Flag Secure Requirements

FLAG_SECURE is a display flag declared in an app’s code to indicate that its UI contains sensitive data intended to be limited to a secure surface while using the app. This flag is designed to prevent the data from appearing in screenshots or from being viewed on non-secure displays. Developers declare this flag when the app’s content should not be broadcast, viewed, or otherwise transmitted outside of the app or users’ device.

For security and privacy purposes, all apps distributed on Google Play are required to respect the FLAG_SECURE declaration of other apps. Meaning, apps must not facilitate or create workarounds to bypass the FLAG_SECURE settings in other apps.

VPN Service

The VPNService is a base class for applications to extend and build their own VPN solutions. Only apps that use the VPNService and have VPN as their core functionality can create a secure device-level tunnel to a remote server. Exceptions include apps that require a remote server for core functionality such as:

• Parental control and enterprise management apps.
• App usage tracking.
• Device security apps (for example, anti-virus, mobile device management, firewall).
• Network related tools (for example, remote access).
• Web browsing apps.
• Carrier apps that require the use of VPN functionality to provide telephony or connectivity services.

The VPNService cannot be used to:

• Collect personal and sensitive user data without prominent disclosure and consent.
• Redirect or manipulate user traffic from other apps on a device for monetization purposes (for example, redirecting ads traffic through a country different than that of the user).
• Manipulate ads that can impact apps monetization.

Apps that use the VPNService must: 

• Document use of the VPNService in the Google Play listing, and
• Must encrypt the data from the device to VPN tunnel end point, and
• Abide by all Developer Program Policies including the Ad Fraud, Permissions, and Malware policies.  

Exact Alarm Permission

A new permission, USE_EXACT_ALARM, will be introduced that will grant access to exact alarm functionality in apps starting with Android 13 (API target level 33). 

USE_EXACT_ALARM is a restricted permission and apps must only declare this permission if their core functionality supports the need for an exact alarm. Apps that request this restricted permission are subject to review, and those that do not meet the acceptable use case criteria will be disallowed from publishing on Google Play.

Acceptable use cases for using the Exact Alarm Permission

Your app must use the USE_EXACT_ALARM functionality only when your app’s core, user facing functionality requires precisely-timed actions, such as:

• The app is an alarm or timer app.
• The app is a calendar app that shows event notifications.

If you have a use case for exact alarm functionality that’s not covered above, you should evaluate if using SCHEDULE_EXACT_ALARM as an alternative is an option.

Impersonation

Here are some examples of common violations:

• Developers that falsely imply a relationship to another company / developer / entity / organization.

  

  ① The developer name listed for this app suggests an official relationship with Google, even though such a relationship doesn’t exist.

• Apps whose icons and titles are falsely implying a relationship with another company / developer / entity / organization.
  

  ①The app is using a national emblem and misleading users into believing it is affiliated with government.
  ②The app is copying the logo of a business entity to falsely suggest it is an official app of the business.

• App titles and icons that are so similar to those of existing products or services that users may be misled.

  
  
  ①The app is using the logo of a popular cryptocurrency website in its app icon to suggest it is the official website.
  ②The app is copying the character and title of a famous TV show in its app icon and misleading users to think that it is affiliated with a TV show.

• Apps that falsely claim to be the official app of an established entity. Titles like “Justin Bieber Official” are not allowed without the necessary permissions or rights.

• Apps that violate the Android Brand Guidelines.

Health Misinformation

Here are some examples of common violations:

• Misleading claims about vaccines, such as that vaccines can alter one’s DNA.
• Advocacy of harmful, unapproved treatments.
• Advocacy of other harmful health practices, such as conversion therapy.

Subscription Management, Cancellation & Refunds

If you sell subscriptions in your app(s), you must ensure that your app(s) clearly disclose how a user can manage or cancel their subscription. You must also include in your app access to an easy-to-use, online method to cancel the subscription. In your app’s account settings (or equivalent page), you can satisfy this requirement by including:

• A link to Google Play’s Subscription Center (for apps that use Google Play’s billing system); and/or
• direct access to your cancellation process.

If a user cancels a subscription purchased through Google Play’s billing system, our general policy is that the user will not receive a refund for the current billing period, but will continue to receive their subscription content for the remainder of the current billing period, regardless of the cancellation date. The user's cancellation goes into effect after the current billing period has passed.

