Our Android Manifest doesn't have any permissions for SMS. We did till 4 releases back. But the Playstore still prompts us to fill in the declaration for sensitive permissions by saying the following -

Previously declared permissions (3 permissions)

android.permission.RECEIVE_SMS

android.permission.SEND_SMS

android.permission.READ_SMS

Could this be coming due to a library that we're using which still requires these permissions? How can we avoid this?

Our Manifest has the following permissions:

    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.ACCESS_PHONE_SUB_INFO" />
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
    <uses-permission android:name="android.permission.CHANGE_WIFI_STATE" />
    <uses-permission android:name="android.permission.WAKE_LOCK" />
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
    <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT" />
    <uses-permission android:name="com.android.launcher.permission.UNINSTALL_SHORTCUT" />
    <uses-permission android:name="android.permission.GET_ACCOUNTS" />

How we solved it:

1) Figured out whether our merged manifest has permissions that don't fall within the Policy. We followed this article which led us to look at the merged Manifest file here: app/build/intermediates/manifests/full/debug/AndroidManifest.xml.

2) We identified which dependency had added the permissions by looking into the logs: app/build/outputs/logs/manifest-merger-debug-report.txt

3) We found that there were 3 permissions present in our Manifest file: android.permission.READ_SMS,android.permission.SEND_SMS, android.permission.RECEIVE_SMS.

4) To remove them, in our AndroidManifest.xml, we added:

<uses-permission android:name="android.permission.READ_SMS" tools:node="remove" />
<uses-permission android:name="android.permission.SEND_SMS" tools:node="remove" />
<uses-permission android:name="android.permission.RECEIVE_SMS" tools:node="remove" />

5) We updated all of the dependencies versions

6) Pushed the APK with all these removed permissions into all the tracks open on our Google Play Console (Internal test track, Alpha, Beta and Production).

Within 12 hours the warning was removed.