Privacy-First Access Patterns Now Mandatory on Google Play
Google Play is requiring all apps targeting Android 17 and above to implement privacy-preserving interfaces for contact and location data. Apps that request contacts for features like sharing or inviting must now use the Android Contact Picker or similar privacy-focused alternatives. Full READ_CONTACTS access will be restricted to apps that cannot function without it, and developers will need to submit a declaration justifying this need.
For location data, apps performing discrete, temporary actions, such as finding a nearby store or tagging a photo, must implement the new streamlined location button. This one-tap interface replaces complex permission dialogs and gives users clearer control over how much information they share. Apps requiring persistent, always-on precise location must file a Play Developer Declaration explaining why the new button or coarse location does not suffice.
To ease the transition, Android Studio will surface Play policy insights by October 2026, helping developers proactively identify if their app should adopt these features. Pre-review checks in Play Console, available starting October 27, will flag potential compliance issues before submission, reducing rejection friction.
Content Moderation Enforcement Accelerates Across Both Platforms
Apple's threat to remove the Grok app over nonconsensual sexualized deepfakes illustrates how platform policy enforcement is intensifying around harmful AI-generated content. After U.S. senators urged action, Apple privately demanded that xAI submit a content moderation plan. The company rejected an initial fix as insufficient, warning that Grok would be pulled unless further changes were made. Only after additional back-and-forth did Apple approve a revised submission.
This enforcement pattern is visible across content categories. Apple removed the Freecash app after months of data harvesting and misleading marketing, despite the app reaching the number two position on U.S. App Store charts in January 2026. The app promised users up to $35 per hour for watching TikTok content but was instead collecting sensitive data (race, religion, health, biometrics) and pushing users to install mobile games for tiny payouts. Apple cited violations of guidelines prohibiting scam practices and misleading marketing. The app had been downloaded 5.5 million times across both stores in January alone.
Similarly, a Tech Transparency Project report found that both Apple and Google were directing users toward "nudify" apps (tools that create non-consensual sexual images) through autocomplete and search results. The group identified 18 apps on the App Store and 20 on Google Play, with a combined 483 million downloads and $122 million in revenue. Some were rated "E" for Everyone, making them accessible to children. Apple removed 15 apps after the report surfaced, but the underlying issue persists: new violating apps reappear within months of removal.
Authentication and Demo Account Requirements Clarified
Developers integrating third-party authentication methods (Google Sign-In, Apple Sign-In) continue to navigate app review requirements around demo accounts for testing. While the guidelines require full access during review, the specifics of providing demo credentials for OAuth-based flows remain a common question. Developers must ensure that review teams can access account-based features without friction, but are not required to implement a separate username/password system solely for review purposes. Providing a demo Google or Apple account is permissible, though some developers opt for a dedicated demo mode to simplify the process.
Official Account Transfer Feature Reduces Fraud Risk
Google Play is launching an official account transfer feature in Play Console to secure ownership changes during business sales and mergers. Starting May 27, all account ownership transfers must use this feature. Unofficial transfers (sharing login credentials or buying/selling accounts on third-party marketplaces) will no longer be permitted. Every transfer will include a mandatory seven-day cool-down period, giving teams time to cancel unauthorized takeover attempts.
What to Do Now
Developers should begin auditing contact and location usage in apps targeting Android 17. If your app requests contacts for sharing or invites, migrate to Contact Picker and remove READ_CONTACTS. If precise location is used for one-time actions, implement the location button. For persistent access requirements, prepare to file a Play Developer Declaration before October.
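As a starting point for that audit, the following added example (not code from Google or from the original article) scans an AndroidManifest.xml for the contact and location permissions discussed above and attaches the article's recommended action to each. The sample manifest is constructed, and treating ACCESS_BACKGROUND_LOCATION as the marker for "persistent" location is this example's assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
PREFIX = "android.permission."

# Actions paraphrased from the article; the permission-to-action mapping
# is an assumption made for this example.
ADVICE = {
    "READ_CONTACTS": "migrate sharing/invite flows to Contact Picker, or prepare a declaration",
    "ACCESS_FINE_LOCATION": "use the location button for one-time actions, or coarse location",
    "ACCESS_BACKGROUND_LOCATION": "persistent access: prepare a Play Developer Declaration",
}

# Constructed sample manifest, embedded so the example runs offline.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"
                   android:maxSdkVersion="33"/>
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
</manifest>
"""

def audit_manifest(xml_text):
    """Return one finding per contact/location permission the manifest requests."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    for el in root.iter():
        # Both element forms declare a permission request.
        if el.tag not in ("uses-permission", "uses-permission-sdk-23"):
            continue
        name = el.get(f"{{{ANDROID_NS}}}name", "")
        short = name[len(PREFIX):] if name.startswith(PREFIX) else name
        if short not in ADVICE:
            continue
        # maxSdkVersion caps the request to older OS releases; report it so the
        # reviewer can tell whether the permission is still requested on new targets.
        max_sdk = el.get(f"{{{ANDROID_NS}}}maxSdkVersion")
        findings.append({
            "permission": short,
            "max_sdk": int(max_sdk) if max_sdk else None,
            "advice": ADVICE[short],
        })
    return findings

if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST):
        cap = f" (maxSdkVersion={f['max_sdk']})" if f["max_sdk"] else ""
        print(f"{f['permission']}{cap}: {f['advice']}")
```

Run it against the merged manifest of a release build rather than the source manifest, since libraries can contribute permissions of their own.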
On the content moderation front, review how user-generated content is surfaced in your app. Ensure that filtering, reporting, and blocking mechanisms are robust and that age-gating is enforced for content exceeding the app's rating. Apps that rely on generative AI for content creation should implement safeguards against nonconsensual or exploitative outputs. App store policy enforcement is no longer deferential to high-traffic apps: chart position does not protect apps that violate guidelines.
For apps using third-party authentication, confirm that your app review workflow includes a functioning demo account or demo mode with full feature access. Reviewers must be able to test all account-based functionality without friction.
Finally, if you are planning ownership changes, begin using the official account transfer feature in Play Console. The seven-day cool-down is designed to protect your business, but it also means transfers cannot happen instantly, so plan accordingly.