Removing the READ_SMS permission on Android for Google Play's new policy

Google Play recently announced a new policy that Android apps should not request the READ_SMS permission amongst others, unless the app acts as a default calling or texting app. The Expo client, standalone apps built with expo build:android, and ExpoKit projects request the READ_SMS permission through SDK 31. This permission was used by the Expo.SMS API to return whether a user sent or canceled a text message through the API, and we have been working on removing it.

If you received an email from Google Play titled, ā€œAction required: Update your app to comply with Google Play Permissions policyā€, continue reading to learn how to update your app.

Timeline

Google has asked for apps to be updated or for an extension to be granted by January 9, 2019. If Google grants you an extension, you will have until Match 9, 2019 to update your app. Instructions on how to update your app are described below.

If you need more time to update your app, you can request an extension through the Permissions Declaration form and on one of the questions, choose ā€œOption 1: Additional Time. Youā€™ll have until March 9, 2019 to remove unapproved SMS / Call Log permissions.ā€.

Updating your app to remove the READ_SMS permission

Apps that donā€™t use the Expo.SMS API

SDK 32: If your app doesnā€™t use the Expo.SMS API, you can rebuild your APK without the permission. The standalone app builders have been updated to produce APKs without this permission. Run expo build:android and submit the new APK to Google Play.

SDK 31 and older: For standalone apps built with expo build:android, set android.permissions to an empty array in your app.json file like so:

{
  "android": {
    "permissions": []
  }
}

Rebuild your app with expo build:android and submit the new APK to Google Play.

For ExpoKit apps, edit app/src/main/AndroidManifest.xml and add the following tag within the existing <manifest> tag:

<uses-permission tools:node="remove" android:name="android.permission.READ_SMS" />

Then build your app and submit the APK.

Apps that use the Expo.SMS API

If your app uses the Expo.SMS API, you can either change your app to not use it on Android and follow the above instructions, or you can upgrade to Expo SDK 32, which will no longer request the READ_SMS permission.

As part of this change, in SDK 32 and beyond, Expo.SMS.sendSMSAsync will return a promise that resolves to { result: 'unknown' } on Android, since without the permission there is no way to know whether the user sent the message.

Until you have had a chance to update your app, we recommend requesting an extension with Google as soon as possible using the Permissions Declaration form. The extension lasts through March 9, 2019.

5 Likes

Hi, I followed this approach:

{
ā€œandroidā€: {
ā€œpermissionsā€:
}
}

and ran expo build:android after then resubmit to google play, but still have the alert ā€œAlert - this app will be impacted by a policy changeā€ shown on my dashboard even after full rollout. Is that expected?

3 Likes

Same. Iā€™ve set only camera and external storage and the alert is still here.

I believe there was a bug in Google Store that caches that information. Are you still seeing the alert?

Thanks for this post. I hadnā€™t noticed it when I opened this thread about the same topic.

As mentioned there, I use import { SMS } from ā€˜expoā€™; to offer my app user the ability to send an SMS using the native android SMS functionality. I do not access or read existing SMSs.

I have tried changing the permission from:
"permissions": ["READ_SMS"]

To:
"permissions": ["SEND_SMS"]

But this breaks the functionality altogether since it doesnā€™t prompt the user to allow SMS permissions.

It is not clear to me in your post if SDK 32 will allow me to add a permission which is strictly to Send SMS. If not, is there an alternative?

This is actually one of the core features of my app which is why I am pretty interested in this topic. Google refused my request to allow READ_SMS, stating: ā€œThe declared feature {Default SMS is allowed; however we determined it to be unnecessary for the core functionality of your app.ā€

Thanks again.

If you use Expo.SMS you will need to wait for SDK 32 to build a version of your APK without the READ_SMS permission. Given the way Android works, the Expo.SMS module needed the READ_SMS permission in order to determine whether the user sent or canceled the message (no messages are ever read).

In SDK 32, Expo.SMS will no longer use the READ_SMS permission. You will be able to send SMS messages. The API will report "unknown" as the sent-or-canceled status on Android as mentioned above.

Makes sense, thanks very much for the clear explanation.

If i need some permissions such as ā€˜READ_EXTERNAL_STORAGEā€™, can i just set in my android permissions

{
ā€œandroidā€: {
ā€œpermissionsā€:  [
      "READ_EXTERNAL_STORAGE",
      "READ_INTERNAL_STORAGE",
  ]
}
}

Iā€™m using standalone apps built with expo
Will it works ?

Iā€™m experiencing as what @raywinarto had. I followed what was instructed but still got that alert from Google. Iā€™m using SDK 31, not sure if itā€™s google bug or expo bug? Please clarify @ide

You can look inside the APK (itā€™s just a zip file) and see whether the manifest contains the READ_SMS permission. If you grep the contents of your unpacked APK and donā€™t find the permission, then it is most likely an issue with Google.

1 Like

Ok, I did what @ide, instructed and cannot find the instance of the text SMS or CALL_LOG. I will file a ticket on Google play about this issue.

thanks @ide

2 Likes

Hi, I am using expokit and i have used the tag in androidmanifest.xml file, but i see READ_SMS permission in shell-app.bundle file . is it possible to delete the asset file and recreate it .

@ide I unzipped the apk and do a search on that folder, found"... SEND_SMS',RECEIVE_SMS:'android.permission.RECEIVE_SMS',READ_SMS:'android.permission.READ_SMS ...' in kernel.android.bundle file, is that expected?

no mention of READ_SMS in manifest though as @iamrommel said

Sorry Iā€™m very new to this Iā€™m not sure what to expect.

Thanks for the prompt reply! :smiley:

I canā€™t find ā€œREAD_SMSā€ in the android manifest and have released the update.

However, (in addition to still having the warning in the developer console) I still see the permission listed in the webpage listing of my app. I have contacted google, but am starting to feel concerned about this.

Can anyone else confirm the have followed the steps but still have the permission appearing on their web listing? (e.g. https://play.google.com/store/apps/details?id=com.thomasdonahoe.santassecretkeeper)

no mention of READ_SMS in manifest

If thereā€™s no READ_SMS permission in the manifest, your app should comply with the new Google Play rules.

1 Like

We updated the standalone app builder for SDK 32; to remove just the READ_SMS permission while keeping the other permissions is to run expo build:android again. You donā€™t need to modify your app.json file at all. (SDK 32 only.)

Will this work for all SDK versions or only the latest? (Iā€™m on SDK 30)

The READ_SMS permission was removed only from the SDK 32 builder. For SDK 31 and older, youā€™ll need to follow the instructions above.

It should work for all SDK versions.

After filing case to Google, they told me to wait for while until the app become live so playstore console site can read the values from published APKs.

I got the same READ_SMS permission issue after the updates on the app and deploy to playstore and iā€™m expecting immediate result, which is not the case. I need to wait until the app became publish to site can read the value from publish APKs.

Now i donā€™t have that warning.