Issue: Violation of Permissions policy, Call Log Permission - permissions

I made an app where first it reads the call logs and also requests for contacts to match the numbers to get contact images and display to the user within my application. After selecting any contact number, it opens that user's conversation to WhatsApp directly. I have also filled the declaration form. However, I received many rejection emails that call logs is not my core functionality and I should remove this feature from my mobile application.
As you can see that it is my core functionality to display the call logs and contacts to the user so that he can select to open it in WhatsApp Conversation Directly.
The permissions i declared in the manifiest file as shown below
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
xmlns:tools="http://schemas.android.com/tools"
package="com.crymzee.saveless_new">
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.READ_CONTACTS" />
<uses-permission android:name="android.permission.READ_PHONE_STATE"/>
<uses-permission android:name="android.permission.READ_CALL_LOG"/>
The Picture of Google Play rejection is added below
Is there any other way to get call logs or which use case matches my App functionality?
What functionalities in your app require SMS and Call Log permissions?
Default SMS handler
Default Phone handler
Default Assistant handler
Transactional backup and restore for users and archive for enterprise (time-limited/non-continuous)
Enterprise archive, CRM, and device management
Caller ID, spam detection, and blocking
Connected device companion apps (for example, smartwatch or automotive)
Cross-device synchronization or transfer of SMS or calls
SMS-based financial transactions and related activity where access is restricted to financial SMS transactions (for example, 5-digit messages)
SMS based money management
Proxy calls
Services - Carrier
Services - OEM
Device Automation
Physical safety / emergency alert apps (e.g., senior safety)
Call-based OTP account verification
Using SMS_CB_RECEIVED for customer communications (e.g., Smart Zone Cast service)
Write and Show Call History in Dialer
In-vehicle hands-free use or projected display
Anti-SMS Phishing

Related

What Does "GADDelayAppMeasurementInit" Delay?

When using Google Mobile Ads SDK and integrating User Messaging Platform SDK, Google offers to Delay App Measurement.
You can do this programmatically or by adding GADDelayAppMeasurementInit to the info.plist and setting the Bool to YES.
It states:
Google Mobile Ads SDK initializes app measurement and begins sending
user-level event data to Google immediately when the app starts. ...
However, if your app requires user consent before these events can be
sent, you can delay app measurement...
But what does it actually do? What metrics are delayed? Does this affect whether personalised or non-personalised ads are served after providing consent?
There doesn't appear to be any more information on this anywhere.
Thank you.

How could the app send a message to the phone when certain mission fulfilled?

I can use FCM console to send messages to all users or certain users at a certain time.
Now I want the app send a message to specified users when their in-game energy is full. How to realize it with FCM? And can I know the messages' sends, opens, conversions?
Sending a message to a user can only be done from a trusted environment, such as the Firebase console, or a place where you can trust that the code running is yours (such as your development machine, a server that you control, or something like Cloud Functions/Cloud Run).
For examples of how to send a message by calling FCM's API, see the documentation on building send requests, and this sample use-case of notifying the user when something interesting happens using Cloud Functions.

Developer payload (external data) in App Store server notifications

We are using server-to-server purchase notifications for Google Play and App Store mobile apps. User can pay for subscription in several ways: in web broswer (via third-party billing provider), in android application (via google play) and in ios/macos application (via app store). That is why we use custom user/subscription ids - it should be equal across all platforms/devices within single account.
Now, everhing went just fine with other billing providers until we came to App Store. We configured server side notification with callback at our server as we did it before. And now it turns out, that there is no user information in App Store receipt data. And it seems to be no way to pass that data from mobile application. For example, Google Play have so called "developer payload" field for this purposes, other providers also have possibility to add external data into server notification request. Is there any analog for App Store notifications?
Another question is about notifications itself. If there is no user information in the receipt - that means that there is no way to bind user id and receipt id data. Then what is the purpose of such notfications with external server scenario?

Should i backup GCM registration ID with google cloud?

Is it advised to backup GCM id using android cloud back up ? i am storing the GCM id in a sharedpreferences so i dont have to keep registering.
if i backup this GCM sharedpref and user changes devices do i need to update it to a new registration id ? Is the registration ID device specific ? What happens when user changes devices and backs up ?
I tried and read this from the docs:
You must exclude any device specific identifiers, either issued by a server or generated on the device. This includes the Google Cloud Messaging (GCM) registration token which, when restored to another device, can render your app on that device unable to receive GCM messages.
From the docs i found my answer that the reason this should not be done is that it can intrefer in the apps intialization of gcm and it will not try to get the GCM id if its already restored from a new device that restored a old registration id.
Handle Google Cloud Messaging
For apps that use Google Cloud Messaging (GCM) for push notifications,
backing up the registration token that Google Cloud Messaging
registration returned can cause unexpected behavior in notifications
for the restored app. This is because when a user installs your app on
a new device, the app must query the GCM API for a new registration
token. If the old registration is present, because the system had
backed it up and restored it, the app doesn't seek the new token. To
prevent this issue from arising, exclude the registration token from
the set of backed-up files.

HOLLER: Secure Payment over API & Titanium Studio

I am using Titanium studio to build an iphone mobile app, and I want to do the following
Send a user id using API to my server
Server processes payment for that user using the previous card on file
Server sends a success/failure response.
What is the most secure way to do this? I know if I just send the user id then anyone could hack.
Are you sure what your doing is allowed (roll-your-own Payments and credit cards in-app will generally get you rejected)
Make sure your app does not violate any of these guidelines:
11.1 Apps that unlock or enable additional features or functionality with mechanisms other than the App Store will be rejected
11.2 Apps utilizing a system other than the In App Purchase API (IAP) to purchase content, functionality, or services in an app will be
rejected
11.13 Apps that link to external mechanisms for purchases or subscriptions to be used in the app, such as a “buy” button that goes
to a web site to purchase a digital book, will be rejected
Check the latest App store review guidelines here : https://developer.apple.com/appstore/resources/approval/guidelines.html
Also refer to these SO questions for more information:
iPhone Paypal in UIWebView Appstore approval process
iOS - Integrating credit card payments
A more secure way to do this (if you pass all the above guidelines) would be to use a userid, password, and salt, encrypted either over https or SHA256. Note that you have to specify you use encryption if you go the second route, during the review process.
Here is a wikipedia article about Salt and Passwords that I used.
Here is a SHA256 library for JavaSCript that works great with Titanium and is simple to use.