You (as the content or access provider) may implement a more flexible refund policy with your users directly. It is your responsibility to notify your users of any changes to your subscription, cancellation and refund policies and ensure that the policies comply with applicable law.

Families Self-Certified Ads SDK Program

If you serve ads in your app, and the target audience for your app only includes children as described in the Families Policy, then you must only use ads SDKs that have self-certified compliance with Google Play policies, including the Ads SDK Self-Certification Requirements below.

If the target audience for your app includes both children and older users, you must make sure that ads shown to children come exclusively from one of these self-certified ads SDKs (for example, through use of neutral age screening measures). Apps in the Designed for Families program are required to only use self-certified ads SDKs.

Note that it is your responsibility to ensure that all SDK versions you implement in your app, including Self-Certified Ads SDKs, are compliant with all applicable policies, local laws, and regulations. Google does not provide any representations or guarantees as to the accuracy of the information the ads SDKs provide during the self-certification process.

The use of Families self-certified ads SDKs is only required if you are using ads SDKs to serve ads to children. The following are permitted without an ad SDK's self-certification with Google Play, however, you are still responsible for ensuring your ad content and data collection practices are compliant with Google Play's User Data Policy and Families Policy:

• In-House Advertising whereby you use SDKs to manage cross promotion of your apps or other owned media and merchandising.
• Entering into direct deals with advertisers whereby you use SDKs for inventory management.

Families Self-Certified Ads SDK Requirements

• Define what are objectionable ad content and behaviors and prohibit them in the ads SDK's terms or policies. The definitions should comply with Google Play Developer Program Policies.
• Create a method to rate your ad creatives according to age appropriate groups. Age appropriate groups must at least include groups for Everyone and Mature. The rating methodology must align with the methodology that Google supplies to SDKs once they have filled out the interest form below.
• Allow publishers, on a per-request or per-app basis, to request child-directed treatment for ad serving. Such treatment must be in compliance with applicable laws and regulations, such as the US Children's Online Privacy and Protection Act (COPPA) and the EU General Data Protection Regulation (GDPR). Google Play requires ads SDKs to disable personalized ads, interest based advertising, and remarketing as part of the child-directed treatment.
• Allow publishers to select ad formats that are compliant with Google Play's Families Ads and Monetization policy, and meet the requirement of the Teacher Approved program. 
• Ensure that when real-time bidding is used to serve ads to children, the creatives have been reviewed and privacy indicators are propagated to the bidders.
• Provide Google with sufficient information, such as submitting a test app and the information indicated in the interest form below, to verify the ads SDK's policy compliance with all self-certification requirements and respond in a timely manner to any subsequent requests for information, such as submitting new version releases to verify the ads SDK version’s compliance with all self-certification requirements.
• Self-certify that all new version releases are compliant with the latest Google Play Developer Program Policies, including Families Policy Requirements.

Note: Families Self-Certified Ads SDKs must support ad serving that complies with all relevant statutes and regulations concerning children that may apply to their publishers.

Here are mediation requirements for serving platforms when serving ads to children:

• Only use Families Self-Certified Ads SDKs or implement safeguards necessary to ensure that all ads served from mediation comply with these requirements; and
• Pass information necessary to mediation platforms to indicate the ad content rating and any applicable child-directed treatment.

Developers can find a list of Families Self-Certified Ads SDKs here.

Also, developers can share this interest form with ads SDKs who wish to self-certify.

Ads and Monetization

If you’re monetizing an app that targets children on Google Play, it’s important that your app follows the following Families Ads and Monetization Policy Requirements.

The policies below apply to all monetization and advertising in your app, including ads, cross-promotions (for your apps and third party apps), offers for in-app purchases, or any other commercial content (such as paid product placement). All monetization and advertising in these apps must comply with all applicable laws and regulations (including any relevant self-regulatory or industry guidelines).

Google Play reserves the right to reject, remove or suspend apps for overly aggressive commercial tactics.

