Apple is not the only one accused of bringing competitive solutions out of its app store. Google has been doing the same thing – at least for over a month – and therefore claims the maker of parental control apps, Boomerang. The company's product competes with Google's own Family Link solution to control screen time and children's use of mobile devices. The company claims Google has repeatedly removed its application from the Play Store to address a number of issues, including violations of Google's "Deceptive Behavior Policy" related to the inability of users to simply remove the application from their Android -Remove device.
The problem itself is complicated and an indication of how bad developer communication processes can aggravate an existing problem, causing developers to complain about anti-competitive behavior.
Like Apple, Google has a number of rules that developers must agree to before they can publish apps to the Google Play Store. The difficulty is that these rules are often enforced arbitrarily or unevenly, requests for objections without answers or automated answers are answered, and ultimately there is no way for a developer to reach a person and have a real discussion.
You may recall a similar situation where screen time apps met a group of screen time app makers last year. Shortly after Apple launched its own Screen Time solution for iOS 12, Apple suddenly removed a variety of third-party screen time and parental controls apps. The company's move was raised during last week's Congress antitrust hearings, which Apple CEO Tim Cook insisted Apple's decision was based on the risk to users' privacy and security that these apps caused.
The Boomerang case is not that different. A developer is kicked out of the Play Store and doesn't seem to have a way to escalate the appeal to an actual person to further discuss the nuances of the situation.
The boomerang ban
First of all, let's acknowledge that it makes sense for the Play Store to have a policy against apps that are difficult to uninstall, as this would enable a variety of malware, spam, and spyware applications and torture users.
However, in the case of a parental control solution, parents do not want their children to be able to simply uninstall the program. In fact, Boomerang added the feature based on parent feedback.
Google itself places its Family Link controls behind a PIN code for parents and asks parents to log in to their Google account, for example to remove the child's account from a device.
The Boomerang app required a similar approach. In "higher-level mode", parents switch a switch in the app's settings that says "prevent app uninstallation" in order not to remove the protection on the subordinate device.
Despite the obvious intended use case, Boomerang has repeatedly labeled the app as app cannot be uninstalled during the app review process of the Play Store when submitting updates and bug fixes.
This started on May 8, 2020 and took over a month to resolve. Developer Justin Payeur submitted the first appeal on May 11 to test whether the ban had just been triggered by Google's "App Review Robots". On May 13, the app was re-approved without a human response or response to the complaint sent to Google.
But on June 30, Boomerang was marked again for the same reason: "App cannot be uninstalled." Payeur lodged a second complaint, stating that the feature is not enabled by default. It can be used by parents if they so choose.
On July 6, Boomerang had to inform users of the problem because they were increasingly frustrated and could not find the app on Google Play. In a customer email with no words crushed, Boomerang wrote: "Google has gotten angry." Complaints from users said that it would not be worth using the app if it did not offer the "prevent uninstall" feature.
On July 8, Boomerang received a response from Google with further information, stating that Google does not allow apps that change the device settings or functions of the user outside the app without the user's knowledge or consent. In particular, the app's use of the "Google Accessibility Services API" was cited in a manner that violated the Play Store regulations. Google said the app would not be approved until features were removed that prevented a user from removing or uninstalling the app from their device.
Although this requirement is based on user security, it puts child-protection apps at a disadvantage compared to Google's own Family Link offer. As Google’s help documentation shows, parents must enter a passcode to remove a child’s account from an Android device. This cannot simply be uninstalled by the end user (the child).
Boomerang received a second notification of violations later that day after the app was changed to make it explicitly clear to the end user (the child) that the device administrator (a parent) would have permission to control the device, which mimicked other apps Boomerang said they're still active on Google Play.
After two more days with no response from the appeal team, Boomerang asked for a call to discuss the situation. Google sent a short email saying that the two active appeals were merged into one, but no further information on the appeal was provided.
On July 13, Boomerang was informed that Google was still testing the app. The company replied again to explain why a parental control app would have such a function. On the same day, Boomerang was notified that older versions of its app were rejected in its internal test area in the Play Console. These versions were never released live, the company says. The rejections showed that Boomerang worsened device security with its app.
The next day, Boomerang informed its user base that the desired feature may need to be removed and emailed Google again to indicate that the app now contains clear consent.
Although Google made no changes, it informed Boomerang on July 16 that this violated the "Elevated Abuse of Permissions" section of the Google Play Malware Policy. On July 19, the company removed the additional app protection feature and on July 21, Google rejected the app again for the same violation – via a feature that has now been removed.
Despite repeated emails, Boomerang did not receive a message from Google until an automatic email arrived on July 24th. Again, Google did not respond to the emails in which Payeur explained that the infringing function has now been removed. Repeated emails up to July 30 were also not answered.
theinformationsuperhighway, after learning about Boomerang's problems, asked Google on July 27 to explain his reasoning.
After some follow-up, theinformationsuperhighway announced on August 3 that the issues with Boomerang – as later emails to Boomerang said – were related to how the app implemented its features. Google does not allow apps to abuse abused rights. Apps must not abuse the Android Accessibility APIs to interfere with basic operations on a device.
Google also said that apps do not allow the same mechanism as Boomerang to be used, including that of Google. (Of course, Google's own apps have the advantage of extensive integration into the Android operating system. For example, developers cannot access a kind of "Family Link API" to get a similar way of controlling a child's device.)
"We recognize the value of surveillance apps in different contexts, and developers are free to create this experience with reasonable security measures," said a Google spokesman.
In general, Boomerang's experience is similar to that of iOS parental controls apps last year. Like these apps, Boomerang also came across a security measure designed to protect an entire app store from abusive software. However, the blanket rule leaves no scope for exceptions. Google meanwhile argues that the security of the operating system should not be "circumvented" in this way. At the same time, however, it does not offer any official options for interacting with the operating system and its own functions for screen time / parental controls. Instead, alternative screen time apps need to find ways to hack the system to make it exist, even though consumer demand for its offerings is clear.
The special case of Boomerang also shows the complexity associated with a company living or dying according to the whims of an app review process.
It's easy to argue that the developer should have simply removed the feature and continued, but the developer seemed to think that the feature would be fine – as evidenced by previous approvals and the approval received in at least one of his appeals . It also gives the developer an incentive to fight for the feature because users wanted it – or rather, what they asked for to make the app worth paying for.
Had someone from Google just picked up the phone and told Boomerang what was wrong and what alternative methods would be acceptable, the case might not have been so long. In the meantime, Boomerang has likely lost the trust of its users, and its removal has definitely had an impact on the business in the short term.
Payeur, who reached for a follow-up, was still frustrated, although the app has now been approved for distribution in the Play Store again.
"It took Google over a month to give us this feedback," he said, referring to the prohibited API usage, which was the real problem. "We are currently digesting this," he said, adding how difficult it is to be unable to speak to the Google teams in order to achieve proper communicationand feedback in the past few weeks.
Boomerang has started collecting the names of other similarly affected apps like Filter Chrome, Minder Parental Control and Netsanity. The company says other apps can get in touch privately if they prefer.