Remove the request for location permissions from your app

I had this issue too. It is gone after:

  1. removing manually all dependencies, related to “expo-location” in package-lock.json
  2. Adding empty array as a value of the “permissions” property in the app.json
    "android": { "permissions": [], ... }
3 Likes

Hi, @davidapears.
Maybe this will be helpful for you


Quote from this doc:
" > Some Expo and React Native modules include permissions by default. If you use expo-location , for example, both the ACCESS_COARSE_LOCATION and ACCESS_FINE_LOCATION are implied and added to your app’s permissions automatically.

To limit the permissions your managed workflow app requires, set the android.permissions property in your app.json file to list only the permissions you need, and Expo will also include the minimum permissions it requires to run. If you leave this property out, all permissions will be included in your app."
I added a comment to this topic with steps, which helped me to get rid of the issue

@rooftopbase - thanks for this. Our app is a very very simple one and I can’t see anything at all that would require any location-based info. Our dependencies are here:

"@expo-google-fonts/benchnine": "^0.1.0",
"@expo-google-fonts/darker-grotesque": "^0.1.0",
    "@expo-google-fonts/inter": "^0.1.0",
    "@expo/vector-icons": "^10.2.1",
    "@react-native-community/masked-view": "0.1.5",
    "@react-navigation/core": "^5.11.1",
    "@react-navigation/native": "5.0.0",
    "@react-navigation/stack": "5.0.0",
    "expo": "~36.0.0",
    "expo-font": "~8.0.0",
    "prop-types": "^15.7.2",
    "react": "~16.9.0",
    "react-dom": "~16.9.0",
    "react-native": "https://github.com/expo/react-native/archive/sdk-36.0.0.tar.gz",
    "react-native-gesture-handler": "~1.5.0",
    "react-native-linear-gradient": "^2.5.6",
    "react-native-lookup-modal": "git+https://github.com/levelstudiosuk/react-native-lookup-modal.git",
    "react-native-modal": "^11.5.6",
    "react-native-reanimated": "~1.4.0",
    "react-native-safe-area-context": "0.6.0",
    "react-native-screens": "2.0.0-alpha.12",
    "react-native-web": "~0.11.7",
    "search-modal-picker": "^1.0.1",
    "styled-components": "^5.0.1"
  },

So all I can assume is that this is coming from Expo - I will re-try setting android to "android": { "permissions": [], ... } - ( i have already tried it with

"permissions": [
        "ACCESS_COARSE_LOCATION",
        "ACCESS_FINE_LOCATION",
        "ACCESS_BACKGROUND_LOCATION"
      ]

Which just leads GooglePlay to ask why we need location info - which I can’t answer as we don’t use it - so I’m stuck with a rejection. :confused:

Hopefully, the empty array will sort it.

Thanks!

Yes. Expo added it.
You don’t have "expo-location’ in package.json, but Expo added it to package-lock.json (when you generated your app the first time or run “expo update” command)
I removed manually all blocks which contained “expo-location” from package-lock.json. After that built app-bundle and uploaded it to Google play and warning disappeared.
And added empty array as an additional “safety net”
Try to do the same and they will not reject (at least it will pass auto check step)

7 Likes

This worked - Thank you. :v:

For everyone looking for the root issue, it’s the permissions key configuration in your app.json.

Quoting from:
https://docs.expo.io/versions/latest/config/app/#permissions

To use ONLY the following minimum necessary permissions and none of the extras supported by Expo in a default managed app, set permissions to [ ].
The minimum necessary permissions do not require a Privacy Policy when uploading to Google Play Store and are:
• receive data from Internet
• view network connections
• full network access
• change your audio settings
• prevent device from sleeping
To use ALL permissions supported by Expo by default, do not specify the permissions key. To use the minimum necessary permissions ALONG with certain additional permissions, specify those extras in permissions, e.g. [ “CAMERA”, “ACCESS_FINE_LOCATION” ]

The above means:

  • If you do not specify a permissions key, expo will request all possible permissions. This includes permissions that you may or may not use.
  • If you do specify a permissions key with an empty array:
    "permissions": []
    expo will request the bare minimum permissions that are required for the core expo app to work. These permissions are listed above.
  • If you do specify a permissions key, with a non-empty array:
    "permissions": ["CAMERA","ACCESS_FINE_LOCATION"]
    expo will request the bare minimum permissions, plus the permisssions you specify in the array.

