As per the developer policy, it was recommended not to use SMS and CALL_LOG related permissions, unless the app has core functionality related to them. I was previously using READ_SMS permission to auto-detect OTP, but later removed it from the application & replaced it with SMS Retriever API. I published the application without any prohibited permission to play store on 3rd Jan 2019, before the deadline that required the app to be updated without those permissions before 9th January 2019. Now when I try to update the app with a new release to play store I get an app release error that 1 error needs to be fixed. When I clicked to see the error details the message is “You can’t edit this app until you create a new app release declaring sensitive permissions.”
Currently the list of permissions used in my app are as follows:-
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.GET_ACCOUNTS" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.CAMERA" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.VIBRATE" />
<uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW" />
<uses-permission android:name="android.permission.READ_CONTACTS" />
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
<uses-permission android:name="android.permission.RECORD_AUDIO" />
I’m not using any SMS or CALL_LOG permission, but still face an error while publishing new release. Please refer to the links to view the error.
App Error while publishing new release
I checked the ‘Artifact Library’ section, which is under ‘Release Management’ on app publishing dashboard.
I carefully examined every ‘Active Artifact’ and found one live artifact that was released on Open Track (Beta), which wasn’t pushed to production. This active artifact, which was a beta release long ago, had READ_SMS permission, which was responsible for the warning.
So in order to tackle this I rolled out my app without SMS or CALL_LOG permission to testing track on Beta.
From Beta I released it to production, and I was able to publish my app to production.
Make sure there is no active APK with sensitive permissions across tracks. Here are the steps to follow just in case:
To release a new compliant APK, please follow these steps:
1. Go to your Play Console.
2. Select the app.
3. On the left menu, select Release management > App releases.
4. Next to the release track(s) where non-compliant APK(s) are in active status, select Manage.
   Highly recommended to make your last release in production track if your production track has non-compliant APK.
   Suggested order (if tracks have non-compliant APKs): Internal track > Closed > Open > Production
5. To create a new release, select Create release (or Edit release).
6. Upload a new compliant APK or ‘Add from library’
7. If you see the Permissions Declaration Form while releasing the app, please complete the form according to the following instructions:
   Choose one core functionality (e.g. Default SMS handler) to make a release with compliant APK. This release may automatically lead to rejection but this will deactivate the non-compliant APK(s) in the track.
8. Select Save > Review at the bottom of the page.
9. Click Start Rollout.
   Please ensure that the new release is rolled out 100% and completely deactivates the non-compliant APK.
10. Go back to step 1 to make another release in the track where non-compliant APK(s) are in active status until there is no active APK with sensitive permissions across tracks.
If you have updated your app with compliant APK(s) across tracks, please check if there are any active APKs with sensitive permissions remaining. Here is how to check within the Play Console.
1. Go to Release Management > Artifact Library
2. Expand Active APKs and Draft APKs
3. Expand Required Permissions for each APK
There are 2 things you need to make sure of if you have removed all permissions and Google is still rejecting the app.
1. Check your merged manifest, which may have a permission from some library. Remove it like
<uses-permission android:name="android.permission.READ_SMS" tools:node="remove" />
2. Update test builds from alpha or beta release in PlayStore console.
After around one day, I concluded the following steps to get rid of this weird error.
First, after making sure you have removed permissions from the Manifest file, you should also cross-verify that some library is not using the same permission. To remove the permission from the library as well, add this to the Manifest file.
<!-- tools:node="remove" requires xmlns:tools="http://schemas.android.com/tools" on the <manifest> element -->
<uses-permission android:name="android.permission.RECEIVE_SMS" tools:node="remove"/>
<uses-permission android:name="android.permission.READ_SMS" tools:node="remove"/>
<uses-permission android:name="android.permission.READ_CALL_LOG" tools:node="remove"/>
<uses-permission android:name="android.permission.WRITE_CALL_LOG" tools:node="remove"/>
Second, the most important point (the real problem was here in my case): check in every track (Production, Beta, Alpha, Internal test) on the Play Store that you don’t have an old APK which was using these permissions. If this is the case, you need to upload a new APK in every track: Production track: Production, Open track: Beta, Closed track: Alpha, Internal test track: Internal test
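A pre-upload check for the library-permission problem described in the two answers above, as an added example that is not part of any answer on this page: it parses a manifest and reports SMS/Call Log permissions that are still requested. The permission set (the four named here plus the rest of Android's SMS and CALL_LOG groups), the sample manifests and the script name are assumptions made for illustration.

```python
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
TOOLS_NS = "http://schemas.android.com/tools"
NAME_ATTR = "{%s}name" % ANDROID_NS
NODE_ATTR = "{%s}node" % TOOLS_NS

# The four permissions named on this page plus the rest of Android's
# SMS and CALL_LOG permission groups (assumed scope of the check).
RESTRICTED = {"android.permission." + p for p in (
    "READ_SMS", "RECEIVE_SMS", "SEND_SMS", "RECEIVE_MMS", "RECEIVE_WAP_PUSH",
    "READ_CALL_LOG", "WRITE_CALL_LOG", "PROCESS_OUTGOING_CALLS")}

def restricted_permissions(manifest_xml):
    """Return the sorted SMS/Call Log permissions a manifest still requests."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(NAME_ATTR, "")
            # In a source manifest, tools:node="remove" tells the merger to
            # drop the entry, so it is not counted as requested.
            if name in RESTRICTED and elem.get(NODE_ATTR) != "remove":
                found.add(name)
    return sorted(found)

# Constructed sample: merged manifest where a library contributed READ_SMS.
MERGED_SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.READ_SMS" />
  <uses-permission android:name="android.permission.READ_CALL_LOG" />
</manifest>"""

# Constructed sample: app manifest that strips the library's permission.
SOURCE_SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools" package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.READ_SMS" tools:node="remove" />
</manifest>"""

if __name__ == "__main__":
    # Usage: python check_manifest.py <merged AndroidManifest.xml>; exits 1 on a hit.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else MERGED_SAMPLE
    hits = restricted_permissions(data)
    print("\n".join(hits) or "no SMS/Call Log permissions requested")
    sys.exit(1 if hits else 0)
```

Run it against the merged manifest your build produces rather than only the app's own manifest, since library-contributed permissions appear only after merging.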
I suggest you just go through this document. Maybe you forgot to remove some other sensitive permissions. https://play.google.com/about/privacy-security-deception/permissions/
So just check this permissions list and find out in your code if you find something that’s not required.
First you’ll have to release an APK with the sensitive permissions that the previous APK has. When the APK is uploaded, a permission declaration form will pop up which will allow you to choose whether your app is compliant or not to use the sensitive permission. You’ll want to check “No, this release does not meet the SMS and Call log” so that the “roll out release” button will be highlighted; click on it. Once your app is rolled out and reviewed, you’ll then be able to release a new update without those sensitive permissions.
However, if your app needs the sensitive permissions you’ll have to check “yes, my app is compliant” and wait for the approval from them.
This is the workaround I could find and it worked. Developer support wasn’t able to provide valuable information about this issue.
You may have to de-activate any older APKs bundled in the release.
If you are replacing an APK that has these permissions and has an older target SDK version, then it looks like Google Play will leave them activated by default in the new release, which will cause the Sensitive Permission Policy to be required even if your latest APK doesn’t have this permission.