05 August 2020

Parental control app Boomerang repeatedly blocked from Play Store, losing business


Apple isn’t the only one accused of kicking out competitive solutions from its App Store. Google did the same — for over a month at least — or so alleges parental control app maker Boomerang. The company’s product competes with Google’s own Family Link solution for controlling screen time and children’s use of mobile devices. The company claims Google repeatedly removed its application from the Play Store for a variety of issues, including violations of Google’s “Deceptive Behavior Policy” which relates to users’ inability to easily remove the application from their Android device.

The issue itself is complicated and an indication of how poor developer communication processes can make an existing problem worse, leading developers to complain of anti-competitive behaviors.

Like Apple, Google also has a set of rules developers have to agree to in order to publish apps on the Google Play store. The difficulty is that those rules are often haphazardly or unevenly enforced, requests for appeals are met with no replies or automated responses and, at the end of the day, there’s no way for a developer to reach a human and have a real discussion.

You may recall a similar situation involving screen time apps hit a group of screen time app makers last year. Apple then had suddenly removed a host of third-party screen time and parental control apps, shortly after introducing its own Screen Time solution within iOS 12. The company’s move was brought up during last week’s antitrust hearings in Congress, where Apple CEO Tim Cook insisted Apple’s decision was due to the risk to user privacy and security these apps caused.

The case with Boomerang is not that different. A developer gets kicked out of the Play Store and seems to have no way to escalate the appeal to an actual human to discuss the nuances of the situation further.

The Boomerang Ban

For starters, let’s acknowledge that it makes sense that the Play Store would have a policy against apps that are difficult to uninstall, as this would allow for a host of malware, spam and spyware applications to exist and torment users.

However, in the case of a parental control solution, the reality is that parents don’t want their kids to have the option to simply uninstall the program. In fact, Boomerang added the feature based on user feedback from parents.

Google itself puts its Family Link controls behind a parental PIN code and requires parents to sign into to their Google account to remove the child’s account from a device, for instance.

Boomerang’s app required a similar course of action. In “Parent Mode,” parents would toggle a switch that says “prevent app uninstallation” in the app’s Settings to make the protection on the child device non-removable.

Image Credits: Boomerang

But despite the obvious intended use case here, Boomerang’s app was repeatedly flagged for the same “can’t uninstall app” reason by the Play Store’s app review process when it submitted updates and bug fixes.

This began on May 8th, 2020 and took over a month to resolve. The developer, Justin Payeur, submitted the first appeal on May 11th to test if the ban had just been triggered by Google’s “app review robots.” On May 13th, the app was re-approved without any human response or feedback to the appeals message he had sent to Google.

But then on June 30th, Boomerang was again flagged for the same reason: “can’t uninstall app.” Payeur filed a second appeal, explaining the feature is not on by default — it’s there for parents to use if they choose.

On July 6th, Boomerang had to inform users of the problem, as they had become increasingly frustrated they couldn’t find the app on Google Play. In a customer email that didn’t mince words, Boomerang wrote: “Google has become evil.” Complaints from users said that if the app didn’t offer the “prevent uninstall” feature, it wouldn’t be worth using.

On July 8th, Boomerang received a reply from Google with more information, explaining that Google doesn’t allow apps that change the user’s device settings or features outside the app without user’s knowledge or consent. Specifically, it also cited the app’s use of the “Google Accessibility Services API” in a manner that’s  in violation with the Play Store terms. Google said the app wouldn’t be approved until it remove functionality that prevented a user from removing or uninstalling the app from their device.

This requirement, though rooted in user security, disadvantages parental control apps compared with Google’s own Family Link offering. As Google’s help documentation indicates, removing a child’s account from an Android device requires parents to input a passcode — it can’t simply be uninstalled by the end user (the child).

Boomerang later that day received a second violation notification after it changed the app to be explicitly clear to the end user (the child) that the Device Administrator (a parent) would have permission to control the device, mimicking other apps Boomerang said were still live on Google Play.

After two more days pass with no reply from the Appeals team, Boomerang requested a phone call to discuss. Google sent a brief email, saying it was merging the two active Appeals into one but no other information about the Appeal was provided.

On July 13th, Boomerang was informed Google was still examining the app. The company replied again to explain why a parental control app would have such a feature. The same day, Boomerang was alerted that older versions of its app in its internal testing area in the Play Console were being rejected. These versions were never published live, the company says. The rejections indicated Boomerang was “degrading device security” with its app.

The next day, Boomerang informed its user base that it may have to remove the feature they wanted and emailed Google again to again point out the app now has clear consent included.

Image Credits: Boomerang; Email complains of “material impact” to business 

Despite not having made any changes, Google informs Boomerang on July 16th it’s in violation of the “Elevated Privilege Abuse” section of the Google Play Malware policy. On July 19th, the company removed the additional app protection feature and on July 21st, Google again rejected the app for the same violation — over a feature that had now been removed.

Despite repeated emails, Boomerang didn’t receive any message from Google until an automated email arrived on July 24th. Again, Google sent no response to the emails where Payeur explains the violating feature had now been removed. Repeated emails through July 30th were also not responded to.

After hearing about Boomerang’s issues, TechCrunch asked Google on July 27th to explain its reasoning.

The company, after a few follow-ups, told TechCrunch on August 3rd that the issues with Boomerang — as later emails to Boomerang had said — were related to how the app implemented its features. Google does not allow apps to engage in “elevated privilege” abuse. And it doesn’t allow apps to abuse the Android Accessibility APIs to interfere with basic operations on a device.

Google also said it doesn’t allow any apps to use the same mechanism Boomerang does, including Google’s own. (Of course, Google’s own apps have the advantage of deep integrations with the Android OS. Developers can’t tap into some sort of “Family Link API,” for example, to gain a similar ability to control a child’s device.)

“We recognize the value of supervision apps in various contexts, and developers are free to create this experience with appropriate safeguards,” a Google spokesperson said.

More broadly, Boomerang’s experience is similar to what iOS parental control apps went through last year. Like those apps, Boomerang too bumped up against a security safeguard meant to protect an entire app store from abusive software. But the blanket rule leaves no wiggle room for exceptions. Google, meanwhile, argues its OS security is not meant to be “worked around” like this. But it has also at the same time offered no official means of interacting with its OS and own screen time/parental control features. Instead, alternative screen time apps have to figure out ways to basically hack the system to even exist in the first place, even though there’s clear consumer demand for their offerings.

Boomerang’s particular case also reveals the complexities involved with of having a business live or die by the whims of an app review process.

It’s easy enough to argue that the developer should have simply removed the feature and moved on, but the developer seemed to believe the feature would be fine — as evidenced by prior approvals and the approval received upon at least one of its appeals. Plus, the developer is incentivized to fight for the feature because it’s something users said they wanted — or rather, what they demanded, to make the app worth paying for.

Had someone from Google just picked up the phone and explained to Boomerang what’s wrong and what alternative methods would be permitted, the case may not have dragged on in such a manner. In the meantime, Boomerang likely lost user trust, and its removal definitely impacted its business in the near-term.

Reached for a follow-up, Payeur expressed continued frustration, despite the app now being re-approved for Play Store distribution.

“It took Google over a month to provide us with this feedback,” he said, referencing the forbidden API usage that was the real problem. “We are currently digesting this”  he said, adding how difficult it was to not be able to talk to Google’s teams to get proper communication and feedback over the past several weeks.

Boomerang has begun collecting the names of other similarly impacted apps, lile Filter Chrome, Minder Parental Control, and Netsanity. The company says other apps can reach out privately to discuss, if they prefer.

 

 

 


Read Full Article

No comments:

Post a Comment