Andotp: Removed from the Google Play Store

Created on 11 Oct 2019  路  32Comments  路  Source: andOTP/andOTP

andOTP was recently removed from the Google Play Store for violating their payment terms.
This is most likely due to the fact that we offer in-app donation links that DO NOT use Googles In-App billing, which is against their terms.

As a first step to get it back on Google Play I will try to provide a build flavor without donation links.
The second step would be to (maybe) include Google Play In-App billing in that flavor, but I'm not sure I want to do that.

Please share your opinions on this!

help wanted question

Most helpful comment

@dlemire60 As a security professional, you should strongly distrust apps through the Play Store. Google has engaged in a massive marketing campaign to convince you that it is safe, but it is definitely not. Stories about multi-million install malware campaigns operated through the Play Store are common, and "Play Protect", Google's supposed security platform, is... well, kinda a joke: https://www.av-test.org/en/antivirus/mobile-devices/

@flocke Avoid giving Google 30% of your donations. Ideally, discourage using the Play Store as the installation vector for the app, and push people towards F-Droid or sideloading directly from the legitimately trustable source of the app: Your own page or GitHub.

All 32 comments

Well, that's a bummer. My thoughts:

  • andOTP has quickly become my favorite TOPT app. I've used it twice in my first half-hour at work today (once to log in to GH to comment here)
  • as a security professional, I'm cautious with my software sources and I _strongly_ prefer getting apps through the Play Store. It's not perfect but it does offer some security protections that I'd rather have than not, plus I consider automatic updating super important.
  • I don't know what the concerns are with using Google's In-App billing, so I can't comment on the pluses & minuses of that. Maybe you can provide some info or a relevant link?

I think my bottom line is that I'd probably continue to use andOTP if I had to get it somewhere other than the Play Store, but it's really not my preference.

I just introduced two different build flavors in be994a0093d470dea1341b1c8a86d1cc6ea10252. One called fdroid that continues to show the donate options in the About screen and one called play without them. I hope that fixes the problem, I will try to release a new version to Google Play soon.

Edit: And I haven't looked into the pros and cons of Google Play Billing yet, so I can't comment on that currently. Maybe I will add it to the play flavor at some point, but without any donation options we should be able to get it back into the Play Store soon.

@flocke I would say to keep things simpler just keep 1 flavour, remove the donation links, keep our site links so that people can still go to our sites and find donation links themselves, and also add donation links onto github readme

Very sorry to hear that, will ask around and see if I can also get any help or advice for you. I would suggest @RichyHBM 's approach.

As pointed out by someone on HN, Google In-App Billing apparently doesn't support donations: https://play.google.com/about/monetization-ads/.

Here are some examples of products not currently supported by Google Play In-app Billing:

  • One time-payments, including peer-to-peer payments, online auctions, and donations.

@flocke, please share the exact messages you received, this issue may set a precedent for other open source apps, so it's important to document it.

WireGuard is in the same situation, and the topic is getting attention on HN: https://news.ycombinator.com/item?id=21268389

@dlemire60 As a security professional, you should strongly distrust apps through the Play Store. Google has engaged in a massive marketing campaign to convince you that it is safe, but it is definitely not. Stories about multi-million install malware campaigns operated through the Play Store are common, and "Play Protect", Google's supposed security platform, is... well, kinda a joke: https://www.av-test.org/en/antivirus/mobile-devices/

@flocke Avoid giving Google 30% of your donations. Ideally, discourage using the Play Store as the installation vector for the app, and push people towards F-Droid or sideloading directly from the legitimately trustable source of the app: Your own page or GitHub.

@flocke something you could add to github is a .github/FUNDING.yml page.
https://help.github.com/en/articles/displaying-a-sponsor-button-in-your-repository

@dlemire60 As a security professional, you should strongly distrust apps through the Play Store. Google has engaged in a massive marketing campaign to convince you that it is safe, but it is definitely not. Stories about multi-million install malware campaigns operated through the Play Store are common, and "Play Protect", Google's supposed security platform, is... well, kinda a joke: https://www.av-test.org/en/antivirus/mobile-devices/

I have to agree here for 100%. F-Droid can also reliably update your apps automatically if the privilege extension is installed.

