App Store Rejection Guideline: Google Play — Permissions (Permissions Policy)

Your app is requesting permissions it doesn't need. Google noticed.

Google Play reviews dangerous permissions — SMS, contacts, location, call logs, camera — to ensure they're actually necessary for the app's core function. If reviewers can't see why your app needs a permission, you'll be asked to justify it or remove it. Here's how to handle that conversation.

What Apple said

Your app requests access to sensitive user data including SMS messages and contacts. These permissions do not appear necessary for your app's core functionality as described in your store listing. Please remove unnecessary permissions or provide a detailed explanation of why each permission is required.

What this actually means

Google's permission policy requires that every sensitive permission you request is necessary for the app's primary purpose — not just for a minor feature or future roadmap item. If you request SMS permission to auto-fill OTPs but your core app is a recipe manager, expect to justify that. Google is increasingly strict about permission minimization.

What Apple needs to see

  • Every dangerous permission tied directly to a core feature clearly described in your store listing
  • No permissions requested for features that are secondary, optional, or behind a paywall
  • A permission rationale dialog shown to users explaining why each permission is needed before the system prompt appears
  • Removal of any permissions your app requests but doesn't actively use in the current version

  1. List every dangerous permission in your AndroidManifest.xml and write down the specific feature it enables
  2. Remove any permission that supports a feature not in the current app version or not described in your store listing
  3. Add runtime rationale dialogs before requesting each sensitive permission — tell users why you need it in plain English
  4. Update your store listing description to explicitly mention any features that require sensitive permissions
  5. If Google sends a Declaration form for permissions like SMS or Call Log, fill it out honestly and specifically — vague answers trigger escalation
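
Steps 1 and 2 can be run as a repeatable check. The script below is an added example, not part of the original page: it parses a manifest, keeps only the dangerous permissions from the groups this page names, and reports which ones have no feature written down. The sample manifest, the `com.example.recipes` package and the `FEATURES` map are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attributes such as android:name live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Dangerous-level permissions for the groups this page names
# (SMS, contacts, location, call logs, camera). Not the full Android list.
DANGEROUS = {
    "READ_SMS", "RECEIVE_SMS", "SEND_SMS",
    "READ_CONTACTS", "WRITE_CONTACTS",
    "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
    "READ_CALL_LOG", "WRITE_CALL_LOG",
    "CAMERA",
}

# Constructed sample manifest for a hypothetical recipe app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.recipes">
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.CAMERA" />
  <uses-permission android:name="android.permission.READ_SMS" />
  <uses-permission android:name="android.permission.READ_CONTACTS" />
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
</manifest>"""

# Hypothetical feature map: the "write down the feature" half of step 1.
# A blank entry counts as no justification.
FEATURES = {
    "CAMERA": "Photograph a finished dish and attach it to a recipe",
    "ACCESS_FINE_LOCATION": "   ",
}

def audit_manifest(manifest_xml, features):
    """Return [(permission, feature or None)] for each dangerous permission."""
    report = []
    for node in ET.fromstring(manifest_xml).iter("uses-permission"):
        name = node.get(ANDROID_NS + "name", "")
        short = name.rsplit(".", 1)[-1]
        if not name.startswith("android.permission.") or short not in DANGEROUS:
            continue  # normal-level permissions such as INTERNET are not reviewed
        report.append((short, features.get(short, "").strip() or None))
    return report

def unjustified(report):
    """Permissions with no written feature: candidates for removal (step 2)."""
    return [perm for perm, feature in report if feature is None]

if __name__ == "__main__":
    for perm, feature in audit_manifest(SAMPLE_MANIFEST, FEATURES):
        print(f"{perm:22} {feature or 'NO FEATURE RECORDED: remove or justify'}")
```

Run against the merged manifest from your build output rather than only the app module's source manifest, since libraries can contribute permissions you never declared yourself.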

Common questions

My app uses location for a core feature — why was it still flagged?

If location is genuinely core to your app, you likely need to be more explicit in your store listing. Describe the location-dependent feature prominently. Also check whether you're requesting precise location when approximate location would suffice — Google prefers least-privilege permission requests.

Google sent me a Permissions Declaration form — what do I do?

Fill it out completely and specifically. For each flagged permission, explain the exact user-facing feature it enables and why it cannot work without that permission level. Generic answers like 'to improve user experience' will get rejected. Specific answers like 'SMS permission is used to auto-read OTP verification codes during account login' will pass.

Can I add a permission later after the app is live?

Yes, you can add permissions in an update, but adding a new dangerous permission will likely trigger another review. Plan your permission needs upfront and request only what you need today. Permissions added speculatively 'for future use' are a common rejection cause.