Removed permissions still show up in Play Store
I clicked on the Google Play beta which accidentally added more permissions compared to the version currently in production.
I removed these permissions before pushing the final new version to production via staged roll-out, but despite this, users still complain about the new permissions when they got the update on the Play Store.
Why are the new permissions still visible? I removed the APK from the beta channel, new APKs (both old and new in phased deployment) have new permissions. I even see these new permissions on the Play Store list.
source to share
By using the new SDK, but not changing the targetSdkVersion of all my imported modules, I automatically inherited some implicit permissions.
First, there is one library with targetSdkVersion 3 - which will automatically add READ_PHONE_STATE as already described in this answer and the official docs .
This can be easily seen by looking at the manifest merge log in build / output / logs / manifest-merger-release-report.txt:
android:uses-permission#android.permission.READ_PHONE_STATE
IMPLIED from AndroidManifest.xml:2:1 reason: com.foo.library has a targetSdkVersion < 4
Another problem was setting READ_CONTACTS, but at least one library used both minSdkVersion and targetSdkVersion <15. This automatically adds READ_CALL_LOG. See the documentation about this . Oddly enough, I didn't notice any mention of this in the merge log, but I may have missed it.
The final APK resolutions can be checked with aapt:
aapt dump badging build\outputs\apk\foo-release.apk
This displays a list of permissions.
Full credit to CommonsWare for leading me. Thanks Mark!
source to share