So we were about to submit our app for review but we were stopped by Google's new requirement for apps targeting Android 13 and above, which basically tells developers to disclose the purpose of AD_ID permission in their app. The thing is, our app doesn't declare the AD_ID permission explicitly, but it turns out some play-services lib or Firebase uses it and thus, it has been merged to our app's manifest.

So I found some solutions so that a permission declared by a library will not be merged to an app's manifest, but my fear is that our app's functionality that depends on Firebase might stop working. Has anyone faced this situation?

If you've disabled collection already, removing the AD_ID permission is unlikely to cause problems. See: https://github.com/firebase/firebase-android-sdk/issues/2582

Disable collection:

<meta-data android:name="google_analytics_adid_collection_enabled" android:value="false" />

Remove permission:

<uses-permission android:name="com.google.android.gms.permission.AD_ID" tools:node="remove" />