Remove unwanted permissions from Expo app

Asked 18/5, 2022 at 8:21 Answered 9/6, 2023 at 7:19

Solved android react-native expo google-play

I developed an Expo app (managed) and generated the Android binary using EAS. After submitting the binary for internal testing, I see many dangerous unwanted permissions on the Google Play store.

The worse ones are "Camera: take pictures" and "Microphone: record audio." These scare away anyone concerned with privacy.

My app doesn't access the camera or the microphone, and I have no idea how these permissions got there.

I found questions related to React-Native and Android development, and their solution is to edit the AndroidManifest.xml. This solution is not compatible with my case, a Managed Expo environment. And no, I'm not ejecting the app.

PS: There are similar questions to this, but none related to Managed Expo environments - they are all about Android or React Native. Not the same thing.

Disbursement answered 18/5, 2022 at 8:21 Comment(3)

Where is this screen shot from? I can't find what permissions my app is requesting. – Housley 4/7, 2022 at 13:21

@Housley The screenshot is from Google Play. I built the app with the eas command, publish the binary to Google Play (as internal testing, not visible to the general public), and then I could see my app on Google Play, which shows the permissions info. – Disbursement 5/7, 2022 at 13:42

Ah yes! It doesn't show up in the Play app on android, but it does on the web play store. Thanks! – Housley 5/7, 2022 at 15:18

Short answer:

On SDK 45+, use blockedPermissions to remove unwanted permissions:

"android": {
  // ...
  "blockedPermissions": [
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA"
  ]
}

On SDK 44-, use permissions: []. This will not work on EAS builds though, you have to use Classic builds (retired in Jan 2023):

"android": {
  // ...
  "permissions": []
}

Long Answer

It happens that Expo automatically includes lots of permissions by default: camera access, microphone recording, read and write external storage, etc.

In the past, with Clasic Builds (retired in Jan 2023), the solution was to include a permissions key on app.json to remove permissions.

For example, to remove them all, we used to do this: "permissions": [].

The Classic builds were replaced by EAS builds, and they changed the behavior of permissions.

On EAS builds, you have to use blockedPermissions instead. But this keyword is only available on SDK 45+.

From Expo Github:

The permissions key works differently in classic builds vs EAS Build. on EAS Build, permissions is just for adding permissions, it doesn't remove any. blockedPermissions is only supported on EAS Build and SDK 45+ also.

Disbursement answered 18/5, 2022 at 10:56 Comment(2)

Thanks for this answer. How can I actually see what permissions are requested for my app? – Housley 4/7, 2022 at 13:20

@Housley They are on the AndroidManifest.xml file. To get this file, you need to eject from Expo. If you don't want to eject, just do a copy of your folder and run eject on this copy. – Disbursement 5/7, 2022 at 15:57

To use ONLY the following minimum necessary permissions and none of the extras supported by Expo in a default managed app, set permissions to []. The minimum necessary permissions do not require a Privacy Policy when uploading to Google Play Store and are: • receive data from Internet • view network connections • full network access • change your audio settings • prevent device from sleeping To use ALL permissions supported by Expo by default, do not specify the permissions key. To use the minimum necessary permissions ALONG with certain additional permissions, specify those extras in permissions, e.g. [ "CAMERA", "ACCESS_FINE_LOCATION" ].

Thats why you have extra permissions, you can read about it here

Asomatous answered 18/5, 2022 at 8:24 Comment(3)

Thanks, Mehdi. I added permissions: [] to my app.json#expo.android, compiled it again, but still shows CAMERA and RECORD_AUDIO permissions. I even ran a expo run:android and looked into the generated AndroidManifest.xml and these permissions are still there. :/ – Disbursement 18/5, 2022 at 10:19

I found a solution! I added blockedPermissions along with "permissions". It happens that some libraries ("expo-av" and "sentry-expo") were automatically adding these extra permissions. With "blockedPermissions" I was able to force Expo to remove them. Thanks again, Mehdi, for taking some time to help me with this. – Disbursement 18/5, 2022 at 11:1

oh, nice, thanks! and well done debugging! :) – Asomatous 18/5, 2022 at 12:2

It may be a late answer. But can we also use this option as well.

<manifest xmlns:android="http://schemas.android.com/apk/res/android"
xmlns:tools="http://schemas.android.com/tools"
package="">

<uses-permission
    android:name="android.permission.WAKE_LOCK"
    tools:node="remove" />

Pedrick answered 9/6, 2023 at 7:19 Comment(0)

Short answer:

Long Answer

Recommended topics

Hot tags