Using SDKs safely and securely

Many app developers rely on third-party products and services to enable key functionality in their apps. These services are often distributed through one or more code libraries that together are commonly referred to as a software development kit (SDK).

Expectations for developers using third-party SDKs

If you include an SDK in your app, you are responsible for ensuring that their third-party code and practices are compliant with Google Play Developer Program Policies and do not cause your app to violate policies.

Our newly created SDK Requirements section is designed to help you safely and securely integrate SDKs into your apps and offers guidance on how some of our existing privacy and security requirements apply in the SDK context. In addition to providing a centralized resource for SDK requirements, we are reiterating our expectations regarding the use of SDKs in your apps when it comes to user data. For example, app developers are required to treat any data collection from within their app by an SDK as if they collected it directly.

If you include an SDK in your app, make sure to take the following steps:

• Only share user data collected through your app with a third party when they need it.
• Be aware of how the SDKs in your app handle user data; know what permissions they use, what data they collect, and why.
• Be aware of additional restrictions for sensitive use cases, such as the use of SDKs in apps targeting children.
• Ensure your SDK providers implement logic that reads and adheres to the app developer-collected user preference, or ensure that a mechanism exists for the app developer to accurately initialize the SDK integrated into the app according to this user-facing consent event.

Complying with Google Play Developer Program Policies

To help you ensure that any SDK your app is using complies with Google Play Developer Program Policies, we provide various tools and notifications which are as follows:

• We flag known issues with popular SDKs in Play Console.
• Google Play SDK Index helps you learn more about the most used commercial SDKs. It combines usage data from Google Play apps with information gathered through code detection to provide attributes and signals designed to help you decide whether to adopt, keep, or remove an SDK from your app.
• Google Play SDK Console gives eligible SDK providers crash reporting, usage statistics, and a way to communicate critical issues to app developers through Play Console and Android Studio.

Remember that your app must not use a noncompliant version of an SDK which violates Google Play Developer Program Policies or allow an SDK to collect or share data for any purpose that is not compliant with our policies. Noncompliant SDK versions must be removed or replaced with a compliant version.

Tips:

• If you have questions about an SDK version and their compliance with SDK policy requirements, we recommend that you contact your SDK provider.
• If you receive an enforcement notice about an SDK-caused violation in your app that you need to address, see Resubmit your app following a policy violation for information on how to resolve it.
• If you're an SDK provider, you can use this optional format for SDKs to publish guidance for your users regarding Google Play's Data safety section.

Policies commonly associated with SDK-caused violations

To help you ensure that any third-party code your app is using complies with Google Play Developer Program Policies, review the following policies in their entirety:

• User Data
• Permissions and APIs that Access Sensitive Information
• Device & Network Abuse
• Malware
• Mobile Unwanted Software
• Families Self-Certified Ads SDK Program
• Ads
• Deceptive Behavior
• Google Play Developer Program Policies

Note: Remember that bad SDK code could cause your app to violate a different policy not referenced in the preceding list. Make sure to review and stay up to date with all policies in their entirety as it is always your responsibility as an app developer to ensure that your SDKs handle your app data in a policy-compliant manner.

SDK-related resources

Here are some resources that support the safe use of third-party SDKs in your app:

• Using third-party SDKs in your app
• SDK best practices for user safety
• Google Play Academy's training on SDK best practices
• Understand app privacy & security practices with Google Play's Data safety section
• Google Play SDK Index
• Best Practices for Prominent Disclosure & Consent

If you receive an enforcement notice about an SDK-caused violation in your app that you need to address, see My app has been removed from Google Play for information on how to resolve the issue.

If you're an SDK provider, you can use this optional format for SDKs to publish guidance for your users regarding Google Play's Data safety section.