@flocke Avoid giving Google 30% of your donations. Ideally, discourage using the Play Store as the installation vector for the app, and push people towards F-Droid or sideloading directly from the legitimately trustable source of the app: Your own page or GitHub.

I wouldn't push for side-loading. While the idea of moving away from google is certainly right, many people can't distinguish between "legitimate" sources and dangerous ones once they know how to install apk's. Therefore I'd purely focus on F-Droid. On Android Pie the installation of third-party apps is even limited to single applications (e.g. F-Droid) and therefore is a more secure alternative to sideloading from github IMHO.

As someone who makes app and sells apps in Google Play store, may I make the following suggestion?

Since Google is pretty serious with his Play store rule and regulation, we as developers need to abide by rules.

You may still implement in-app billing. For the in-app item, do not use "donation" term. Try to offer a good-to-have feature like "unlocking additional app color theme". With such, you can comply to Google's rules and regulations, and able to get your monetary reward.

Also, in your in-app pricing, remember take consideration into 30% Google cut and Government tax.

@flocke I am using the beta version of andOTP, which is/was only available in the Google Play Store. Would it be possible for you to publish it in F-Droid as well? Then I wouldn't care about the Play Store version. Don't let Google threaten or intimidate you!

@yccheok Why should Google get 30% of good will for applications that are jumping through hoops to deal with Google beuracracy?

@luger19 it's already available in f-droid: https://f-droid.org/de/packages/org.shadowice.flocke.andotp/

@yccheok Why should Google get 30% of good will for applications that are jumping through hoops to deal with Google beuracracy?

It really depend on the objective of andOTP. If reaching more users is andOTP's goal, then they can consider distributing via Google Play store.

Why paying 30% cut? Because Google able to offer which other app stores cannot - user traffic. I have tried distribute app via other app stores. None of them can compete with Google's in term of downloading traffic.

But if this not not andOTP's goal, and they don't mind to get significant less end users, they can choose not to do so.

@flocke Keep in mind that when you add Google Play Billing the Google Play Store page will show your address information since Google is legally required to show this when users are doing business with developers.

@luger19 @mbiebl andOTP is already on F-Droid but F-Droid doesn't support other channels such as beta or alpha. It's not possible to have separate versions of the same app on F-Droid if I remember correctly.

My suggestion is that you put your APK out there and let people install it themselves, till you resolve any issues.

As much as I hate myself for saying this, donating to app devs using the Play store is sooo easy that I sometimes buy apps on the Play store that are also available on F-droid because it is just such an easy way to donate. In the Netherlands an Ideal QRcode or "payment request" would be just as easy (basically one tap paying) but it's only a thing here. I might do BTC (always some in the wallet app on the phone) but other payment platforms like Credit Card or PayPal are often too much trouble to go through for me. I'm sorry.

A separate app called "andOTP donate" in the Play store could be an option? Is that allowed?

@luger19 @mbiebl andOTP is already on F-Droid but F-Droid doesn't support other channels such as beta or alpha. It's not possible to have separate versions of the same app on F-Droid if I remember correctly.

ah, ok. It should be possible I guess to provide a beta version via a separate app-id, like org.shadowice.flocke.andotp.beta. Admittedly, not as convenient as alpha/beta channels.

@flocke Keep in mind that when you add Google Play Billing the Google Play Store page will show your address information since Google is legally required to show this when users are doing business with developers.

@luger19 @mbiebl andOTP is already on F-Droid but F-Droid doesn't support other channels such as beta or alpha. It's not possible to have separate versions of the same app on F-Droid if I remember correctly.

The Tusky developer has managed to release a beta version in another repo (https://releases.nailyk.fr/repo) (so to speak another app). With andOTP this would probably work too.

The Tusky developer has managed to release a beta version in another repo (https://releases.nailyk.fr/repo) (so to speak another app). With andOTP this would probably work too.

This. Due to the F-Droid review process, the main repo takes weeks to get an update deployed. You wouldn't want alpha or beta versions there, without quick turnaround.

Is it true that versions such as https://github.com/andOTP/andOTP/releases/tag/v0.6.3-beta1 are the most current beta versions at the time, which have also been released in the Google Play Store? That would be nice.

