Our Android Manifest doesn't have any permissions for SMS. We did till 4 releases back. But the Playstore still prompts us to fill in the declaration for sensitive permissions by saying the following -
Previously declared permissions (3 permissions)
android.permission.RECEIVE_SMSandroid.permission.SEND_SMSandroid.permission.READ_SMS
Could this be coming due to a library that we're using which still requires these permissions? How can we avoid this?
Our Manifest has the following permissions:
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission android:name="android.permission.READ_PHONE_STATE" />
<uses-permission android:name="android.permission.READ_CONTACTS" />
<uses-permission android:name="android.permission.CAMERA" />
<uses-permission android:name="android.permission.ACCESS_PHONE_SUB_INFO" />
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
<uses-permission android:name="android.permission.CHANGE_WIFI_STATE" />
<uses-permission android:name="android.permission.WAKE_LOCK" />
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
<uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT" />
<uses-permission android:name="com.android.launcher.permission.UNINSTALL_SHORTCUT" />
<uses-permission android:name="android.permission.GET_ACCOUNTS" />
Try to examine Artifact library in your play console. Click on version code's down arrow of apk/bundle file and check for required permissions section, are still able to see call,sms permissions? If yes, you need to check manifest file again and remove sensitive permissions.
Both Apple's iOS and Google's Android systems have evolved to contain very robust data permission regimes and, in general, apps ask your permission to access your data because they need it for one function or another.
I solved it. Go to your artifact Library and check if there is any active artifact which contains these permissions. Now create a build and overwrite those active artifacts with your new build.
It needs so many permissions because Play Services acts as a hub that other apps rely on for security services provided by Google. Google Play Services have system-level access to provide multiple internal features and hides sensitive information from other apps.
How we solved it:
Figured out whether our merged manifest has permissions that don't fall within the Policy. We followed this article which led us to look at the merged Manifest file here: app/build/intermediates/manifests/full/debug/AndroidManifest.xml.
We identified which dependency had added the permissions by looking into the logs: app/build/outputs/logs/manifest-merger-debug-report.txt
We found that there were 3 permissions present in our Manifest file:
android.permission.READ_SMS,android.permission.SEND_SMS, android.permission.RECEIVE_SMS.
To remove them, in our AndroidManifest.xml, we added:
<uses-permission android:name="android.permission.READ_SMS" tools:node="remove" />
<uses-permission android:name="android.permission.SEND_SMS" tools:node="remove" />
<uses-permission android:name="android.permission.RECEIVE_SMS" tools:node="remove" />
We updated all of the dependencies versions
Pushed the APK with all these removed permissions into all the tracks open on our Google Play Console (Internal test track, Alpha, Beta and Production).
Within 12 hours the warning was removed.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With