So I have an app generated with GeneXus in the Play Store and I received the following e-mail from the store:
[...] Policy issue: Google Play requires developers to provide a valid privacy policy when the app requests or handles sensitive user or device information. Your app requests sensitive permissions (e.g. camera, microphone, accounts, contacts, or phone) or user data, but does not include a valid privacy policy. [...]
So I went to the Developer Console and found this in the privacy police section (translated from portuguese):
Your app have an APK with the version code 40 thar require these permissions: android.permission.READ_PHONE_STATE. Using these permissions in an APK require a privacy police.
So my question is: What am I using in GeneXus that needs this permission? I get the NetworkId from the ClientInformation object, is it?
Yes, that is precisely the reason. The Android method that obtains the IMEI number (and that GeneXus applications call to obtain it) needs the READ_PHONE_STATE permission to execute. This is understandable, as it's considered private information.
Following Android's Best Practices for Unique Identifiers I would suggest using the ClientInformation.Id property instead. As a bonus, it doesn't persist over device wipes, which in 99% of cases is the intended behavior (unless the app is only installed in controlled devices, which doesn't seem to be the case if it's published in the Play Store).
If you decide to go this route, just remember to reset the Send Device Information on Requests property to false.
(Note: the property name has been/will be changed to Include Network Id in Client Information as of GeneXus 15 U3, since the old name was prone to confusion).