Format requirements

Monetization and advertising in your app must not have deceptive content or be designed in a way that will result in inadvertent clicks from child users. The following are prohibited:

• Disruptive monetization and advertising, including monetization and advertising that take up the entire screen or interfere with normal use and do not provide a clear means to dismiss the ad (for example, Ad walls).
• Monetization and advertising that interfere with normal app use or game play that are not closeable after 5 seconds.
• Monetization and advertising that do not interfere with normal app use or game play may persist for more than 5 seconds (for example, video content with integrated ads).  
• Interstitial monetization and advertising displayed immediately upon app launch.
• Multiple ad placements on a page (for example, banner ads that show multiple offers in one placement or displaying more than one banner or video ad is not allowed).
• Monetization and advertising that are not clearly distinguishable from your app content.
• Use of shocking or emotionally manipulative tactics to encourage ads viewing or in-app purchases.
• Not providing a distinction between the use of virtual game coins versus real-life money to make in-app purchases.

Ads SDKs

If you serve ads in your app and your target audience only includes children, then you must use only Families self-certified ads SDKs. If the target audience for your app includes both children and older users, you must implement age screening measures, such as a neutral age screen, and make sure that ads shown to children come exclusively from Families self-certified ads SDKs. Apps in the Designed for Families program are required to only use self-certified ad SDKs.

Please refer to the Families Self-Certified Ads SDK Program policy page for more details on these requirements and to see the current list of self-certified ads SDKs.

If you use AdMob, refer to the AdMob Help Center for more details on their products.

It is your responsibility to ensure your app satisfies all requirements concerning advertisements, in-app purchases, and commercial content. Contact your ads SDK provider(s) to learn more about their content policies and advertising practices.

In-app purchases

Google Play will re-authenticate all users prior to any in-app purchases in apps participating in the Designed for Families program. This measure is to help ensure that the financially responsible party, and not children, are approving purchases.

Stalkerware

Code that collects personal or sensitive user data from a device and transmits the data to a third party (enterprise or another individual) for monitoring purposes.

Apps must provide adequate prominent disclosure and obtain consent as required by the User Data policy.

Guidelines for Monitoring Applications

Apps exclusively designed and marketed for monitoring another individual, for example parents to monitor their children or enterprise management for the monitoring of individual employees, provided they fully comply with the requirements described below are the only acceptable monitoring apps. These apps cannot be used to track anyone else (a spouse, for example) even with their knowledge and permission, regardless if persistent notification is displayed. These apps must use the IsMonitoringTool metadata flag in their manifest file to appropriately designate themselves as monitoring apps.

Monitoring apps must comply with these requirements:

• Apps must not present themselves as a spying or secret surveillance solution.
• Apps must not hide or cloak tracking behavior or attempt to mislead users about such functionality.
• Apps must present users with a persistent notification at all times when the app is running and a unique icon that clearly identifies the app.
• Apps must disclose monitoring or tracking functionality in the Google Play store description.
• Apps and app listings on Google Play must not provide any means to activate or access functionality that violate these terms, such as linking to a non-compliant APK hosted outside Google Play.
• Apps must comply with any applicable laws. You are solely responsible for determining the legality of your app in its targeted locale.

Child Endangerment

Apps that do not prohibit users from creating, uploading, or distributing content that facilitates the exploitation or abuse of children will be subject to immediate removal from Google Play. This includes all child sexual abuse materials. To report content on a Google product that may exploit a child, click Report abuse. If you find content elsewhere on the internet, please contact the appropriate agency in your country directly. 

We prohibit the use of apps to endanger children. This includes but is not limited to use of apps to promote predatory behavior towards children, such as:

• Inappropriate interaction targeted at a child (for example, groping or caressing).
• Child grooming (for example, befriending a child online to facilitate, either online or offline, sexual contact and/or exchanging sexual imagery with that child).
• Sexualization of a minor (for example, imagery that depicts, encourages or promotes the sexual abuse of children or the portrayal of children in a manner that could result in the sexual exploitation of children).
• Sextortion (for example, threatening or blackmailing a child by using real or alleged access to a child’s intimate images).
• Trafficking of a child (for example, advertising or solicitation of a child for commercial sexual exploitation).

We will take appropriate action, which may include reporting to the National Center for Missing & Exploited Children, if we become aware of content with child sexual abuse materials. If you believe a child is in danger of or has been subject to abuse, exploitation, or trafficking, please contact your local law enforcement and contact a child safety organization listed here.

In addition, apps that appeal to children but contain adult themes are not allowed, including but not limited to:

• Apps with excessive violence, blood, and gore.
• Apps that depict or encourage harmful and dangerous activities.