The packages that you choose to include in your build have nothing to do with the permissions required by your app. No expo package requests permissions automatically, even if you install it and include it in your app. Worst case scenario, if you do not manually request permissions, you will be denied access to the features.
As I said, the permissions key configuration is all you need.

Also, make sure to close all sessions opened with expo start, then do a expo start -c, before building your app. It may help expo to force it rebuild with the new settings without using any cached data.

2 Likes

It still doesn’t work for me :frowning:

I removed "expo-location’ from package-lock.json, and specified permissions . [ “CAMERA”] yet access_coarse_location is still present in node_module folder under android/permissions.js and Google rejected the app.

Please help.

1 Like

If you remove package-json.lock and node_modules and re-run npm install, do you still have references to expo-location in the newly created package-json.lock?

The references to *_LOCATION in ./node_modules/@expo/config/build/android/Permissions.js should not matter, since you say you have set expo.android.permissions to ["CAMERA"] in your app.json.

If the above doesn’t work, please post your app.json here and the output of:

grep location package*.json yarn.lock

EDIT: I think you need to be on at least SDK version 39. Also, to see what your APK is actually including, see this: https://stackoverflow.com/a/27866435/495319

See also: How to decrease permission on Android.

3 Likes

Sorry for the late reply, I was waiting for Google’s respond and they rejected the app again.

This is the output of:

grep location package*.json :
package-lock.json:                "expo-location": "~8.2.1",
package-lock.json:        "expo-location": {
package-lock.json:            "resolved": "https://registry.npmjs.org/expo-location/-/expo-location-8.2.1.tgz",

My app doesn’t have a yarn.lock file.

This is my app.json file:

{
  "expo": {
    "name": "MyApp",
    "slug": "MyApp",
    "privacy": "public",
    "scheme": "MyApp",
    "platforms": [
      "ios",
      "android"
    ],
    "version": "1.0.0",
    "orientation": "portrait",
    "icon": "./src/assets/images/icon.png",
    "splash": {
      "image": "./src/assets/images/splash.png",
      "resizeMode": "cover",
      "backgroundColor": "#ffffff"
    },
    "updates": {
      "enabled": false,
      "fallbackToCacheTimeout": 0
    },
    "assetBundlePatterns": [
      "**/*"
    ],
    "ios": {
      "bundleIdentifier": "com.MyApp.MyApp",
      "buildNumber": "1.0.0",
      "supportsTablet": true,
      "usesAppleSignIn": true,
      "infoPlist": {
        "UIBackgroundModes": [
          "audio"
        ]
      }
    },
    "android": {
      "package": "com.MyApp.MyApp",
      "versionCode": 10,
      "permissions": [
        "NOTIFICATIONS",
        "CAMERA",
        "CAMERA_ROLL"
      ],
      "useNextNotificationsApi": true
    },
    "androidStatusBar": {
      "backgroundColor": "#ffffff",
      "translucent": false
    },
    "description": "",
    "notification": {
      "icon": "./src/assets/images/icon.png"
    }
  }
}


Please help thanks.

OK, ignore the stuff below the line of hashes unless you’re interested in how to find reverse dependencies or something. The expo package depends on expo-location, so it’s expected for it to be in your package-lock.json.

Please post the output of expo diagnostics. You should be on SDK 39.

Given that you have already overridden the android.permissions in app.json as per the documentation, it should work.

#########################################################################

hmmm… and if you remove package-lock.json and node_modules and rerun npm install, do you still have references to expo-location in the newly-created package-lock.json?

Maybe also post your package.json.

