Distribute and grow

Remove Permissions from your Manifest

Updated: Mar 25, 2025

Determining Permissions Used By Your App

There are many ways to see the permissions requested by your APK. Some are:

Use the aapt.exe program that comes with Android SDK build tools. For instance, the following command outputs all permissions requested by MyAPK.apk: aapt.exe dump permissions C:\path\to\MyAPK.apk

In Android Studio, select File > Profile or Debug APK, and open your desired APK. In the directory tree of your loaded APK, examine AndroidManifest.xml for uses-permission tags.

Upload your APK to the Meta Horizon Developer Dashboard⁠, then examine the list of permissions in Distribution > Builds, under the Details tab.

Removing Unwanted Manifest Permissions

Unity Apps

Option A: Remove Code

Unity will automatically add permissions to the manifest to support relevant systems in your codebase. For example, if your app contains code that polls the microphone, Unity will automatically add the RECORD_AUDIO permission to your manifest -- even if that code doesn’t actually get called at runtime.

To remove these permissions from your manifest, find and remove all code that references related functionality from your codebase.

Option B: Manifest Override

If you can’t find the code responsible, you can request the fields be removed by using an AndroidManifest.xml override.

Create the override file at Assets/Plugins/Android/AndroidManifest.xml as documented in the Unity Android App Manifest⁠ docs.

Add a node="remove" attribute to each permission you wish to remove.

For example:

 <uses-permission android:name="android.permission.WAKE_LOCK" tools:node="remove" />

Verify that the manifest contains the tools namespace:

 <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.yourpackage" xmlns:tools="http://schemas.android.com/tools">

Unreal Apps

Option A: Manifest Additions file

Unreal Engine can use a manifest additions file to remove unwanted permissions:

Go to the Build\Android folder, and then create a new ManifestRequirementsAdditions.txt file containing:

<uses-permission android:name="PERMISSION_NAME" tools:node="remove" />

Replace PERMISSION_NAME with the name of the unwanted Android permission. You can exclude more than one permission by repeating the <uses-permission> element for each unwanted permission.

Example ManifestRequirementsAdditions.txt

<uses-permission android:name="android.permission.CALL_PHONE" tools:node="remove" />
<uses-permission android:name="android.permission.INSTALL_PACKAGES tools:node="remove" />

Option B: Unreal plugin language (C++ only)

If you have a C++ project, you can remove unwanted permissions from your manifest by pointing to an XML file from your PROJECT_NAME.Build.cs file. This technique does not work for Blueprint projects unless you wrap the Blueprint project as a C++ project⁠.

Go to the folder PROJECT_NAME/Source/PROJECT_NAME.

Modify the PROJECT_NAME.Build.cs file so that the last lines resemble the following:

if (Target.Platform == UnrealTargetPlatform.Android
&& Target.Configuration == UnrealTargetConfiguration.Shipping)
{
  var manifest_file = System.IO.Path.Combine(ModuleDirectory,
    "RemovePermissions.xml");
  AdditionalPropertiesForReceipt.Add("AndroidPlugin",
    manifest_file);
}

Create a new RemovePermissions.xml file in the same folder.

<?xml version="1.0" encoding="utf-8"?>
<root xmlns:android="http://schemas.android.com/apk/res/android">
  <androidManifestUpdates>
    <removePermission android:name="PERMISSION_NAME" />
  </androidManifestUpdates>
</root>

Replace PERMISSION_NAME with the name of the unwanted permission. You can exclude additional permissions by adding additional <removePermission> elements.

Example removePermissions.xml

<?xml version="1.0" encoding="utf-8"?>
<root xmlns:android="http://schemas.android.com/apk/res/android">
  <androidManifestUpdates>
    <removePermission android:name="android.permission.READ_EXTERNAL_STORAGE" />
    <removePermission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
    <removePermission android:name="android.permission.WAKE_LOCK" />
  </androidManifestUpdates>
</root>

Removing Unwanted Manifest Permissions From Built APKs

It is possible to remove manifest permissions from an APK after it’s been built.

Although this method works on all APKs, regardless of game engine, this is not the recommended way to remove permissions from your application. This method simply removes permissions requests from the manifest. If an app does require a permission, removing that permission from your manifest will cause your app to function incorrectly, or crash.

However, you can remove any permissions by unpacking your APK, modifying the manifest, and re-packing and re-signing the APK. A Windows Powershell script that performs this behavior is given below.

Note that this script requires additional tools, documented in the header. Review all associated licenses and documentation yourself to ensure these tools fit your usage.

