Restricted Permissions policy
Permissions Policy: Requesting Unnecessary or Restricted Permissions
Our Take
Your app requests permissions that are not essential to its core functionality, or uses restricted permissions (SMS, call log, background location) without an approved Permissions Declaration Form. Google Play enforces the principle of least privilege — apps may only request permissions that are directly needed to implement current features advertised to users.
Resolution Guide
**Audit AndroidManifest.xml** — List every `<uses-permission>` in your manifest. For each one, document which feature requires it.
**Check merged manifest** — In Android Studio, open your `AndroidManifest.xml` and click "Merged Manifest" tab. Third-party SDKs may inject permissions you didn't declare directly. Use `tools:node="remove"` to strip unwanted SDK permissions:
```xml
<uses-permission android:name="android.permission.READ_PHONE_STATE" tools:node="remove" />
```
**Remove unnecessary permissions** — If a permission isn't essential to a core, user-facing feature, remove it. Common offenders: READ_PHONE_STATE, ACCESS_FINE_LOCATION (when coarse is sufficient), READ_CONTACTS.
**Submit Permissions Declaration Form** — For restricted permissions you must keep (background location, SMS, call log), go to Play Console → Policy → App content → Permissions declarations. Explain the feature that requires it, why alternatives won't work, and include a demo video.
**Implement runtime permissions** — Request permissions at the moment the user triggers the related feature, not at app startup. Show a rationale dialog explaining why the permission is needed.
**Test permission-denied paths** — Ensure your app functions gracefully when permissions are denied. Never block the entire app for a non-essential permission.
Example Rejection Email
Before & After
AndroidManifest.xml includes ACCESS_BACKGROUND_LOCATION, READ_PHONE_STATE, and READ_CONTACTS — background location is used only for a non-core 'nearby places' widget, phone state for analytics, contacts not used at all
Removed READ_PHONE_STATE and READ_CONTACTS entirely, replaced ACCESS_BACKGROUND_LOCATION with ACCESS_COARSE_LOCATION requested at runtime only when user opens the nearby places feature
What changed: Only keep permissions essential to core features, request them contextually at runtime, and remove any injected by SDKs that your app doesn't need
Community Solutions · 0
Sign in to share your solution.