Google is watching financial apps more closely

Since 2023, Google has progressively tightened its policies around financial services apps on the Play Store. Apps that handle payments, lending, insurance, or digital wallets face a higher bar for approval than standard apps. Google's automated scanning now checks for security misconfigurations, policy violations, and—increasingly—compliance with its Mobile App Security Assessment (MASA) framework.

For Nigerian fintechs, this is a double challenge. Many teams build fast to meet market demand, then hit a wall when the Play Store flags security issues they assumed were minor. We have helped several startups at Simpa Labs remediate rejections and pass re-review, and the patterns are consistent.

The most common rejection reasons

1. Missing or misconfigured network security

Google expects financial apps to enforce encrypted communications. The most frequent triggers are: missing network_security_config.xml, allowing cleartext HTTP traffic (even to a single domain), and not implementing certificate pinning for sensitive API endpoints.

The fix is straightforward: create a network security configuration that explicitly disables cleartext traffic, restricts trusted CAs, and pins certificates for your API domains. Apply it in your AndroidManifest.xml with the android:networkSecurityConfig attribute.

2. Unsafe WebView implementations

Many Nigerian fintech apps use WebViews for payment flows, KYC verification, or document viewing. Google flags WebViews that enable JavaScript without proper URL validation, load arbitrary URLs from untrusted sources, or expose JavaScript interfaces that bridge WebView content to native code.

An attacker who can control the URL loaded in an unsafe WebView can execute arbitrary JavaScript with access to native Android functions—effectively turning your app into a malware platform. Google knows this and scans for it aggressively.

3. Hardcoded credentials and secrets

Google's static analysis detects API keys, secret tokens, and credentials embedded in the app binary. This includes payment gateway secret keys, Firebase service account files, and database connection strings. Read our deep dive on how attackers extract hardcoded API keys to understand why this is a critical finding.

4. Insufficient data encryption

Financial apps are expected to encrypt sensitive data at rest. Storing user credentials, transaction data, or KYC information in SharedPreferences, plain SQLite, or unencrypted files will trigger rejection. Use Android Keystore-backed encryption and the EncryptedSharedPreferences API.

5. Missing permissions justification

Financial apps that request sensitive permissions (SMS, camera, location, accessibility service) without a clear, documented justification in the Play Console declaration will be rejected or flagged for manual review. Google specifically scrutinises SMS permissions in financial apps due to OTP interception abuse.

A pattern we see

The "debug build in production" mistake

Multiple Nigerian fintech teams have submitted APKs built with debug configurations—debug logging enabled, cleartext traffic allowed, debuggable flag set to true. These pass internal QA because the app "works," but Google's automated scanner flags every debug-mode artefact as a security violation. Always build release variants for submission and verify with aapt dump badging before uploading.

MASA: the new standard for financial apps

Google's MASA programme requires apps in the financial category to undergo independent security testing against the OWASP Mobile Application Security Verification Standard (MASVS). Testing is performed by authorised labs, and passing earns a security badge displayed on your Play Store listing.

While MASA is currently voluntary, Google is increasingly using it as a signal in its review process. Apps with MASA certification face fewer manual review cycles and smoother updates. For Nigerian fintechs targeting scale, MASA certification is becoming a competitive advantage, not just a compliance checkbox.

The MASVS categories tested in MASA align closely with what we cover in our mobile app pentest checklist: data storage, cryptography, authentication, network security, platform interaction, code quality, and resilience against reverse engineering.

Preparing for Google Play submission or MASA certification? Our mobile pentest covers every MASVS category and delivers a remediation report your engineers can act on immediately.


How to prepare before submission

Do not wait for Google to reject you. Run this pre-submission security check:
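As an added example (not the post's own checklist, and not Simpa Labs' tooling or Google's scanner), the POSIX shell script below runs the checks from reasons 1 and 5 and the debug-build pattern above against a decoded project tree. The two manifests, the package name com.example.wallet, the domain api.example.com and the pin value are constructed placeholders.

```shell
#!/bin/sh
# Added pre-submission check (example, not Simpa Labs' tooling or Google's scanner). It inspects a
# decoded project tree and returns the number of findings, each mapped to a rejection reason above.
check_app() {
  dir="$1"; m="$dir/AndroidManifest.xml"; nsc="$dir/res/xml/network_security_config.xml"; n=0
  # "Debug build in production": debuggable flag and manifest-level cleartext
  grep -q 'android:debuggable="true"' "$m" && { echo "debuggable=true in manifest"; n=$((n+1)); }
  grep -q 'android:usesCleartextTraffic="true"' "$m" && { echo "cleartext allowed in manifest"; n=$((n+1)); }
  # Network security config must be referenced, present, cleartext-free and pinned
  if ! grep -q 'android:networkSecurityConfig=' "$m"; then
    echo "no networkSecurityConfig attribute"; n=$((n+1))
  elif [ ! -f "$nsc" ]; then
    echo "network_security_config.xml missing"; n=$((n+1))
  else
    grep -q 'cleartextTrafficPermitted="true"' "$nsc" && { echo "cleartext permitted in config"; n=$((n+1)); }
    grep -q '<pin-set' "$nsc" || { echo "no certificate pins in config"; n=$((n+1)); }
  fi
  # SMS permissions draw extra scrutiny in financial apps and need a Play Console justification
  grep -Eq 'android\.permission\.(READ_SMS|RECEIVE_SMS)' "$m" && { echo "SMS permission: justify in Play Console"; n=$((n+1)); }
  return "$n"
}
# Constructed fixtures: a typical debug build, and the same app hardened (placeholder package, domain, pin).
write_weak_project() {
  mkdir -p "$1"
  cat > "$1/AndroidManifest.xml" <<'EOF'
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.wallet">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:debuggable="true" android:usesCleartextTraffic="true"/>
</manifest>
EOF
}
write_hardened_project() {
  mkdir -p "$1/res/xml"
  cat > "$1/AndroidManifest.xml" <<'EOF'
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.wallet">
  <application android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>
EOF
  cat > "$1/res/xml/network_security_config.xml" <<'EOF'
<network-security-config>
  <base-config cleartextTrafficPermitted="false"><trust-anchors><certificates src="system"/></trust-anchors></base-config>
  <domain-config><domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2026-12-31"><pin digest="SHA-256">PLACEHOLDER_BASE64_SPKI_HASH=</pin></pin-set>
  </domain-config>
</network-security-config>
EOF
}
d=$(mktemp -d); write_weak_project "$d/weak"; write_hardened_project "$d/hardened"
for p in weak hardened; do echo "== $p"; check_app "$d/$p" || :; done
```

Run it against the output of apktool or any decoded source tree; a non-zero return is the finding count, so it can gate a CI release job.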

The appeal process

If your app has been rejected, read the rejection notification carefully—Google often flags specific classes or code patterns. Fix the identified issues, run your own security scan to confirm, then submit an appeal with detailed documentation of what you changed and why. Include evidence: screenshots of your network security config, proof that secrets have been removed, test results showing encryption is in place.

If the rejection reason is vague, a vulnerability assessment will identify every issue Google might be flagging, giving you a comprehensive fix list rather than playing whack-a-mole with individual rejections.

