Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Playstore prompts to 'Declare sensitive permissions'

Our Android Manifest doesn't have any permissions for SMS. We did till 4 releases back. But the Playstore still prompts us to fill in the declaration for sensitive permissions by saying the following -

Previously declared permissions (3 permissions)
android.permission.RECEIVE_SMS
android.permission.SEND_SMS
android.permission.READ_SMS

Could this be coming due to a library that we're using which still requires these permissions? How can we avoid this?

Our Manifest has the following permissions:

<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission android:name="android.permission.READ_PHONE_STATE" />
<uses-permission android:name="android.permission.READ_CONTACTS" />
<uses-permission android:name="android.permission.CAMERA" />
<uses-permission android:name="android.permission.ACCESS_PHONE_SUB_INFO" />
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
<uses-permission android:name="android.permission.CHANGE_WIFI_STATE" />
<uses-permission android:name="android.permission.WAKE_LOCK" />
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
<uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT" />
<uses-permission android:name="com.android.launcher.permission.UNINSTALL_SHORTCUT" />
<uses-permission android:name="android.permission.GET_ACCOUNTS" />
like image 899
Mallika Khullar Avatar asked Jan 28 '19 09:01

Mallika Khullar


People also ask

How do I remove sensitive permissions from Google Play?

Try to examine Artifact library in your play console. Click on version code's down arrow of apk/bundle file and check for required permissions section, are still able to see call,sms permissions? If yes, you need to check manifest file again and remove sensitive permissions.

Why are all my apps asking for permission?

Both Apple's iOS and Google's Android systems have evolved to contain very robust data permission regimes and, in general, apps ask your permission to access your data because they need it for one function or another.

How do I get rid of previously declared permissions on Play Store?

I solved it. Go to your artifact Library and check if there is any active artifact which contains these permissions. Now create a build and overwrite those active artifacts with your new build.

Should I give Google Play Services permissions?

It needs so many permissions because Play Services acts as a hub that other apps rely on for security services provided by Google. Google Play Services have system-level access to provide multiple internal features and hides sensitive information from other apps.


1 Answers

How we solved it:

  1. Figured out whether our merged manifest has permissions that don't fall within the Policy. We followed this article which led us to look at the merged Manifest file here: app/build/intermediates/manifests/full/debug/AndroidManifest.xml.

  2. We identified which dependency had added the permissions by looking into the logs: app/build/outputs/logs/manifest-merger-debug-report.txt

  3. We found that there were 3 permissions present in our Manifest file: android.permission.READ_SMS,android.permission.SEND_SMS, android.permission.RECEIVE_SMS.

  4. To remove them, in our AndroidManifest.xml, we added:

<uses-permission android:name="android.permission.READ_SMS" tools:node="remove" />
<uses-permission android:name="android.permission.SEND_SMS" tools:node="remove" />
<uses-permission android:name="android.permission.RECEIVE_SMS" tools:node="remove" />
  1. We updated all of the dependencies versions

  2. Pushed the APK with all these removed permissions into all the tracks open on our Google Play Console (Internal test track, Alpha, Beta and Production).

Within 12 hours the warning was removed.

like image 118
Mallika Khullar Avatar answered Oct 04 '22 19:10

Mallika Khullar