Thank you guys for all you comments, I barely have time to catch up here. The current plan is to continue to publish on Google Play using a different build flavor that doesn't display the donation links and keep the donation links for F-Droid and the APKs published on Github. That way I hope to be able to re-upload it to Google Play this Friday already. After that I can still decide if I want to add Google Play Billing, but I am leaning more towards not adding it.

@luger19 There is no current beta, v0.6.3-beta1 was the latest, but v0.6.3 has already been released as the newer stable version.
Sadly F-Droid doesn't make it easy to publish beta versions. While stable release get picked up and built automatically I have to submit a PR on F-Droids data repo for each beta version manually. For v0.6.3-beta1 the PR was never merged before the stable version was released. In the future I am thinking about setting up my own F-Droid repo specifically for beta releases. That way I could manually upload them there as soon as they get released.

@flocke Thank you.
just as an idea: replace donation link with text like "If you would like to support this project please follow wiki and read Financial help topic". Since you are not using In-App billing (which is prohibit donations by TOS) and there is no links to donation page directly this should be sufficient.

@iyesin What I am currently thinking about is reworking the About section a bit. Currently I have a section "Support development" with two links to "report bugs" and "translate". Maybe I rework it to be just one link called "Support development" that leads to a section in the Readme on Github where I keep things like "report bugs", "translate" and "donate".

As an F-Droid contributor, but also a person who deals with average users (family members, friends, etc.) I think that for an app to be accessible for the average user, the only option is to distribute it through the PlayStore.

It is very difficult to get an average user to install F-Droid (non intuitive way of installing it, various questions related to the security warning, etc.) and when I install F-Droid on their device, they never update installed apps because it is a two step process.

I would also strongly recommend against making the apk downloadable. It is a security nightmare with non technical users downloading random executable files form the internet including backdoored versions of FOSS software.

I know that some FOSS projects have chosen to distribute their apps for free on F-Droid, but have their apps available for a fee on the PlayStore or with additional features available as in-app purchase.

Did anybody explore dummy "premium features"/in-app purchases like supporter badges? That wouldn't be a donation, but purchasing that badge.

I know that some FOSS projects have chosen to distribute their apps for free on F-Droid, but have their apps available for a fee on the PlayStore or with additional features available as in-app purchase.

SimpleMobileTools is one such example. All apps are available for free on F-Droid, but are paid on Google Play. There's even an app that you can purchase just as a thank you to developer, although I guess it is more a remnant from the time when all SMT apps were free also on Google Play - the switch to current model happened approx. a year ago.

I have to say I find this model fair - if you prefer getting your apps the easy way (Google Play), why not spare some a buck or two for an app that's worth it? If you do not mind to spend some time getting F-Droid installed on your phone, then you get your FOSS app for free.

@chesio @mimi89999 The problem with that model is that Google is getting a third of the money then. The idea that Google should get a third of donor money because they've decided to be anticompetitive and block alternative payments is offensive, and no open source community should tolerate or enable it.

@ocdtrekkie That's right, but there doesn't seem to be any alternative.

@mimi89999 There is: Simply don't accept donations via the Play Store while we all wait for someone in the federal government to realize how horrifically illegal Google's policy is. Ask users for donations whenever they interact with the project outside of the Google Play nightmare, and encourage people to go get the app from a safer, more legitimate source like F-Droid.

andOTP is finally back on the Play Store. This was achieved by using a specific build flavor for the Play Store which does not show any donation links.

I'm not sure if this is the best place to post this but my daughter and I felt strongly about this and wanted to help in some way. We have created a petition and maybe we can get some signatures to lobby Google about donation links or similar. Would anyone who can please sign and maybe share with your communities via whatever channel and network?

https://www.ipetitions.com/petition/hey-google-support-donations-to-foss

Even if it doesn't directly have an effect maybe over time these types of joined up voices will see Google change for the better.

@tabroughton, thank you for taking action, we need more people like you and your daughter!

Here's the HN submission of the petition: https://news.ycombinator.com/item?id=21378231

Was this page helpful?
0 / 5 - 0 ratings

Related issues

aph3rson picture aph3rson  路  6Comments

krc picture krc  路  4Comments

mbiebl picture mbiebl  路  4Comments

BoFFire picture BoFFire  路  4Comments

D0mm4S picture D0mm4S  路  4Comments