Using SDKs safely and securely

Many app developers rely on third-party products and services to enable key functionality in their apps. These services are often distributed through one or more code libraries that together are commonly referred to as a software development kit (SDK).

Expectations for developers using third-party SDKs

If you include an SDK in your app, you are responsible for ensuring that its third-party code and practices comply with Google Play Developer Programme Policies and do not cause your app to violate policies.

Our newly created SDK requirements section is designed to help you safely and securely integrate SDKs into your apps and offers guidance on how some of our existing privacy and security requirements apply in the SDK context. In addition to providing a centralised resource for SDK requirements, we are reiterating our expectations regarding the use of SDKs in your apps when it comes to user data. For example, app developers are required to treat any data collection from within their app by an SDK as if they collected it directly.

If you include an SDK in your app, make sure that you take the following steps:

  • Only share user data collected through your app with a third party when they need it.
  • Be aware of how the SDKs in your app handle user data; know what permissions they use, what data they collect, and why.
  • Be aware of additional restrictions for sensitive use cases, such as the use of SDKs in apps targeting children.
  • Ensure that your SDK providers implement logic that reads and adheres to the user preference collected by the app developer, or ensure that a mechanism exists for the app developer to accurately initialise the SDK integrated into the app according to the user-facing consent event.

Complying with Google Play Developer Programme Policies

To help you ensure that any SDK your app is using complies with Google Play Developer Programme Policies, we provide the following tools and notifications:

  • We flag known issues with popular SDKs in Play Console.
  • Google Play SDK Index helps you learn more about the most used commercial SDKs. It combines usage data from Google Play apps with information gathered through code detection to provide attributes and signals designed to help you decide whether to adopt, keep or remove an SDK from your app.
  • Google Play SDK console gives eligible SDK providers crash reporting, usage statistics and a way to communicate critical issues to app developers through Play Console and Android Studio.

Remember that your app must not use a non-compliant version of an SDK which violates Google Play Developer Programme Policies or allow an SDK to collect or share data for any purpose that is not compliant with our policies. Non-compliant SDK versions must be removed or replaced with a compliant version.

Tips:

  • If you have questions about an SDK version and its compliance with SDK policy requirements, we recommend that you contact your SDK provider.
  • If you receive an enforcement notice about an SDK-caused violation in your app that you need to address, see Resubmit your app following a policy violation for information on how to resolve it.
  • If you're an SDK provider, you can use this optional format for SDKs to publish guidance for your users regarding Google Play's Data safety section.

Policies commonly associated with SDK-caused violations

To help you ensure that any third-party code that your app is using complies with Google Play Developer Programme Policies, review the following policies in their entirety:

Note: Remember that bad SDK code could cause your app to violate a different policy not referenced in the preceding list. Remember to review and stay up to date with all policies in their entirety, as it is your responsibility as an app developer to ensure that your SDKs handle your app data in a policy-compliant manner.

SDK-related resources

Here are some resources that support the safe use of third-party SDKs in your app:

If you receive an enforcement notice about an SDK-caused violation in your app that you need to address, see My app has been removed from Google Play for information on how to resolve the issue.

If you're an SDK provider, you can use this optional format for SDKs to publish guidance for your users regarding Google Play's Data safety section.
