<p><strong>Your app is not compliant with Google Play Policies: A story from hell</strong><br />Sylvia van Os, 2021-12-24</p>
<p><em>Last updated: 2022-02-10</em></p>
<h1 id="the-current-state-of-my-apps">The current state of my apps</h1>
<p>For those who don’t know me, I am a Linux system administrator who codes a lot, mostly as a hobby. During my hobbies I wrote a few Android apps too, my most known one being <a href="https://catima.app">Catima</a>.</p>
<p>Catima is only available on Google Play and F-Droid and will probably remain exclusive to these platforms for the foreseeable future.</p>
<p>But why isn’t Catima on other app stores, like the Samsung Galaxy Store, Amazon AppStore or Huawei App Gallery, one may ask. Is there something wrong with those stores? The answer may surprise you:</p>
<p><strong>The reason Catima isn’t on alternative app stores isn’t because there is something wrong with them, it’s because there is something wrong with Google Play</strong>.</p>
<p><em>Note: With this I meant that Google Play was taking way too much of my time and energy to also publish to other stores. Luckily, the situation seems to have died down for now and I may reconsider publishing to other stores. That would however require me being convinced that that store isn’t as bad as <a href="https://twitter.com/SylvieLorxu/status/1359461643768516608">the</a> <a href="https://twitter.com/SylvieLorxu/status/1374251557735256065">Huawei</a> <a href="https://twitter.com/SylvieLorxu/status/1377208451227598849">AppGallery</a>.</em></p>
<h1 id="what-is-wrong-with-google-play">What is wrong with Google Play</h1>
<p>Everyone knows Google Play. It is pre-installed on every Android device bought in stores, so it is the way to reach as many users as possible. That, however, is pretty much where the good parts end.</p>
<p>Unlike F-Droid, publishing on Google Play is not free but requires a one-time payment of 50 Euros to register a developer account. This account can then be used to publish as many apps as you want, so the cost is not insane given the number of users you reach, but still worth mentioning.</p>
<p>The real problem with Google Play, however, is not the money. <strong>It is the incompetence of their support and moderation staff</strong>.</p>
<h1 id="the-beginning-of-the-end">The beginning of the end</h1>
<p>On October 2nd 2021, I received an email titled: <a href="https://github.com/TheLastProject/Catima/issues/439#issue-1014074229">“Action Required: Your app is not compliant with Google Play Policies”</a>.</p>
<p><img src="/assets/images/blog/2021-12-24-google_play_hell/135721623-9df9ad54-81f3-4dac-8410-658413e47b9e.png" alt="The initial e-mail" /></p>
<p>I was confused, because I actually always do read the rules and was pretty sure I wasn’t breaking any policy.</p>
<p>After several mails back and forth, I started to get a hunch: <strong>Google was using Google Translate incorrectly</strong>.</p>
<p>You see, Google doesn’t accept apps saying they’re free in the title (most likely to keep the app list clean, as this info is already readable in other places), and if you naively throw the Dutch word “vrij” (meaning “free as in freedom”) into Google Translate, you get “free” in English. While the word “free” in English is ambiguous, it is possible to use it to refer to things as being at no cost, which would break the policy.</p>
<p>Google never truly explained which word they had a problem with, just kept repeating vague statements like “your app’s title in nl_NL and no_NO locales currently contains text that indicates price and promotional information”, but this was my best guess as to what was wrong. After 4 full days of trying to teach Google staff how a dictionary worked, <a href="https://github.com/TheLastProject/Catima/issues/439#issuecomment-935645288">I caved in and changed the Dutch and Norwegian titles</a>. Not even 24 hours later, I got another email.</p>
<p><strong>“Action Required: Your app is not compliant with Google Play Policies”</strong></p>
<h1 id="the-relentless-gut-punching">The relentless gut-punching</h1>
<p>The new compliance email did not focus on just Dutch and Norwegian, it marked 9 new languages:</p>
<p><img src="/assets/images/blog/2021-12-24-google_play_hell/136173470-2f77fa5b-da67-4a19-99ef-bb69c7ee5449.png" alt="The second email" /></p>
<p>Annoyed, <a href="https://github.com/TheLastProject/Catima/commit/ddccbad0202aaa88a567ee5bc931840ed0231331">I changed all those translations and hoped for it to end</a>.</p>
<p>Again, not even 24 hours later, I got another email:</p>
<p><img src="/assets/images/blog/2021-12-24-google_play_hell/136180398-e6051aa6-4765-4aac-bc54-b6a2cdadd8c0.png" alt="The third email" /></p>
<p>Fine, small change, so <a href="https://github.com/TheLastProject/Catima/commit/017034a78804eb092917086376192796587e373e">I’ll just update the Chinese translation</a>.</p>
<p>At this point, we’re on October 7th and I got a promising email: “Your update is live in the store”:</p>
<p><img src="/assets/images/blog/2021-12-24-google_play_hell/136434121-02f7a4f4-1729-4587-8b6e-8be3360c0290.png" alt="Translations approved" /></p>
<p>While this was less than ideal, it seemed like the end of this hell, and like I could move on to focus on actually making the app better.</p>
<p>After “only” 5 days, the issue was “resolved” by pure guessing on my side. Well, mostly at least. There were just some last annoyances on <a href="/assets/images/blog/2021-12-24-google_play_hell/140650588-0be275bd-7cda-46ed-893e-ecef5ccb2ccd.png">November 7th</a> and <a href="/assets/images/blog/2021-12-24-google_play_hell/142705625-64eaa677-f78c-4f5b-a8a9-8b2e79a9ad90.png">November 20th</a>, until something truly interesting happened.</p>
<h1 id="google-accidentally-proves-my-theory">Google accidentally proves my theory</h1>
<p>On November 23rd, I got another mail. Another “Action Required”. This one, though, was somewhat different.</p>
<p><img src="/assets/images/blog/2021-12-24-google_play_hell/142989964-b7fb84c0-c053-4d58-81f3-a4a7c5d06119.jpg" alt="The nonsensical mail" /></p>
<p>Yes, you read that right. Google was upset that I used the word “Free” in my app titles. The only problem? I <a href="/assets/images/blog/2021-12-24-google_play_hell/142989934-d05f6fc0-2dfd-4955-934b-780501213019.png">never</a> <a href="/assets/images/blog/2021-12-24-google_play_hell/142989953-672361c8-a7b2-4827-a932-3a164f4fec6e.png">used</a> <a href="/assets/images/blog/2021-12-24-google_play_hell/142989955-d5cd3aeb-4bb5-416f-800c-816711f6419d.png">them</a>. This proved my theory: <strong>Google was using Google Translate to translate the app titles instead of reviewing them with native speakers</strong>.</p>
<p>I’ll be honest, I pretty much had a mental breakdown that day. It was just… too insane for words.</p>
<h1 id="one-last-punch-in-the-gut-a-stupid-google-play-console-bug">One last punch in the gut: a stupid Google Play Console bug</h1>
<p>I got one last such e-mail on December 17th, this time talking about the Bulgarian translation. I <a href="https://github.com/TheLastProject/Catima/commit/d84ce6ff8207752561ad7385de667cbcc0aa0182">removed it</a>, thinking this was hopefully finally the end.</p>
<p>Sadly, a bug in the Google Play Console causes all fields of all languages to be revalidated if you make any change. Because Google recently <a href="https://android-developers.googleblog.com/2021/04/updated-guidance-to-improve-your-app.html">lowered the title length from 50 to 30 characters</a> and not all Catima translators have changed their translations yet, I literally cannot edit the “non-compliant” title, as all fields of all languages need to follow the rules at the moment you hit save, even if you are not making changes to that specific field or language.</p>
<p><img src="/assets/images/blog/2021-12-24-google_play_hell/FG0nEC0WYAUiU39.png" alt="Google Play Console bug" /></p>
<p>As I write this, I have just received another email from Google after I told them I literally cannot comply due to this bug telling me to… make sure all my titles are 30 characters or shorter.</p>
<p><strong>Despite all I tried, it’s now almost 3 full months later, and I am still “not compliant”</strong>.</p>
<h1 id="further-reading">Further reading</h1>
<p>If you want to see all my frustration, take a look at <a href="https://github.com/TheLastProject/Catima/issues/439">Catima GitHub issue #439</a> and <a href="https://twitter.com/SylvieLorxu/status/1471875608636444675">all these tweets</a>.</p>
<hr />
<h1 id="other-google-review-team-mess-ups">Other Google Review team mess-ups</h1>
<p>On January 16th, 2022, Google rejected an app update because of a lack of login info. Despite the fact that Catima is completely offline and Catima accounts literally do not exist.</p>
<p><img src="/assets/images/blog/2021-12-24-google_play_hell/2022-16-01.jpg" alt="Email stating Google rejected my app due to a lack of login info" /></p>
<p>On January 18th, the resubmission was approved 10 minutes after I received another email (which couldn’t have been automatic as it was 2 days later) telling me the following: “We’re reaching out in response to your recent appeal regarding Play Console Requirements policy. If your app was missing valid log-in credentials and you are now ready to provide them, you can resolve this issue on your own without waiting to hear back from a policy support agent.”. Not very sensical, but for now, Catima is approved again.</p>
<p>This happened again on <a href="https://twitter.com/SylvieLorxu/status/1488022557748076545">January 31st</a>, just 2 weeks later. This time the appeal was approved the very next day.</p>
<hr />
<p><strong>Making spam manageable</strong><br />2021-09-26</p>
<p><em>This blog entry was originally posted to <a href="https://sue.nl/making-spam-manageable-by-using-email-aliases/">sue.nl</a></em></p>
<p><strong>Nowadays, spam and data breaches seem to be the default. In this article I will explain how to use email aliases to help cut down on spam more effectively and how email aliases avoid the pitfalls of “the + sign trick”.</strong></p>
<h1 id="the-what-and-why">The what and why</h1>
<p>An alias is an alternative email address that also gets delivered to your mailbox. There are different implementations of this. Some aliases can be replied from, some not. Some people implement “aliases” by simply using multiple mailboxes, others use the + sign trick (yourname+service@example.com), or they forward it. In this post, we will be using a mechanism which sends emails – sent to any of the aliases – to our main mailbox, but which still allows us to respond using the alias itself to hide our main mailbox’ address.</p>
<h1 id="multiple-benefits">Multiple benefits</h1>
<p>Using aliases instead of one single mail address has multiple benefits.</p>
<p>First of all, it allows you to know where the email is coming from.</p>
<p>By using a different alias on every website, you will be able to tell where someone found the email address they are contacting you from. This enables you to tell if the spammer found your email address on your website, or if they somehow got access to the email address you gave to that one online store – that just seemed slightly sketchy but not sketchy enough to not give it a try. Being able to tell the source is very useful. It makes it visible if any of the places you gave your alias to are leaking your personal information or using it for something they shouldn’t be using it for. It ensures that you can hold the companies you do business with accountable. It also enables you to more easily tell apart well-designed scam emails. After all, it would make no sense for GitHub to be sending that “unexpected login” alert to the email you gave to Twitter. It would thus be very obvious that this is a scam email.</p>
<p>Secondly, in some configurations, the alias could forward the email to multiple recipients. That way, you and your team lead could both be kept in the loop on a specific subject. This is one of the ways aliases are often used within Sue, allowing employees to keep their main email account to themselves but still easily and automatically share relevant emails.</p>
<p>Most importantly though, it allows for a separation. Instead of getting hundreds of spam mails to your real email address, spam will end up in just a single alias. When the spam arrives, you just throw away that single alias. That way you can finally cut off the spam without cutting off everyone else.</p>
<h1 id="avoid-the--sign-trick">Avoid the + sign trick</h1>
<p>Some readers may wonder, why not just use the + sign trick as it is supported by many providers natively? Sadly, the + sign trick has a few important issues that make it a weak alternative to aliases. Firstly, many services incorrectly reject email addresses with the + symbol in them, marking them as invalid email addresses. However, even if the + sign trick is allowed (because the format is so standardized) spammers can easily turn yourname+service@example.com into yourname@example.com, removing all separation and easily spamming your main address. The + sign trick is therefore not a viable alternative to aliases when it comes to spam protection.</p>
<h1 id="implementing-it">Implementing it</h1>
<p>Frankly, there are many ways one could go about this. For my personal usage I have gone with the Open Source service SimpleLogin. If SimpleLogin is not your vibe, there are alternatives such as AnonAddy. Alternatively, you could also set it up yourself or by using tools of your domain’s hosting provider if these exist. In this post I will talk about SimpleLogin, simply because I have more experience with that specific provider. The setup we will be going with is one secret email and many aliases, one per service, using our own domain. We will add a bit of secrecy to each service’s email, to avoid impersonation. Our end goal is to have all our email arrive in a secret mailbox, but never let this secret mailbox be known to anyone. We will be making use of SimpleLogin’s official instance, but it is possible to instead self-host the platform.</p>
<p>First things first we need to notice that SimpleLogin is not an email provider, but a forwarding service. They will not store our actual emails, so we will need a destination mailbox. This can be on a custom domain, but an email from a free provider such as Outlook or Gmail will work just fine too. After we have our destination mailbox set up, we can create an account on SimpleLogin. We can either create aliases on some of the domains they have provided for free, or opt for more control by using our own domain name. Do note that custom domains are not free on the official instance, so you will have to buy their premium membership or self-host.</p>
<p>Now we can start creating aliases. For example, I would personally create a new Custom Alias for Twitter using a random prefix. This would become something like twitter.zed81@example.com, with our main mailbox set up as the destination mailbox. The random prefix (zed81 in this case) allows us to prevent this email from being guessed. We then give this email address to Twitter instead of our main mailbox. If we respond to an email sent to us by Twitter, SimpleLogin will ensure the email is translated correctly to use the alias as sender information so Twitter will still not know our main address. Simple, yet effective.</p>
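<p>The per-service alias scheme, the weakness of the + sign trick and the "GitHub alert sent to the Twitter alias" check described above, as an added Python example (not code from the original post or from SimpleLogin). The alias registry, the second alias, the function names and the sample messages are constructed, and the check assumes the From header still carries the original sender's address.</p>

```python
import secrets
from email import message_from_string
from email.utils import parseaddr

# Constructed registry: alias -> domains that service is expected to send from.
ALIASES = {
    "twitter.zed81@example.com": {"twitter.com"},
    "github.k3v9q@example.com": {"github.com"},
}

def strip_plus_tag(address):
    """Show what anyone holding a plus-tagged address can recover from it."""
    local, _, domain = address.rpartition("@")
    return f"{local.split('+', 1)[0]}@{domain}"

def new_alias(service, domain="example.com", nbytes=4):
    """Build service.<random>@domain; the random part keeps it unguessable."""
    return f"{service}.{secrets.token_hex(nbytes)}@{domain}"

def sender_domain(msg):
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def classify(raw_message):
    """Compare the alias a message arrived on with who it claims to be from.

    A matching From domain is not proof of authenticity (headers can be
    forged); a mismatch means the alias leaked or the mail is a scam.
    """
    msg = message_from_string(raw_message)
    _, rcpt = parseaddr(msg.get("To", ""))
    expected = ALIASES.get(rcpt.lower())
    if expected is None:
        return "unknown-alias"
    dom = sender_domain(msg)
    if any(dom == d or dom.endswith("." + d) for d in expected):
        return "expected-sender"
    return "alias-leaked-or-phish"

# Constructed sample messages.
TWITTER_MAIL = (
    "From: Twitter <info@twitter.com>\n"
    "To: twitter.zed81@example.com\n"
    "Subject: New login\n\nbody\n"
)
GITHUB_ON_TWITTER_ALIAS = (
    "From: GitHub <noreply@github.com>\n"
    "To: twitter.zed81@example.com\n"
    "Subject: Unexpected login\n\nbody\n"
)

if __name__ == "__main__":
    print(strip_plus_tag("yourname+service@example.com"))
    print(strip_plus_tag("twitter.zed81@example.com"))
    print(new_alias("twitter"))
    print(classify(TWITTER_MAIL))
    print(classify(GITHUB_ON_TWITTER_ALIAS))
```

<p>When an alias starts returning the mismatch result, disabling that one alias and issuing a fresh one for the service cuts off the sender without touching any other address.</p>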
<h1 id="summarizing">Summarizing</h1>
<p>Using email aliases is really not as complicated as it may sound, but they are an amazing tool to keep spam under control. I personally followed this approach for roughly a full year now and don’t see myself going back any time soon. I hope this blog post has convinced you of the benefits as well. If you have not yet, give it a try yourself!</p>