# IMPORTANT: This script requires the Android SDK tools, as well as Java, and APKTool. Make sure you read and understand the licenses for
# those tools before use.
#
# HOW TO USE Remove-APK-Permissions.ps1
# - Ensure Android tools are installed, and that your ANDROID_HOME environment variable points to your Android SDK directory.
# - Ensure APKTool is installed and in your path: https://ibotpeaches.github.io/Apktool/install/
# - Save this file to your hard drive.
# - Launch Powershell
# - Run the following command to load the function into your Powershell environment, or look up how to automatically load custom functions in Powershell:
# PS> Import-Module C:\Path\To\Remove-APK-Permissions.ps1
# - Run the following command to remove permissions from an APK:
# PS> Remove-APK-Permissions -Permissions android.permission.FIRST[,android.permission.SECOND[,android.permission.THIRD...]] -InputAPK C:\Path\to\input.apk [-OutputAPK C:\Path\to\output.apk] [-KeystorePath C:\Path\to.keystore] [-KeystorePassword myPassword]
#
# If OutputAPK isn't specified, we will overwrite InputAPK with the modified APK.
# If KeystorePath and KeystorePassword aren't specified, we'll use Android's debug keystore found at C:\Users\[user]\.android\debug.keystore with password "android"
# NOTE THIS WILL NOT WORK FOR YOUR DISTRIBUTION BUILD. For your distribution build, you'll need the path and password of your release keystore.


function Remove-APK-Permissions {
    param(
        [Parameter(Mandatory)] [string[]] $Permissions,
        [Parameter(Mandatory)] [string] $InputAPK,
        [string] $OutputAPK,
        [string] $KeystorePath,
        [string] $KeystorePassword
    )

    if (-not (Test-Path env:ANDROID_HOME)) {
        Throw "ANDROID_HOME path variable not detected. You need to install the Android SDK."
    }

    # This is where we decode the APK to, before modifying the permissions and then rebuilding
    $DecodedAPKPath = "C:\Users\" + $env:UserName + "\apktool\temp"

    # Some fanciness to find the most recent apksigner.jar
    $ApkSignerPath = $env:ANDROID_HOME + "\build-tools\"
    $MostRecentAPKVer = ls -dir $ApkSignerPath | Sort-Object LastWriteTime -Descending | Select-Object -First 1 Name | foreach {$_.Name}
    $ApkSignerPath += $MostRecentAPKVer + "\lib\apksigner.jar"

    echo "`n`n!!!!!!!!!!!!!!!!!!"
    echo "!! DECODING APK !!"
    echo "!!!!!!!!!!!!!!!!!!`n`n"

    try {
        "`n" |& apktool decode $InputAPK -o $DecodedAPKPath -f #-o = output dir; -f = force (overwrite existing)
    }
    catch {
        Throw "Could not find apktool.bat . Please install ApkTool according to instructions at https://ibotpeaches.github.io/Apktool/install/"
    }

    echo "`n`n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
    echo "!! REMOVING PERMISSIONS IN APK !!"
    echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!`n`n"

    $AndroidManifest = Get-Content $DecodedAPKPath\AndroidManifest.xml
    $AnyPermissionsChanged = $false

    foreach ($Permission in $Permissions) {
        $needle = '<uses-permission android:name="' + $Permission + '"/>'
        if (($AndroidManifest | Select-String -pattern $needle).Matches.Count -ge 1) {
            $AndroidManifest = $AndroidManifest -replace $needle,""
            echo "Removed permission '$Permission'"
            $AnyPermissionsChanged = $true
        }
        else {
            echo "Unable to find permission '$Permission'"
        }
    }

     if ($AnyPermissionsChanged -eq $false) {
        echo "No permissions have been changed, so there's no point in rebuilding the .apk. Quitting..."
        return
    }

    Set-Content -Path $DecodedAPKPath\AndroidManifest.xml -Value $AndroidManifest

    echo "`n`n!!!!!!!!!!!!!!!!!!!!"
    echo "!! REBUILDING APK !!"
    echo "!!!!!!!!!!!!!!!!!!!!"

    if ($OutputAPK -eq "") {
        $OutputAPK = $InputAPK
    }
    echo "Rebuilt apk path: $OutputAPK`n`n"
    "`n" |& apktool build $DecodedAPKPath -o $OutputAPK


    echo "`n`n!!!!!!!!!!!!!!!!!"
    echo "!! SIGNING APK !!"
    echo "!!!!!!!!!!!!!!!!!"

    # Keystore is needed to sign the APK (which is a requirement to install to any device).
    # This default keystore path+pass exists with Android installs, and is super insecure.
    if ($KeystorePath -eq "") {
        $KeystorePath = "C:\Users\" + $env:UserName + "\.android\debug.keystore"
    }
    if ($KeystorePassword -eq "") {
        $KeystorePassword = "android"
    }

    try {
        java -jar $ApkSignerPath sign --ks $KeystorePath --ks-pass pass:$KeystorePassword $OutputAPK
        echo "APK successfully signed using keystore $KeystorePath"
        echo "`n`nSUCCESS! Modified APK is available at $OutputAPK"
    }
    catch {
        Throw "Unable to sign APK: $_"
    }
}

Did you find this page helpful?