.checkout:checkout-risk-sdk-android:2.0.0
| | | | | +--- com.fingerprint.android:pro:2.3.4
| | | | | | +--- com.github.fingerprintjs:fingerprint-android:2.1.0

Please provide updated versions of both Frames and Risk SDK.

[ghubuser3]

@igor1968

Looks like we need to disclose to Google Play why FingerprintJS is collecting user data:

FingerprintJS docs: https://dev.fingerprint.com/docs/native-android-integration#data-safety-requirements-for-google-play
Google Data safety docs: https://support.google.com/googleplay/android-developer/answer/10787469
Google Play Console: https://play.google.com/console/app/app-content/summary

In the Google Play Console: "Monitor and Improve" on left sidebar > "Policy and programs" dropdown section > "App content" section > "Actioned" tab > "Data safety" row and click "Manage"

For example, on Data safety Step 4 "Data usage and handling" > "Device or other IDs" section" > "Edit" button > "Fraud prevention, security, and compliance" check this box

And do the same for what's shown on FingerprintJS Data usage and handling
table. After you're done with the questionnaire, save it and wait for Google to approve. Finally, on "Publishing overview" on top left sidebar > "Changes ready to publish" section > "Data safety - Complete Data safety questionnaire" > "Publish 1 change" button

Hopefully this will resolve Google's "User Data policy: Violation of User Data, Permissions and APIs that Access Sensitive Information policy" issue. But if you need to remove FingerprintJS SDK, you could use Checkout Android Frames SDK version 4.2.1 which is the version before Risk SDK was added internally to it.

implementation 'com.github.checkout:frames-android:4.2.1'

[ghubuser3]

Checkout updated their Android Risk SDK "2.1.0" yesterday that updated their FingerprintPRO dependency version: 1e9088a
Maybe this one will pass Google Play's data safety compliance review?
implementation 'com.github.checkout:checkout-risk-sdk-android:2.1.0'

Edit:
https://github.com/checkout/frames-android/releases/tag/4.2.6
implementation 'com.github.checkout:frames-android:4.2.6'

[anas-baadshah]

Did you guys resolved this issue with this upgrade? I can still see the same policy violation even after the upgrade. Any idea?

[igor1968]

Did you guys resolved this issue with this upgrade? I can still see the same policy violation even after the upgrade. Any idea?

Actually no, and provided instructions do not resolve the policy violation badge. But it is old badge, in my case it is from 22 April and link in it leads to older build that was replaced by new one with new SDK. I do not know if it is enough and what else could be done.