70 comments

[ 3.1 ms ] story [ 113 ms ] thread
All my apps have been removed from the Google Play Store
This type of post has to appear here at least a few times a week. People have got to get wise that google are actually the bad guys here and stop basing their lives and businesses so tightly on their services.
If you want to make apps for Android, what alternative do you have? If your app isn't in the Google Play Store, it doesn't exist. It's a monopoly.
I'm confused, isn't the whole idea of an app that just loads and displays a website a security issue already? You can just swap out the content on the page to something malicious at any given point without going through store approval yah?

I'm not familiar with app store development, is this a standard way that people develop apps?

There are some services, e.g. Expo for React Native, that provide Over-The-Air update mechanisms, bypassing app store approvals.

Also, one of the main points of the WebView control is the ability to show a particular web page. If that's an issue, the platform/SDK should not provide such controls.

Additionally, even if the website itself is "trusted", it is very common for ads to be embedded.

The set of trustworthy ad providers is the empty set. I find it reasonably likely that the malware strike was correct; that's a pretty specific reason.

Like others mentioned, Expo already provides over-the-air updates for non-native stuff, and that's only gonna become more and more common. You can also package an entire web app as a PWA and deploy it to the app stores. It could even be server rendered.

But any permissions-related changes have to go through approval again

I published that damn app a few years ago. I was experimenting with Processing at the time: https://processing.org/ I thought it could be funny to use the javascript version of it https://p5js.org/ in a web page and then wrap it in a Unity app, since Unity was and is the environment I use for making apps. Yes, I know that Processing can export to Android natively (but not to iOS, by the way) Being a shitty and useless app that no one use, I should have unpublished it years ago. I have kept it updated all these years because "oh, well, one I day I will improve it, when I have time". And now this shitty and useless app has caused the destruction of all my other "real" apps. Lesson learned the hard way.
Kind of, I worked for some years in a big mobile game company and they had the same approach for rendering popups. There is a big incentive for coming up for solutions that allows to deliver new content without having to update a new build to the app stores.
If you gonna put anything on Play store be careful about open sourcing your apps because the bad guys will take your code and package them with malware and will upload them under different names and icons. So then Google in their full wisdom will flag anything that contains that code, including your benign, clean and original app
That's a terrible practice by Google and makes me rethink my android usage. They should use the original as a guide for detecting these abuses early instead of just being lazy and stamping them all bad.

How is Apple in this regard?

they have a completely different paradigm. apple has a reviewer run the app and test it(with varying levels of competence). they also have a suite of static analysis checks to see if you are using any no-no apis or other things. they have a restrictive "does this thing solve a novel problem" to avoid 1000 flashlight apps.(which doesn't seem to work that well but it's been a while since I looked at it)

google operates on the pay 15$ and then you can submit any app and if people report you enough it gets removed and your account gets flagged. they might have some static analysis tools like the oop said. but in general apple is restrictive by default and google is permissive by default.

As a lowly person who only worked for Google for ~5years:

How in the world did that get approved?? Why was age of code not one of the first things bright up in one of the many design reviews that this went through. Utterly shocking.

I'm a little confused about why you need Unity to launch a web view in full screen. It's been a minute since I've written an Android app, but isn't this like... less than a hundred lines of Java?
They mentioned also shipping on iOS so they are probably leaning heavily on unity for cross platform functionality.
Surely the Swift code can't be much more?
Not "they". He. I'm only person. And yes, I use Unity because it's cross platform. Well, at least it was cross platform, until they closed my Google Play Developer account 2 days ago :-(
(comment deleted)
It was a stupid experiment. A useless app I shoud have unpublished years ago. I used Unity because I'm familiar with Unity and didn't want to deal with Android Studio and native development stuff.
[flagged]
Care to elaborate?
Not taking GP's position, but I imagine they are considering that the author promised drawing and relaxing, but then (additionally) provided an out-of-app redirection in a web veiw to market their own separate product.

Maybe(?) one needs (recent change?) to mention, on the app page or in the app itself, that the game is supported by ads and they didn't mention this. I've never published my own app to Google Play or read their developer agreement carefully. I'm only speculating based upon the facts which have been provided.

The most important information seems to be missing from the article. The author says that all his apps are built similarly, except the one that led to the account termination which

    uses a particular asset that I bought
    on the Unity Asset Store
So which asset is it?

If that asset contains malware, then we know the reason for the ban.

