Keywords: Android Permissions | Privacy Policy | READ_PHONE_STATE | Google Play | App Compliance
Abstract: This paper provides an in-depth analysis of permission and privacy policy issues encountered when publishing Android apps on Google Play, using the READ_PHONE_STATE permission as a case study. It explains permission declaration mechanisms, privacy policy requirements, and solutions through practical examples, helping developers achieve compliance in app distribution.
Analysis of Permission Declaration and Privacy Policy Correlation
In Android app development, permission management is crucial for ensuring user data security. Google Play, as a primary app distribution platform, enforces strict regulations on permissions involving sensitive user data. When an app requests sensitive permissions like android.permission.READ_PHONE_STATE, it must provide a transparent privacy policy that clearly explains data collection and usage practices.
Implicit Permission Dependency Issues
A common confusion among developers is receiving privacy policy requirements for READ_PHONE_STATE despite not explicitly declaring it in AndroidManifest.xml. This typically stems from:
- Third-party library dependencies: Integrated SDKs may internally declare such permissions
- Build tool merging: Gradle build process merges manifest files from multiple modules, adding permissions
- System component implicit requirements: Certain Android system components automatically request permissions under specific conditions
Examining the provided manifest code:
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.my.package.name">
<uses-permission android:name="android.permission.INTERNET" />
<application
android:name=".utils.PreferenceManager"
android:allowBackup="true"
android:icon="@mipmap/ic_launcher"
android:label="@string/app_name"
android:largeHeap="true"
android:supportsRtl="true"
android:theme="@style/AppTheme">
<activity
android:name=".SplashScreen"
android:screenOrientation="portrait">
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
</activity>
<activity
android:name=".MainActivity"
android:screenOrientation="portrait" />
<activity
android:name=".CategoryListActivity"
android:screenOrientation="portrait" />
<activity
android:name=".ImagesActivity"
android:screenOrientation="portrait" />
</application>
</manifest>Shows only INTERNET permission is declared, yet the final APK contains READ_PHONE_STATE, indicating implicit dependencies.
Google Play Privacy Policy Configuration Guide
According to Google Play developer policies, apps handling personal or sensitive user data must provide a privacy policy. Configuration steps include:
- Log into Google Play Console and select the target app
- Navigate to Store presence → App content (or Policy → App content)
- Add a valid privacy policy URL in the Privacy Policy section
- Ensure the policy clearly describes data collection, usage, storage, and sharing practices
A comprehensive privacy policy should cover:
- Explicit listing of collected data types (e.g., device information, usage statistics)
- Explanation of data usage purposes (e.g., functionality, analytics improvement)
- Disclosure of data sharing with third parties (e.g., service providers)
- Description of user rights (e.g., data access, deletion requests)
Technical Solutions for Permission Removal
If the app genuinely doesn't require READ_PHONE_STATE permission, it can be explicitly removed using manifest merger tools:
<uses-permission android:name="android.permission.READ_PHONE_STATE" tools:node="remove" />Additionally, add the tools namespace to the <manifest> tag:
xmlns:tools="http://schemas.android.com/tools"This approach effectively removes unwanted permissions from imported libraries, ensuring the final APK doesn't contain sensitive permission declarations.
Best Practices for Compliant Development
To prevent permission-related issues, adopt these development practices:
- Permission Auditing: Regularly use Android Studio's APK analyzer to inspect final APK permissions
- Dependency Management: Review third-party library permission requirements and choose privacy-friendly alternatives
- Principle of Least Privilege: Request only the minimum set of permissions necessary for app functionality
- Transparent Communication: Honestly disclose all data practices in the privacy policy to build user trust
Through systematic permission management and transparent privacy practices, developers can not only meet platform requirements but also enhance app user experience and market competitiveness.