App Quality Control

[lberrymage]

Accrescent will have strict quality control for apps uploaded to its repository, mostly automated. This discussion is for suggesting specific app attributes we can check for to ensure we enforce a high level of security for Accrescent apps while still making it feasible for developers to meet our standards. Here is the current list of requirements:

Automatically checked:

• Apps must have v3 and v4 signatures
• New apps and app updates must target an SDK more than or equal to the Play Store's requirements ("soft requirement")
• Existing apps in Accrescent must target an SDK more than or equal to the "soft requirement" for new apps minus 1. For example, the Play Store currently requires new apps to target SDK 30, so existing apps would be removed if they targeted an SDK less than 29.
• Apps may not exceed 150 MB in size per device configuration
• App updates may not reuse previously published version codes

Manually reviewed:

• Use of the MANAGE_EXTERNAL_STORAGE permission
• Use of the QUERY_ALL_PACKAGES permission
• Use of permissioms in the Call Log permission group
• Use of permissions in the SMS permission group

This list will be updated as requirements are tentatively approved, but it is not considered final.

Things to look at:

• Enforcing android:usesCleartextTraffic is not set to "true"
  Are there significant legitimate use cases for it? If so, are we willing to subject this to manual review?
• Invasive permissions
  Should any permissions be blacklisted? Are there any that are unnecessary for apps not updating themselves? Are there any deprecated permissions applicable to our current min target SDK(s)? Which permissions are only applicable to system apps?

[Wonderfall]

Invasive permissions

There should definitely be some kind of manual review when the MANAGE_EXTERNAL_STORAGE permission is asked, which apps can still use to opt out of scoped storage. It should only be reserved for legitimate use (like a file explorer).

Also:
https://support.google.com/googleplay/android-developer/answer/10467955?hl=en
https://support.google.com/googleplay/android-developer/answer/9888170

[lberrymage]

Agreed. We'll need to look at those links and make a review checklist of our own that's clearly communicated to developers through the future doc site. For now I'll add MANAGE_EXTERNAL_STORAGE to the "manual review" section, but I'll make a note to look through the ones mentioned in that second link as I have time.

Thanks for the suggestion!

[flawedworld]

Apps not meeting the requirements should be delisted after extended periods of time.

[ghost]

Apps requiring special, dangerous, or highly identifiable permissions like Phone, full file access, drawing over apps permission (NOT Picture-in-Picture), SMS, or other ones like ANSWER_PHONE_CALLS should require explanations and shown use-cases for the app reviewer and explanations for the end user.