User gets permissions request that are not included in the manifest

Question

I have Just released an app that has two permission in its manifest file (to show banner ads). "android.permission.INTERNET" and "android.permission.ACCESS_NETWORK_STATE". For testing I tried to install my app from the play market and discovered that the app required Identity, Location, Photo/Media/Files!! There is no such permissions in my manifest file, and I don't need them. Tried my other apps with similar manifest.xml (internet, network state) they are installing without any special permissions. Considering new content rating certificate system, i might have problems because in questionnaire i marked that don't need user location. Why it requires permissions that I didn't ask? I'm using android studio and build.gradle:

 android {
    compileSdkVersion 22
    buildToolsVersion "22.0.1"

    defaultConfig {
        applicationId "com.appName"
        minSdkVersion 15
        targetSdkVersion 22
        versionCode 1
        versionName "1.0"
    }
    buildTypes {
        release {
            minifyEnabled true
            proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
        }
    }
}

repositories {
    maven {
        url "https://jitpack.io"
    }
}

dependencies {
    compile fileTree(dir: 'libs', include: ['*.jar'])
    compile 'com.github.PhilJay:MPAndroidChart:v2.1.0'
    compile 'com.melnykov:floatingactionbutton:1.3.0'
    compile 'com.mcxiaoke.volley:library:1.0.+'
    compile 'com.nispok:snackbar:2.10.2'
    compile 'com.android.support:cardview-v7:22.2.0'
    compile 'com.android.support:recyclerview-v7:22.2.0'
    compile 'uk.co.chrisjenx:calligraphy:2.1.0'
    compile 'com.google.android.gms:play-services:7.5.0'
    compile 'com.android.support:appcompat-v7:22.2.0'
    compile 'com.github.markushi:android-ui:1.2'
    compile 'com.afollestad:material-dialogs:0.7.3.1'
}

Manifest.xml

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          xmlns:tools="http://schemas.android.com/tools"
          package="com.AppPackage" >

    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />

    <application
        android:name=".MyApplication"
        android:allowBackup="true"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:theme="@style/AppTheme"
        >
        <activity
            android:name=".MainActivity"

            android:label="@string/app_name" >
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />

                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <activity
            android:name="com.google.android.gms.ads.AdActivity"
            android:configChanges="keyboard|keyboardHidden|orientation|screenLayout|uiMode|screenSize|smallestScreenSize" />

        <meta-data
            android:name="com.google.android.gms.version"
            android:value="@integer/google_play_services_version" />

        <activity android:name=".Prefs_Activity" >
        </activity>
        <activity
            android:name=".Guide_Activity"
            android:label="@string/title_activity_" >
        </activity>
        <activity
            android:name=".Picker_Activity"
            android:label="@string/title_activity_" >
        </activity>
    </application>

</manifest>

Update:

Thanks to CommonsWare's answer I have found "manifest-merger-release-report.txt", and who uses these permissions. These are maps and wallet APIs. I have separated play service from this:

    compile 'com.google.android.gms:play-services:7.5.0'

to this(all I need for now):

    compile 'com.google.android.gms:play-services-analytics:7.5.0'
    compile 'com.google.android.gms:play-services-plus:7.5.0'
    compile 'com.google.android.gms:play-services-ads:7.5.0'
    compile 'com.google.android.gms:play-services-appindexing:7.5.0'

Results:

• removed unnecessary permissions
• apk size reduced up to 500kb
• started to take seriously API separation

Answer 1

Why it requires permissions that I didn't ask?

Because you are loading in 11 libraries, and one or more of them are asking for these permissions. In particular, you are loading in com.google.android.gms:play-services, and it will require a lot of permissions. For example, Play Services has the fused location API and Google Maps, both of which need location data.

A manifest merger report should be written to build/outputs/apk/ of your project or module (e.g., in app/ in a traditional Android Studio project). You can use this to try to determine where the additional permissions are coming from. Then, stop using those libraries, or switch to something else. In the case of Play Services, rather than loading in all of Play Services, load in only the pieces that you need. That is covered in the documentation (see the "Selectively compiling APIs into your executable" section).