I don't think it's fair to share this info, at least for now. My appeal to Google is still in process and I can't blame the asset. May be (I hope so) this is a terrible mistake by Google. Obviously I have provided the link of the asset in my appeal. Anyway the app that caused my account to be removed has been published for years, with this asset, without problems.
Has anyone gone to arbitration over this?
I have made an appeal and am waiting for a response.
It is also likely Google themselves has been compromised. Those reviewer accounts could have been hacked and thus this kind of spurious behavior. Think of it similar to website defacing, instead of deface, you get random suspension or termination of random app developers. You don't always hear about Google being hacked, but it had happened in the past way more frequently then what were reported. Google biggest issue they have near non existence of customers support engineers there (probably not a glamorous job / career). They rely too much on automated responses with a bunch of if-else like their Diagflow (perhaps now upgraded with Bard). Don't depend on Google store. Support HarmonyOS and Samsung store. Give alternative a stronger support to force Google from monopolistic behavior to market competition. Microsoft over the years demonstrate this is possible. Rely on market and not some dont-do-evil mantra.
This is actually one of the least likely reasons.

As they teach in first-year medical school: "If you see hoof prints on the ground [in North America], think 'horse', not 'zebra'."

I've seen this tale too many times to believe it. Nine times out of ten, the "asset" will be something that is shady at best. (Especially when it's from a completely new HN account)
Could you please clarify what you are accusing me of? I have been a reader of Hacker News for years. This is the first time I'm posting because it's the first time I have something interesting to share. What's wrong with this?
Using Virustotal to check for malicious code seems like a good first pass but no guarantee. That asset could easily contain some naughty tracking code that isn't considered malicious enough, or is new enough not to be detected. We can surmise that Unity likely scans assets with commercial solutions, so if malware makes it through to the asset store, we can assume Virustotal wouldn't detect it.
> If you have done something so terribly wrong to cause your account to be terminated, and to remove all your apps, you would expect at least an email properly written by a human being, with evidences of the mistake you have done.

This is precisely why I have zero interest in developing anything for Android or iOS.

I simply don't understand why anyone would spend countless hours of their life developing apps for platforms which are happy to completely annihilate all of that effort in an instant, without even an inkling of justification for doing so, and no way to appeal.

That's pure insanity to me.

The barrier to entry is so low, actual malicious developers could create thousands of accounts. Adding a human touch to all those closures would be untenable. They firet need to raise the bar. But then android loses its beginner friendliness.
Maybe those platforms should take a little cut from any income they make from apps to pay for more oversight and developer support… Oh
And how does that help if the app is free, ad supported or supported by subscriptions outside of the store?
My apps were paid or ad supported with Admob, that is owned by Google. So, in both cases, I was sharing my income with Google.
I’m in no way shape or form defending Google here, FWIW
iOS App Store manages a human touch just fine.

Google just has a weird need to try to automate everything to the point where finding an actual human with enough privileges to overrule the AI model is getting impossible.

> The barrier to entry is so low, actual malicious developers could create thousands of accounts

It costs $25/acct, so that would add up pretty quickly.

They definitely have the money for doing it, they just don’t want to. They rather completely screw over the developers who have little choice in what App Store to target. They should not be allowed to gatekeep like this without properly paying to support developers.
Don’t lump iOS into this. I develop for that and while they do sometimes do things wrong, I’ve always had a human to reach out to by default - no searching around
Agreed but I also agree with the general sentiment that apple and google have way too much power here, especially compared to developing for the web
I also relate to that.

I’ve developed for years to Android, since the Eclipse days through the latest horror of Gradle and Android Studio.

Then I’ve switched back (after years with Android devices) back to iOS devices as my daily drivers and started developing for iOS on my spare time.

So far, the Play Store over the years got worsen, it requires a lot of reviewing and updating all sort of forms. Yet, the response seems to be more prompt and more understandable.

With Play Store… it’s mostly automated responses with cryptic messages I need to take long to to figure out what I should do to resolve.

I just hope I won’t get into those horrible (but possible lock-outs when you’re just a small humble developer)

Google at least allows you to sideload.
Also, many of us started Android long ago and developed deep expertise. The platforms are so complex, its almost impossible to master all of it. So its a huge investment. Google, as a company, has changed drastically since the Froyo days. Technically this could be a "sunk cost fallacy" but its not easy switching stacks and getting jobs with newbie knowledge of new stack.

But if I were to decide today, I would probably choose something else.

“I have no idea why anyone would create applications for devices that 90% of the world have in their pockets. It’s almost like people have a weird addiction to food and shelter and exchange labor for money to support their addiction”

“As an aside, I also don’t see why people watch TV. I haven’t owned a TV in 20 years”

I'm not insane. Making apps is my passion and my side hustle. Until two days ago, I believed that account termination occurred for very serious reasons. I have appealed and am waiting for a response.
You are in good company. PowerSchool (formerly owned by Apple) had their Schoology app removed from the Play store last week. I don't know they details, but they are big enough I'd kind of expect them to get at least a conversation from Google instead of just removing their app.

What has happened now is that other applications have been released with the same name and students & parents are downloading those apps and typing their names and passwords into them. Whatever security Google thought they were achieving by removing the app seems unlikely to have been greater than the risk they created by the removal.

