How to Get Android Restricted Permissions Approved on Google Play

Accessibility, SMS, background location and All Files Access need a Play Console Permissions Declaration before you can publish. Here is how it works.

Timothy Lindblom

Founder, Newly

May 2026|10 min read

Google Play treats a set of permissions as high-risk or sensitive. When your app requests one, Play Console makes you justify it through a Permissions Declaration and, in most cases, get approval before the app or any update can publish. Unlike Apple’s per-entitlement request forms, this all happens inside Play Console — and it is triggered automatically the moment a sensitive permission appears in your uploaded app bundle, even if a library added it for you.

Complete this in Play Console

Google Play — Declare permissions and the Permissions Declaration Form

Open form

Key Takeaways

The declaration lives in Play Console under App content → Sensitive app permissions.
It is triggered by the permission appearing in your compiled manifest — audit transitive ones.
Google wants a core-functionality justification and usually a video demonstration.
Without an approved declaration you cannot publish, and a live app can be removed.

Restricted Permissions at a Glance

Console

Declaration form

Core use

Must be essential

Up to weeks

Extended review

Video

Often required

What This Entitlement Is

A restricted permission is one Google has classified as accessing sensitive information or powerful device capabilities — AccessibilityService, SMS/Call Log, background location, All Files Access (MANAGE_EXTERNAL_STORAGE), exact alarms, broad photo/video access, package visibility (QUERY_ALL_PACKAGES) and Health Connect data. For each, you complete the Permissions Declaration Form in Play Console, explaining why it is core to your app and why a privacy-friendlier alternative will not work.

Entitlement & config keys

BIND_ACCESSIBILITY_SERVICE (accessibility)
READ_SMS / SEND_SMS / READ_CALL_LOG (SMS & Call Log)
ACCESS_BACKGROUND_LOCATION (background location)
MANAGE_EXTERNAL_STORAGE (All Files Access)
QUERY_ALL_PACKAGES, USE_EXACT_ALARM, READ_MEDIA_IMAGES/VIDEO

Who Needs It

Accessibility-driven apps

Apps using the accessibility API. Genuine accessibility tools are exempt; any other use needs a declaration, disclosure and consent.

SMS / Call Log apps

Default SMS/phone handlers, or narrow approved exceptions like caller-ID and backup. Always requires a declaration.

Background location apps

Apps that need location while backgrounded — must be core functionality, never ads or analytics alone.

All Files Access apps

File managers and similar apps where the Storage Access Framework or MediaStore cannot serve the core function.

How to Complete the Declaration

1
Audit your compiled manifest
Check the merged AndroidManifest (or expo prebuild output) for sensitive permissions — including ones a library or config plugin pulled in transitively.
2
Open the declaration in Play Console
Go to App content → Sensitive app permissions / the Permissions Declaration Form. It also surfaces automatically during a release that requests an undeclared sensitive permission.
3
Select the core use case and justify it
Choose the supported use case and explain why the permission is essential to your app’s primary, user-facing purpose — and why a privacy-friendlier alternative will not work.
4
Provide a video demonstration
Add a short video (YouTube link or upload) showing the permission in use, plus test instructions or a test account if the feature is gated.
5
Submit and wait for extended review
Roll out the release; the app enters extended review / pending publication until the declaration is approved.

What Google Play Evaluates

Whether the permission is core to the app’s primary, user-facing functionality.
Whether a privacy-friendlier alternative (SAF, photo picker, SMS Retriever, targeted <queries>) would work.
That the demonstration video and test instructions let a reviewer reach the feature.
That the data is not used for advertising, analytics monetization, sale or undisclosed behavior.

Timeline. After you submit the form and roll out, the app enters extended review and sits in pending publication — Google says this can take up to several weeks. Once approved, the declaration is tied to the app and you generally do not re-declare unless the usage changes. If you do not declare (or fail review), you cannot publish updates, and a non-compliant live app can be rejected or removed.

Common Reasons It Gets Rejected

Not core functionality

The permission powers a secondary feature, or a privacy-friendlier API exists — for example using READ_SMS for OTP instead of the SMS Retriever API.

How to avoid it: Use the recommended alternative where one exists, and reserve the permission for genuinely core flows.

Weak demonstration

A missing or unclear video, broken test credentials, or instructions that do not reach the feature.

How to avoid it: Record a clear walkthrough of the permission in use and supply working test access.

Prohibited purpose

Using the data for ads, analytics monetization, data sale, call recording, or (for SMS/Call Log) without being the default handler.

How to avoid it: Restrict use to the disclosed core feature and meet the default-handler requirement where it applies.

Adding It in Newly

Newly builds real native apps, so the capability goes into your app exactly the way it would in a hand-written project — you just describe it instead of editing config files.

1Describe the feature, e.g. "track runs with background location" or "let users manage all their files."
2Newly adds the matching Android permissions to your app config; they merge into the AndroidManifest at build time.
3Review the generated manifest so you know exactly which sensitive permissions you are shipping.
4Build the AAB, upload to Play Console, and complete the Permissions Declaration before rolling out.

For the full deployment flow, see the permissions & entitlements guide in the Newly docs.

Frequently Asked Questions

Where do I declare restricted permissions?

Inside Google Play Console, under App content → Sensitive app permissions / the Permissions Declaration Form. There is no standalone web form — it surfaces during the release process whenever an uploaded bundle requests an undeclared sensitive permission.

A library added a permission I did not ask for — does that still need a declaration?

Yes. The declaration is triggered by the permission appearing in your compiled manifest, regardless of whether you added it or a dependency/config plugin pulled it in. Always audit the merged manifest before submitting.

How long does approval take?

After submitting the declaration and rolling out, the release enters extended review and can sit in pending publication for up to several weeks. Plan submissions with that buffer in mind.

What happens if I skip the declaration?

You cannot publish the update, and a live app that violates the policy can be rejected or removed from Google Play, with notices sent to the account owner.

Ship a Android Restricted Permissions app without fighting the native config

Describe the feature and Newly wires up the entitlement keys, Info.plist / manifest entries and native modules for you — then builds and submits to the App Store and Google Play. You still file the approval yourself, but the build is ready the moment it's granted.

Start Building Your App →

Sources & Further Reading

Official Google documentation for the Android Restricted Permissions capability. Always confirm the current requirements against these pages before you apply.