# Background

To effectively address apps forcing authorization, requesting excessive permissions, and collecting personal information beyond the necessary scope, and to implement the requirements of the "Network Security Law" and the "Consumer Rights Protection Law" so that personal information is kept secure, in January 2019 four departments (the Central Network Information Office, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration for Market Regulation) issued the "Announcement on Carrying out the Special Governance of the Illegal Collection and Use of Personal Information by Apps". They organized a nationwide special governance campaign against the illegal collection and use of personal information by apps, and successively issued and improved standards such as the "Approval methods for illegal collection and use of personal information" and "GB/T 35273-2020 Information Security Technology Personal Information Security Specifications".

According to the above specification requirements, all major application markets have strengthened the detection of applications, requiring applications to comply with relevant policies, otherwise the application will be at risk of being notified or removed from the shelves.

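DCloud, together with mainstream privacy compliance testing vendors in the industry, has launched the uni privacy compliance testing service. You can apply online to obtain a detailed test report. For details, see: uni privacy compliance testing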

# App cannot be listed due to compliance issues

Read the following steps carefully and check your app against each one to resolve listing problems.

  • If the app was not cloud-packaged with HBuilderX 3.6.1+, upgrade to HBuilderX 3.6.1+ and repackage.
  • If the app is packaged offline, upgrade the SDK to version 3.6.1+, then rebuild and repackage. Download address
  • Do not submit a custom debugging base for platform review. Compliance issues are not handled in debug mode.
  • If the app has no privacy and policy prompt box configured, read "Android platform privacy and policy prompt box configuration method" and configure your app's privacy pop-up window.
  • Be sure to use template mode when configuring the privacy pop-up; otherwise the app will not pass application market review. A privacy pop-up window implemented by the application itself does not work either. Use the privacy pop-up provided by uni, in template mode.
    //androidPrivacy.json
    {
      "version": "1",
      "prompt": "template",
      "title": "服务协议和隐私政策",
      "message": "..."
    }
    
  • The privacy agreement must be written to match the module functions the app actually uses, with the relevant privacy terms filled in. It must not be vague: all information collected by each module must be listed completely, otherwise listing will be affected. See the Privacy Policy Notice section of this document.
  • Check whether any uni native plugin is integrated. Some permission requests or non-compliant data acquisition may be caused by uni native plugins. Use the process of elimination: remove plugins, repackage, and retest.
  • Check whether fcm push (including fcm in unipush), google statistics, google push, or the google login module is integrated. Because these modules integrate Google's GMS service, the android id is obtained in advance, so the app cannot be listed normally in China. Exclude these modules in the manifest.json configuration when packaging.
  • If the app meets all of the above requirements and listing still fails, ask the testing platform for the code call stack, then take the stack information to the ASK Forum, describe the problem, and @ the administrator.

# Privacy Policy Notice

  • You must ensure that the app has a "Privacy Policy", and that a prompt pops up on first launch and obtains the user's consent.

  • Be sure to configure the privacy and policy prompt box in template mode. For details, see the reference.

  • The purpose, method and scope of collecting the user's personal information must be explained clearly and comprehensively in the "Privacy and Policy" (do not use vague wording such as "may collect" or "may learn about" user information). User personal information includes but is not limited to MAC address, device serial number, imei, imsi, software installation list, address book information, SMS information, etc.

  • If the app is reported for obtaining sensitive information in violation of regulations, check the "Privacy Compliance Agreement of Each Functional Module of the Android Platform". If you integrate the related modules, you must write their terms into the app's privacy agreement.

  • You must inform users in the "Privacy Policy" that your app is developed based on DCloud uni-app (5+ App/Wap2App), and add the following clause:

    Our product is developed based on DCloud uni-app (5+ App/Wap2App). While the application is running, we need to collect your device's unique identification codes (IMEI/android ID/DEVICE_ID/IDFA, SIM card IMSI information, OAID) to provide statistical analysis services, and to improve performance and user experience through analysis of application startup data and exception error logs, so as to provide users with better services.

# Common problems

# 1. How to solve the problem of "mandatory, frequent, and excessively requesting permissions"

For permission issues, pay attention to the following aspects:

  • When the application has no corresponding service or scenario, do not request the corresponding permission (for example, do not request the location permission when the location service is not used)
  • When the application requests a permission and the user refuses, do not exit the app or make it unusable. Do not set the "read and write mobile phone storage" and "access device information" permissions to "always" when the app is started. For details, see: [https://ask.dcloud.net.cn/article/36549](https://ask.dcloud.net.cn/article/36549)
  • If the user has refused a permission and has not actively triggered the feature again, do not repeatedly call the API that pops up the permission request window; this disrupts the user's use of the app
  • Do not call APIs that may trigger the permission prompt box, such as uni.getLocation, uni.chooseImage, etc., in the page life cycle onShow.

# 2. An offline-packaged APK submitted for market review is reported as obtaining user information in advance

For offline packaging, use SDK version 3.6.1+ and configure the uni-app privacy agreement pop-up window. Do not implement the privacy pop-up window yourself through native capabilities; otherwise the logic inside the SDK that obtains user information will not be properly restricted, and the app will fail compliance detection.

# 3. How to solve the problem of "Forcing users to use the directed push function"

In the "Privacy Policy", change keywords such as "recommendation", "customization" and "personalization" to words such as "provide", "display", "notify" and "send". If the app really does involve personalized services, add a personalized push switch in the app's settings.

# 4. How to solve the problem "Before the user clicks 'Agree' in the 'Privacy Policy', the APP and SDK must not do anything: the SDK must not be initialized, and neither the APP nor the SDK may collect user information (including but not limited to IMEI, IMSI, device MAC address, software list, device serial number, androidID)"

  • Make sure that the APK is produced with version 3.6.1+.
  • Make sure the privacy and policy prompt box is configured to use the "template" mode.
  • The pages linked from the privacy prompt must not contain JS code that obtains user information, location information and the like. If they do, remove it.
  • Verify on a Xiaomi phone running MIUI 12: install your app, then check under App Details --> App Behavior Record whether any permission information was obtained before "Agree" was clicked.
  • If your app is packaged offline, be sure to turn off the debug switch by setting syncDebug to false in the project's dcloud_control.xml
  • If all of the above are satisfied, check whether the app integrates a third-party SDK or a uni native plug-in. For compliance issues, consult the relevant SDK provider; update the SDK, or ask the uni native plug-in author to update the bundled SDK for compliance.
  • Once everything above is satisfied, resubmit for platform testing.

# 5. How to solve the problem of "The user does not agree to force quit the application"

This problem may be caused by the user selecting the "Disagree" button after the privacy pop-up is displayed and the app exits. Please modify as follows.

# 6. Offline packaging and integration of third-party SDK

If you override DCloudApplication, pay attention to the compliance behavior of any third-party SDK initialized in the Application, so that user information is not obtained before the privacy pop-up window is shown, which would prevent the app from being listed.

# 7. The app is rejected by the application market because integrated ads are detected: solution

  • If you use HX cloud packaging, check whether third-party advertising is ticked. If it is, add the advertising privacy statement to the privacy agreement. If it was ticked by mistake, untick it, repackage, and resubmit.
  • If you package offline, check whether a third-party advertising SDK is integrated. If it is, add an advertising privacy statement to the privacy agreement. If it was integrated by mistake, remove it and recompile the APK.

# 8. The app did not check the third-party advertising module, but it was rejected when it was put on the Huawei Market.

  • Please use HX3.6.1+ to repackage

# 9. Huawei market detection: the app cannot be listed because it requests the user's personal information before the user agrees to the privacy policy

We have received a lot of feedback from developers whose apps were listed successfully on other app markets but rejected when Huawei tested them. Our guess is that, after a new APK is submitted for testing, Huawei AppGallery still tests the previously submitted APK, so the test fails. In this case, contact Huawei AppGallery technical support, tell them that the new version has been modified, and ask Huawei AppGallery to re-test and review it.

  • On VIVO mobile devices, just ignore it. This is a VIVO system mechanism: apps not installed from the vivo app market pop up a notification authorization window by default. It is not an app-initiated authorization request and does not affect the privacy policy
  • Check the integrated uni-app native plugins; a native plugin may be triggering the permission request. You can temporarily remove the plugin to troubleshoot this problem.

# 11. The app cannot be listed because of Android application vulnerabilities

  • Repackage in the cloud with HX3.6.1+
  • Harden (reinforce) the APK. Tencent Cloud is recommended

Security Vulnerability Reference Document

# 12. Your application has the behavior of obtaining sensitive information of the user's software installation list

# 13. There is an unreasonable behavior in the application to obtain relevant permissions for SMS records

  • Repackage with HX3.6.1+
  • Check whether the "Messaging" module is used. Messaging involves SMS-related permissions. Delete the configuration if it is not needed.
  • Check whether a uni native plugin is used. The permissions may be carried by the native plugin. Use the process of elimination: remove plugins and retest.

# 14. Your app obtains the user's MAC information in the background state, and it is not in the in-app privacy policy

  • Check if UniPush is integrated
  • If you integrate UniPush, update the terms of the Getui Privacy Agreement. The focus is to add the description of MAC information. See the reference.
  • If UniPush is not integrated, obtain the Java call stack from the testing platform and post a consultation on the ask forum with it

# 15. Read personal information without permission to obtain ANDROID ID

  • Check whether fcm push (including fcm in unipush), google statistics, google push, google login module is integrated.
  • If any of them is integrated, the app cannot be listed on domestic app markets. The reason is that integrating these modules imports Google's GMS service into the installation package; the android id is then obtained at startup and the app will not be listed.
  • In the uni-app project, remove the above modules in manifest.json and repackage
  • If none of these modules is integrated, obtain the Java call stack from the testing platform and post a consultation on the ask forum with it

# 16. How to package custom DCloudApplication offline and initialize other third-party SDKs to deal with compliance issues

  • We recommend changing the third-party SDK integration to a native plug-in integrated into the offline package. If the SDK is initialized through the UniAppHookProxy lifecycle callback, you don't need to care about compliance issues.
  • If you must initialize the third-party SDK in the Application, add the initialization logic in the Application's onCreate callback. It must be called after super.onCreate(), and it must use SDK.isAgreePrivacy(Context) to get the current privacy agreement state and handle each case accordingly.

```java
public class MyApplication extends DCloudApplication {
	@Override
	public void onCreate() {
		// Must run first: third-party SDK setup belongs after super.onCreate().
		super.onCreate();
		if (SDK.isAgreePrivacy(getBaseContext())) {
			// The user has already agreed to the privacy policy:
			// initialize the third-party SDK normally.
		} else {
			// Not agreed yet: if the third-party SDK provides a privacy-compliant
			// initialization function, use it. If it does not, do not initialize.
		}
	}
}
```

# 17. Please provide the 64-bit version software package before submitting it for review

  • If you use a uni native plugin, check whether the plugin supports arm64-v8a. The plugin details page states whether it is supported. If there is no plugin details page, ask the plugin developer for this information or switch to another plugin.

# 18. The application launch will actively apply for mobile phone storage permission and access device information permission, which will affect the application launch

# 19. Before the privacy agreement is accepted, the chromium SDK obtains Wifi information and MAC address through GetConnectionInfo in advance

  • Set the hrefLoader option in androidPrivacy.json to system so that the system browser displays the privacy terms, which fixes the problem. See the specific reference document.

# 20. Repeated pop-up window about denying permission

In HX3.6.1+ you can set checkPermissionDenied to true in manifest.json, so that a permission that has already been denied is detected and not requested again. (This applies only to permission requests made by the official APIs; third-party SDKs, uni native plug-ins and plus.android.requestPermissions are not restricted.)

```json
"app-plus": {
	...
	"checkPermissionDenied": true
}
```
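A pre-submission check for three settings this page calls out (template mode and syncDebug from section 4, checkPermissionDenied from section 20), as an added example that is not DCloud's code. The function names, finding ids and sample file contents are constructed; the dcloud_control.xml layout in the samples is an assumption, and the check only looks for a syncDebug attribute.

```javascript
// Added example, not DCloud code. Inputs are file contents passed as strings.

// uni-app JSON files may carry comments: drop /* */ blocks and full-line // comments.
// Simplification: a "/*" inside a string value would be stripped as well.
function parseJsonWithComments(text) {
  const cleaned = text
    .replace(/\/\*[\s\S]*?\*\//g, '')
    .split('\n')
    .filter((line) => !line.trim().startsWith('//'))
    .join('\n');
  return JSON.parse(cleaned);
}

// Returns [{ id, message }]; an empty array means every check passed.
// Pass dcloudControlXml as null for cloud-packaged projects (offline packaging only).
function checkCompliance({ androidPrivacyJson, dcloudControlXml, manifestJson }) {
  const findings = [];

  const prompt = parseJsonWithComments(androidPrivacyJson).prompt;
  if (prompt !== 'template') {
    findings.push({ id: 'privacy-prompt',
      message: 'androidPrivacy.json "prompt" is ' + JSON.stringify(prompt) + ', expected "template"' });
  }

  if (dcloudControlXml != null) {
    // Only an explicit non-false value is flagged; a missing attribute is not judged here.
    const m = /\bsyncDebug\s*=\s*["']([^"']*)["']/.exec(dcloudControlXml);
    if (m && m[1].trim().toLowerCase() !== 'false') {
      findings.push({ id: 'sync-debug',
        message: 'dcloud_control.xml syncDebug is "' + m[1] + '", expected "false"' });
    }
  }

  const appPlus = parseJsonWithComments(manifestJson)['app-plus'] || {};
  if (appPlus.checkPermissionDenied !== true) {
    findings.push({ id: 'check-permission-denied',
      message: 'manifest.json app-plus.checkPermissionDenied is not true' });
  }
  return findings;
}

// Constructed sample inputs (not taken from a real project).
const FAILING = {
  androidPrivacyJson: '//androidPrivacy.json\n{ "version": "1", "prompt": "none", "title": "t", "message": "..." }',
  dcloudControlXml: '<hbuilder debug="true" syncDebug="true"><apps><app appid="__UNI__EXAMPLE"/></apps></hbuilder>',
  manifestJson: '{ "app-plus": { /* constructed */ "modules": {} } }',
};
const PASSING = {
  androidPrivacyJson: '{ "version": "1", "prompt": "template", "title": "t", "message": "..." }',
  dcloudControlXml: '<hbuilder debug="false" syncDebug="false"></hbuilder>',
  manifestJson: '{ "app-plus": { "checkPermissionDenied": true } }',
};

console.log(checkCompliance(FAILING).map((f) => f.id), checkCompliance(PASSING).length);
```

A clean result only covers these three settings; behavior of third-party SDKs and native plug-ins still has to be verified on a device as described in section 4.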

# 21. The APP has the behavior of collecting sensors

  • If there are any of the following behaviors in the app, please supplement the privacy policy according to the purpose of using the sensor and repackage it with HX3.6.4+ version.
    1. Using the sensor-related API
    2. Integrate map positioning related modules
    3. Use plus.navigator.isSimulator
  • If there is no above-mentioned behavior in the app, but the app market reports that the app has sensor collection behavior, please use the HX3.6.4+ version to repackage and put it on the shelf.

# 22. When listing on Xiaomi, the app is reported as collecting OAID before the user agrees to the privacy policy

  • If the app supports non-consent mode and the app market reports that OAID was collected before the user agreed to the privacy policy, add the relevant privacy policy terms about OAID, then repackage with HX3.6.8+ and resubmit.

# 23. Permission application pops up when the application starts

  • Refer to [Application startup will actively apply for mobile phone storage permissions, access to device information permissions will affect the application store](https://uniapp.dcloud.net.cn/tutorial/android-store.html#_18%E3%80%81%E5%BA%94%E7%94%A8%E5%90%AF%E5%8A%A8%E4%BC%9A%E4%B8%BB%E5%8A%A8%E7%94%B3%E8%AF%B7%E6%89%8B%E6%9C%BA%E5%AD%98%E5%82%A8%E6%9D%83%E9%99%90%E3%80%81%E8%AE%BF%E9%97%AE%E8%AE%BE%E5%A4%87%E4%BF%A1%E6%81%AF%E6%9D%83%E9%99%90%E5%BD%B1%E5%93%8D%E5%BA%94%E7%94%A8%E4%B8%8A%E6%9E%B6) for configuration.
  • Check whether an API that requires permission, such as plus.device.getInfo, is called in advance, or whether plus.android.requestPermissions is called actively to request permission. If so, adjust the timing so that the API is called in the business scenario that needs it, not in advance.
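To audit a project for the early calls described in sections 1 and 23, the following added example (not DCloud's code) scans page or App source text for permission-triggering calls inside lifecycle hooks. The API list uses the calls named on this page; the hook list beyond onShow, the function names and the sample source are assumptions to adapt.

```javascript
// Added example, not DCloud code: flag permission-triggering calls in lifecycle hooks.
const PROMPTING_APIS = [
  'uni.getLocation', 'uni.chooseImage',
  'plus.device.getInfo', 'plus.android.requestPermissions',
];
// onShow is named on the page; onLaunch and onLoad are added here as an assumption.
const LIFECYCLE_HOOKS = ['onLaunch', 'onLoad', 'onShow'];

// Return the text between the "{" at openIdx and its matching "}".
// Simplification: braces inside strings or comments are counted too.
function bodyAt(source, openIdx) {
  let depth = 0;
  for (let i = openIdx; i < source.length; i++) {
    if (source[i] === '{') depth++;
    else if (source[i] === '}' && --depth === 0) return source.slice(openIdx + 1, i);
  }
  return source.slice(openIdx + 1); // unbalanced input: scan to the end
}

// Returns [{ hook, api }] for every listed API called directly inside a hook body.
function findEarlyPermissionCalls(source) {
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    // Matches "onShow() {", "onShow: function () {" and "onShow: () => {".
    const re = new RegExp(
      '\\b' + hook + '\\s*(?::\\s*(?:async\\s+)?(?:function\\s*)?)?\\([^)]*\\)\\s*(?:=>\\s*)?\\{', 'g');
    let m;
    while ((m = re.exec(source)) !== null) {
      const body = bodyAt(source, m.index + m[0].length - 1);
      for (const api of PROMPTING_APIS) {
        if (body.includes(api + '(')) findings.push({ hook, api });
      }
    }
  }
  return findings;
}

// Constructed sample page script.
const SAMPLE_PAGE = [
  'export default {',
  '  onShow() {',
  '    uni.getLocation({ type: "wgs84", success: (res) => { this.pos = res; } });',
  '  },',
  '  methods: {',
  '    pickAvatar() { uni.chooseImage({ count: 1 }); } // user-triggered: not flagged',
  '  }',
  '};',
].join('\n');

console.log(findEarlyPermissionCalls(SAMPLE_PAGE));
```

The scan is textual, so a hook that reaches one of these APIs through a helper method is not reported; treat a clean result as a first pass before checking the app behavior record on a device.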

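# 24. The app frequently self-starts or performs associated launches

  • If the call stack file provided by the app market contains io.dcloud.xx.xx.xx.DownloadReceiver, repackage with HBuilderX 3.6.18+ and resubmit for review.
  • Some native plugins are currently known to have the same privacy compliance issue. Developers can use the information in the call stack file to roughly determine which native plugin is at fault; in that case, contact the plugin author to fix it.
  • If neither of the above applies, post on the forum or contact the official team for further troubleshooting.

# 25. Rejected by Huawei: SDKs such as XX are integrated but not disclosed in the privacy policy

  • com.netease is a false positive caused by the Mobile Security Alliance OAID SDK using the NetEase hardening SDK. Version 3.7.6 adjusted the Mobile Security Alliance OAID version to avoid this issue; repackage with HBuilderX 3.7.6 and resubmit.
  • For SDKs integrated in official modules, refer to the Privacy Compliance Agreement of Each Functional Module of the Android Platform and add the corresponding privacy policy terms.
  • For SDKs integrated in native plugins, refer to the plugin documentation and add the corresponding privacy policy terms.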

# Can't understand the document and don't know how to modify it?

Paid technical services can be activated. Reference: https://ask.dcloud.net.cn/article/13015

There may be differences in the compliance review details of the major application markets. If developers encounter relevant problems, please give feedback in time, and we will summarize and organize them in time for your reference

# Related references