We also don’t allow apps that promote negative body or self image including apps that depict for entertainment purposes plastic surgery, weight loss, and other cosmetic adjustments to a person's physical appearance.

Families Policy Requirements

If one of the target audiences for your app is children, you must comply with the following requirements. Failure to satisfy these requirements may result in app removal or suspension.

1. App content: Your app's content that is accessible to children must be appropriate for children. If your app contains content that is not globally appropriate, but that content is deemed appropriate for child users in a particular region, the app may be available in that region (limited regions) but will remain unavailable in other regions.
2. App functionality: Your app must not merely provide a webview of a website or have a primary purpose of driving affiliate traffic to a website, regardless of ownership of the website. 
   • We are constantly exploring ways to enable new experiences for kids app developers. If you are interested in joining our Trusted Web App pilot for education apps, please submit your interest here.
3. Play Console answers: You must accurately answer the questions in the Play Console regarding your app and update those answers to accurately reflect any changes to your app. This includes but is not limited to, accurately disclosing your app’s interactive elements on the Content Rating Questionnaire, such as:
   • Your app's users can interact or exchange information;
   • Your app shares user-provided information with third parties; and
   • Your app shares the user’s physical location with other users.
4. Ads: If your app displays ads to children or to users of unknown age, you must:
   • Only use Google Play certified ad SDKs to display ads to those users;
   • Ensure ads displayed to those users do not involve interest-based advertising (advertising targeted at individual users who have certain characteristics based on their online browsing behavior) or remarketing (advertising targeted at individual users based on previous interaction with an app or website); 
   • Ensure ads displayed to those users present content that is appropriate for children;
   • Ensure ads displayed to those users follow the Families ad format requirements; and
   • Ensure compliance with all applicable legal regulations and industry standards relating to advertising to children.
5. Data practices: You must disclose the collection of any personal and sensitive information from children in your app, including through APIs and SDKs called or used in your app. Sensitive information from children includes, but is not limited to, authentication information, microphone and camera sensor data, device data, Android ID, and ad usage data. You must also ensure that your app follows the data practices below:
   • Apps that solely target children must not transmit Android advertising identifier (AAID), SIM Serial, Build Serial, BSSID, MAC, SSID, IMEI, and/or IMSI.
   • Apps that target both children and older audiences must not transmit AAID, SIM Serial, Build Serial, BSSID, MAC, SSID, IMEI, and/or IMSI from children or users of unknown age.
   • Device phone number must not be requested from TelephonyManager of the Android API.
   • Apps that solely target children may not request location permission, or collect, use, and transmit precise location.
   • Apps must use the Companion Device Manager (CDM) when requesting Bluetooth, unless your app is only targeting device Operating System (OS) versions that are not compatible with CDM.
6. APIs and SDKs: You must ensure that your app properly implements any APIs and SDKs.
   • Apps that solely target children must not contain any APIs or SDKs that are not approved for use in primarily child-directed services. This includes, Google Sign-In (or any other Google API Service that accesses data associated with a Google Account), Google Play Games Services, and any other API Service using OAuth technology for authentication and authorization.
   • Apps that target both children and older audiences must not implement APIs or SDKs that are not approved for use in child-directed services unless they are used behind a neutral age screen or implemented in a way that does not result in the collection of data from children. Apps that target both children and older audiences must not require users to sign-in or access app content through an API or SDK that is not approved for use in child-directed services. 
7. Augmented Reality (AR): If your app uses Augmented Reality, you must include a safety warning immediately upon launch of the AR section. The warning should contain the following:
   • An appropriate message about the importance of parental supervision.
   • A reminder to be aware of physical hazards in the real world (e.g., be aware of your surroundings).
   • Your app must not require the usage of a device that is advised not to be used by children. (e.g., Daydream, Oculus).
8. Social Apps & Features: If your apps allows users to share or exchange information, you must accurately disclose these features in the content rating questionnaire on the Play Console. 
   • Social Apps: A social app is  an app where the main focus is to enable users to share freeform content or communicate with large groups of people. All social apps that include children in their target audience must provide an in-app reminder to be safe online and to be aware of the real world risk of online interaction before allowing child users to exchange freeform media or information. You must also require adult action before allowing child users to exchange personal information. 
   • Social Features: A social feature is any additional app functionality that enables users to share freeform content or communicate with large groups of people. Any app that includes children in their target audience and has social features, must provide an in-app reminder to be safe online and to be aware of the real world risk of online interaction before allowing child users to exchange freeform media or information. You must also provide a method for adults to manage social features for child users, including, but not limited to, enabling/disabling the social feature or selecting different levels of functionality. Finally, you must require adult action before enabling features that allow children to exchange personal information. 
   • Adult action means a mechanism to verify that the  user is not a child and does not encourage children to falsify their age to gain access to areas of your app that are designed for adults (i.e. an adult PIN, password, birthdate, email verification, photo ID, credit card, or SSN).
   • Social apps where the main focus of the app is to chat with people they do not know must not target children. Examples include: chat roulette style apps, dating apps, kids-focused open chat rooms, etc.
9. Legal compliance: You must ensure that your app, including any APIs or SDKs that your app calls or uses, is compliant with the U.S. Children's Online Privacy and Protection Act (COPPA), E.U. General Data Protection Regulation (GDPR), and any other applicable laws or regulations.