There's at least one support thread for this issue that links to a troubleshooting tool: https://support.google.com/googleplay/android-developer/thre...

The use of the unity asset to launch a web browser to load code to run a very basic drawing tool seems like a very likely reason that Google says this policy was violated.

Such an app could easily include the source files for such a basic web app or could have actually just been a web app.

There are two possible explanations for implementing a web app like this. One benign inexperience/laziness/incompetence and the other is a malicious intent to target specific users with a different payload in certain circumstances.

While this developer isn't being malicious, removing this sort of app does appear to be the right call by google.

The problem here arises from how the lack of transparency impacts people who are trying to learn. We need gatekeepers, but we also need those gatekeepers to be sufficiently transparent that we don't keep out newbies but educate them.

Sorry, but something is fishy there.

The guy has a medium account named RT. Usually people use their real names in medium. He has exactly 1 post and that is this post here.

He doesn't really explain what the app does, only that it's called draw and relax. A quick search reveals, nothing. If it was on the play store there would be some reference to it.

Idk what is going on but this is quite sus

My real name is Raffaele Tasso. I have written an article on Medium only because I neeeded a place where to write. I didn't use my real name there because it's a platform that I don't know, and where I really have no interest in writing again. These are the apps that I have published on App Store: https://apps.apple.com/it/developer/raffaele-tasso/id1308055... I would be glad to give you the links to my Google Play apps, but as I have already explained they don't exist anymore.
You can find the app if you use a non-google search engine (e.g. duckduckgo), and the publisher's name matches the medium username.
It's funny to read comments here after just reading the piece on Critical Ignoring. "Low-quality and misleading information online can hijack people’s attention, often by evoking curiosity, outrage, or anger."

So many commentators taking this and every other Play Store complaints at face value with zero critical thought/analysis. Don't let yourselves be highjacked by low quality information. The linked article has few details.

English is my not native language and I have spent hours writing the article that has "few details". I was hoping to find some good advices for other members of hacekernews. Comments like this make me feel even more frustrated.
With respect, you should definitely post more details about your apps, even if just to link to the APKs, but screenshots etc. go a long way.

I hope the case is resolved and Google takes notice and reviews policy.

> The name of my app was “Draw and relax”.

So you can still find the apk here:

https://apkpure.com/draw-and-relax/com.raffaeletasso.paint/d...

Uploading it to Virustotal indeed does not trigger anything, however, the sandbox execution shows plenty of weird domains and URLs. Those all might be harmless, but still, I guess if just one is fishy, this could be enough to get your app banned? I guess most of that stuff is related to ads, but who knows...

I don't know how apkpure.com works. Are you sure their apks are original? May be they inject their own code and ads?
They claim they don't, that is where the 'pure' part comes from. I vaguely recall this claim being tested, which is easy if you have the original apk to test against.
You said you have uploaded your own apk's to VirusTotal. Did you check the Sandbox runs? They provide lots of information regarding your application's behavior. Note that even if for instance Zenbox does not mark your application as malicious, this is just a rough heuristic and by no means saying that this application is fine. You need to look at the results in detail and look why your application is triggering these things. Google will never in detail tell you what triggered the ban, because they keep this stuff secret as to not give the wrong people hints on how to game the system.
I agree this sucks. But why not create a separate account for each app? I know some ios app developers do this so if they want to transfer ownership of an app, it’s a lot easier if you have a separate account.

On the other hand, yes I know that there are some things that you are allowed to do between applications if they are all owned by the same entity.

If I were a customer who contracted out development of a mobile app. I would insist on owning the Google account and having the source code. He said what if this had been work for a client.

Similarly, when I worked for a startup that was positioning itself for an exit (acquisition), I pushed through taking our AWS account out of our MSPs organization and us owning it even at the cost of volume discounts

I'm not sure if it's allowed to create multiple Google Play Developer accounts related to the same person. Even if this is allowed, Google could in such situations close all of them, right? I'd like to hear comments from people who have experience with this.
Some of the people who do it on iOS set up a separate LLC.
My apps are not remunerative enough to justify that.
Seems to me Google is trying to discourage free apps by making the process so painful that only people making money off them will jump through the hoops.

Having to upgrade the target API, mentioned in the article, is a good example. If you have 50 apps, just updating that is quite an effort. I started updating some of mine, but after the first few I hit one that required quite a bit of effort. At which point I just said "I'm done". My apps can expire from the store. I'm focusing more on web apps instead.

The reason I picked Android over iOS, and probably the same for a lot of people, was that it was the more open and free (as in freedom) platform. But Google is eroding away at any such advantages it had in that area.

I agree with you. I have updated almost 30 Android apps in these days, only to upgrade the target API, including the useless app that caused my account to be removed. If I ever get my account back, I will unpublish all my abandoned apps that have no value, and focus on what remains.