EDIT: Before trying the above, try running the following and post the output. Also post package.json as I said above:

npm ls expo-location

Anybody else that finds this thread who runs yarn instead of npm, try:

yarn why expo-location

(the above npm and yarn commands found here)

upgrading sdk 39 removed 4 more permission which were location related. But still I do have unused permission. Here’s the permission that I request and what expo includes:

      "permissions": [
        "WRITE_EXTERNAL_STORAGE",
        "READ_EXTERNAL_STORAGE",
        "READ_INTERNAL_STORAGE"
      ]

Features(13)

 android.hardware.bluetooth,
 android.hardware.camera,
 android.hardware.camera.autofocus,
 android.hardware.location,
 android.hardware.location.gps,
 android.hardware.location.network,
 android.hardware.microphone,
 android.hardware.screen.landscape,
 android.hardware.screen.portrait,
 android.hardware.telephony,
 android.hardware.touchscreen,
 android.hardware.wifi,
 android.software.leanback

Permissions (24)

 android.permission.ACCESS_NETWORK_STATE,
 android.permission.ACCESS_WIFI_STATE,
 android.permission.FOREGROUND_SERVICE,
 android.permission.INTERNET,
 android.permission.MODIFY_AUDIO_SETTINGS,
 android.permission.READ_APP_BADGE,
 android.permission.READ_EXTERNAL_STORAGE,
 android.permission.READ_INTERNAL_STORAGE,
 android.permission.RECEIVE_BOOT_COMPLETED,
 android.permission.SYSTEM_ALERT_WINDOW,
 android.permission.WAKE_LOCK,
 android.permission.WRITE_EXTERNAL_STORAGE,
 my.app.android.permission.C2D_MESSAGE,
 com.google.android.c2dm.permission.RECEIVE,
 com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE,
 com.huawei.android.launcher.permission.CHANGE_BADGE,
 com.huawei.android.launcher.permission.READ_SETTINGS,
 com.huawei.android.launcher.permission.WRITE_SETTINGS,
 com.oppo.launcher.permission.READ_SETTINGS,
 com.oppo.launcher.permission.WRITE_SETTINGS,
 com.sonymobile.home.permission.PROVIDER_INSERT_BADGE,
 host.exp.exponent.permission.C2D_MESSAGE,
 me.everything.badger.permission.BADGE_COUNT_READ,
 me.everything.badger.permission.BADGE_COUNT_WRITE

Honestly, my app is only a dictionary app, the features I need are writing some data into app’s file system for caching purpose, notification and internet. That’s all, rest is not needed. I was expecting to get rid off with latest SDK (39) but seems nothing has changed but location.

How about the hardware features? I don’t need anything above.

This worked so good!! I was desperate because I’ve tried so many times publishing on PlayStore and always been rejected for LOCATION. Sadly, I had to take off everything about GPS , mapView and location. But, It was necessary while a first version could be published. And what you did suggested works for me.
Well, next steps is researching about using location and be accepted by google play policies.
By the while, I have a tinny smile.
Thanks bro!

Hi @rooftopbase, is it ok if I add the notifications (the only thing I need) within the permissions? Or it needs to be empty at all?

"android": { "permissions": [NOTIFICATIONS], ... }

Apologies for the silly questions but I have never done this How did you remove them manually from package-lock.json?

Hi, could you please share the steps? I was planning to update app.json by adding "android": { "permissions": [NOTIFICATIONS], ... } is this enough? If you manually removed the dependencies from package-lock.json could you please explain me how did you do it, as I am not sure? Thanks in advance

1 Like

Yes, that is what you should do. Also, you should be using at least SDK 38.

Many Thanks @wodin Someone was saying to manually remove the expo-location dependencies from package-lock.json, is this needed as well? Because I am not sure how to do it.

That should not be necessary. Let us know if fixing the permissions in app.json does not work for you on an SDK >= 38 app.

2 Likes

Sure! My SDK is 39 BTW thanks

(My SDK 39 app was rejected for the same issue)

I configured the app.json with an array including only camera and camera roll permissions.

I also deleted my package-lock.json and node modules and used npm install again.

The new build was, however, also rejected.

Expo-locations was in the new package-lock.json, once it was rebuilt.

What would you suggest?

I believe I also upgraded to sdk39 from maybe 36 or 38(whichever was the most recent build 3 months ago), so maybe there’s something in that, I don’t remember the steps exactly that I took.

1 Like