Health Content and Services

We don't allow apps that expose users to harmful health content and services. 

If your app contains or promotes health content and services, you must ensure your app is compliant with any applicable laws and regulations.

Prescription Drugs

Unapproved Substances

Here are some examples of common violations:

• All items on this non-exhaustive list of prohibited pharmaceuticals and supplements.

• Products that contain ephedra.

• Products containing human chorionic gonadotropin (hCG) in relation to weight loss or weight control, or when promoted in conjunction with anabolic steroids.

• Herbal and dietary supplements with active pharmaceutical or dangerous ingredients.

• False or misleading health claims, including claims implying that a product is as effective as prescription drugs or controlled substances.

• Non-government approved products that are marketed in a way that implies that they're safe or effective for use in preventing, curing, or treating a particular disease or ailment.

• Products that have been subject to any government or regulatory action or warning.

• Products with names that are confusingly similar to an unapproved pharmaceutical or supplement or controlled substance.

Health Misinformation

Here are some examples of common violations:

• Misleading claims about vaccines, such as that vaccines can alter one’s DNA.
• Advocacy of harmful, unapproved treatments.
• Advocacy of other harmful health practices, such as conversion therapy.

COVID-19 Restrictions

Medical Functionalities

Payments - Clinical Services

Health Connect Data

Illegal Activities

Here are some examples of common violations:

• Facilitating the sale or purchase of illegal drugs.
• Depicting or encouraging the use or sale of drugs, alcohol, or tobacco by minors.
• Instructions for growing or manufacturing illegal drugs.

We don’t allow apps that contain false or misleading information or claims, including in the description, title, icon, and screenshots.

Here are some examples of common violations:

• Apps that misrepresent or do not accurately and clearly describe their functionality:
  • An app that claims to be a racing game in its description and screenshots, but is actually a puzzle block game using a picture of a car.
  • An app that claims to be an antivirus app, but only contains a text guide explaining how to remove viruses.
• Apps that claim functionalities that are not possible to implement, such as insect repellent apps, even if it is represented as a prank, fake, joke, etc.
• Apps that are improperly categorized, including but not limited to the app rating or app category.
• Apps that falsely claim affiliation with a government entity or to provide or facilitate government services for which they are not properly authorized.
• Apps that falsely claim to be the official app of an established entity. Titles like “Justin Bieber Official” are not allowed without the necessary permissions or rights.

(1) This app features medical or health-related claims (Cure Cancer) that is misleading.
(2) This apps claim functionalities that are not possible to implement (using your phone) as a breathalyzer.

Inappropriate Ads

Here are some examples of common violations:

① This ad is inappropriate (Teen) for the content rating of the app (Everyone)
② This ad is inappropriate (Mature) for the content rating of the app (Teen)
③ The offer of the ad (promoting the download of a Mature app) is inappropriate for the content rating of the game app in which the ad was displayed (Everyone)

We don’t allow apps that display interstitial ads repeatedly to distract users from interacting with an app and performing in-app tasks.

We don't allow apps that capitalize on or are insensitive toward a sensitive event with significant social, cultural, or political impact, such as civil emergencies, natural disasters, public health emergencies, conflicts, deaths, or other tragic events. Apps with content related to a sensitive event are generally allowed if that content has EDSA (Educational, Documentary, Scientific, or Artistic) value or intends to alert users to or raise awareness for the sensitive event.