For developers building finance-related mobile apps and pen testers planning to conduct VAPT, we have compiled some Philippine and mobile app-specific security and privacy requirements that should be present and validated. This page will be constantly updated. You can bookmark it for reference. (Updated Feb 27, 2024)

Google Play Store

Account Deletion Policy

Google Play's account deletion policy requires that when users delete their accounts, their data is promptly removed from your app's servers. Proper handling of user data is essential to protect privacy and to meet regulatory requirements.

Migrating from SafetyNet Attestation to Play Integrity API

Developers need to transition their apps to use the Play Integrity API for enhanced security and fraud prevention.

Photo and Video Permissions

Apps may only access photos and videos that are directly related to their functionality.

App Updates

App updates must use Play Billing Library 5 or later.

Register the App as Finance-Related in Play Console

You must fill out a financial feature declaration form in the Play Console for every app that contains any financial features.

Verbatim from Google Support:

Personal Loans

Apps that provide personal loans, including but not limited to apps which offer loans directly, lead generators, and those who connect consumers with third-party lenders, must have the App Category set to “Finance” in Play Console and disclose the following information in the app metadata:

  • Minimum and maximum period for repayment
  • Maximum Annual Percentage Rate (APR), which generally includes interest rate plus fees and other costs for a year, or similar other rate calculated consistently with local law
  • A representative example of the total cost of the loan, including the principal and all applicable fees
  • A privacy policy that comprehensively discloses the access, collection, use, and sharing of personal and sensitive user data, subject to the restrictions outlined in this policy

We do not allow apps that promote personal loans which require repayment in full in 60 days or less from the date the loan is issued (we refer to these as “short-term personal loans”).

We must be able to establish a connection between your developer account and any provided licenses or documentation proving your ability to service personal loans. Additional information or documents may be requested to confirm your account is in compliance with all local laws and regulations.

Personal loan apps or apps with the primary purpose of facilitating access to personal loans (for example, lead generators or facilitators) are prohibited from accessing sensitive data, such as photos and contacts. The following permissions are prohibited:

  • Read_external_storage
  • Read_media_images
  • Read_contacts
  • Access_fine_location
  • Read_phone_numbers
  • Read_media_videos
  • Query_all_packages
  • Write_external_storage

Apps that utilize sensitive information or APIs are subject to additional restrictions and requirements. Please see the Permissions policy for additional information.

Specific for the Philippines:

All financing and lending companies offering loans via Online Lending Platforms (OLP) must obtain a SEC Registration Number and the Certificate of Authority (CA) Number from the Philippines Securities and Exchanges Commission (PSEC).

In addition, you must disclose your Corporate Name, Business Name, PSEC Registration Number, and Certificate of Authority to Operate a Financing/Lending Company (CA) in your app’s description.

Apps engaged in lending-based crowdfunding activities, such as peer-to-peer (P2P) lending, or as defined under the Rules and Regulations Governing Crowdfunding (CF Rules), must process transactions through PSEC-Registered CF Intermediaries.
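As an added example (not from this page or from Google), the following Python check lets a VAPT tester flag any of the permissions Google prohibits for personal-loan apps in a decoded text AndroidManifest.xml (for instance the one produced by apktool); the sample manifest is constructed, and the policy's "Read_media_videos" is mapped to the actual manifest constant READ_MEDIA_VIDEO.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions Google Play prohibits for personal-loan apps (see the policy
# text above), written as the canonical Android manifest constants.
PROHIBITED_PERMISSIONS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_PHONE_NUMBERS",
    "android.permission.READ_MEDIA_VIDEO",   # policy text says Read_media_videos
    "android.permission.QUERY_ALL_PACKAGES",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Constructed sample manifest for a hypothetical loan app; not a real app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.loanapp">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES" />
    <application android:label="Loan App" />
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return every permission name declared through <uses-permission> or
    <uses-permission-sdk-23> in a decoded (text) AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            # android:name is namespaced, so look it up with the full URI.
            name = elem.get("{%s}name" % ANDROID_NS)
            if name:
                names.add(name)
    return names


def prohibited_in_manifest(manifest_xml):
    """Sorted list of declared permissions that the policy prohibits."""
    return sorted(declared_permissions(manifest_xml) & PROHIBITED_PERMISSIONS)


if __name__ == "__main__":
    for perm in prohibited_in_manifest(SAMPLE_MANIFEST):
        print("PROHIBITED:", perm)
```

Run it against the manifest of the app under test; an empty result means none of the listed permissions are declared, while any hit should be raised in the VAPT report as a Play policy finding.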

For privacy, these are the standards that can be followed:
