We use this SDK within our app. It’s imported as its own module, and is packaged as a .AAR file. Last year, our app was removed from the Play Store multiple times for uploading contact information without displaying a prominent disclosure. This SDK was to blame for some of these removals. Our response was to remove all contact-related features from our app and to remove the READ_CONTACTS permission in both our app’s AndroidManifest and the SDK’s AndroidManifest. However, now we’re reimplementing these contact-related features, so we can’t remove this permission in our app’s AndroidManifest any more. We need our app to have this permission, but the SDK must not have it.
My question is this: if our app has READ_CONTACTS permission, does that also grant this permission to the SDK? Or does the SDK’s AndroidManifest need to explicitly include the READ_CONTACTS permission in order to be able to use it?
>Solution :
We need our app to have this permission, but the SDK must not have it.
That is not a thing, sorry.
if our app has READ_CONTACTS permission, does that also grant this permission to SDK?
Yes. There is no difference between a library and code that you typed in yourself.