Restricted Permissions policy

Permissions Policy: Requesting Unnecessary or Restricted Permissions

Medium RiskMedium Difficulty0 Reports
Also known as:ACCESS_BACKGROUND_LOCATION without approved justification or core feature needREAD_SMS or RECEIVE_SMS permissions for apps that are not default SMS handlersREAD_PHONE_STATE requested for non-essential features like analyticsBroad permission requests at install time instead of contextual runtime requests

Our Take

Your app requests permissions that are not essential to its core functionality, or uses restricted permissions (SMS, call log, background location) without an approved Permissions Declaration Form. Google Play enforces the principle of least privilege — apps may only request permissions that are directly needed to implement current features advertised to users.

Resolution Guide

01

**Audit AndroidManifest.xml** — List every `<uses-permission>` in your manifest. For each one, document which feature requires it.


02

**Check merged manifest** — In Android Studio, open your `AndroidManifest.xml` and click "Merged Manifest" tab. Third-party SDKs may inject permissions you didn't declare directly. Use `tools:node="remove"` to strip unwanted SDK permissions:

```xml

<uses-permission android:name="android.permission.READ_PHONE_STATE" tools:node="remove" />

```

03

**Remove unnecessary permissions** — If a permission isn't essential to a core, user-facing feature, remove it. Common offenders: READ_PHONE_STATE, ACCESS_FINE_LOCATION (when coarse is sufficient), READ_CONTACTS.


04

**Submit Permissions Declaration Form** — For restricted permissions you must keep (background location, SMS, call log), go to Play Console → Policy → App content → Permissions declarations. Explain the feature that requires it, why alternatives won't work, and include a demo video.


05

**Implement runtime permissions** — Request permissions at the moment the user triggers the related feature, not at app startup. Show a rationale dialog explaining why the permission is needed.


06

**Test permission-denied paths** — Ensure your app functions gracefully when permissions are denied. Never block the entire app for a non-essential permission.


Example Rejection Email

From:Google Play Developer Support
Subject:Policy violation - Permissions Policy: Requesting Unnecessa
Issue found: Permissions policy — Use of restricted permissions Your app requests the following restricted permission(s) without an approved Permissions Declaration Form: • ACCESS_BACKGROUND_LOCATION Restricted permissions require a valid use case and an approved declaration form. If your app's core functionality requires this permission, submit a Permissions Declaration Form in Google Play Console. If not, remove the permission from your AndroidManifest.xml. Action required: Either submit a Permissions Declaration Form or remove the restricted permission(s) from your app.

Before & After

Before — Rejected

AndroidManifest.xml includes ACCESS_BACKGROUND_LOCATION, READ_PHONE_STATE, and READ_CONTACTS — background location is used only for a non-core 'nearby places' widget, phone state for analytics, contacts not used at all

After — Approved

Removed READ_PHONE_STATE and READ_CONTACTS entirely, replaced ACCESS_BACKGROUND_LOCATION with ACCESS_COARSE_LOCATION requested at runtime only when user opens the nearby places feature

What changed: Only keep permissions essential to core features, request them contextually at runtime, and remove any injected by SDKs that your app doesn't need

Community Solutions · 0

Sign in to share your solution.