Play Install Referrer Library Adding WRITE_EXTERNAL_STORAGE and READ_EXTERNAL_STORAGE permissions

Install referrer adds this permission due to the fact that the targetSdkVersion is a value lower than the version in which the restriction was added. If you take a look at the generated manifest-merger-report in the build folder of your app, you can see this information:

uses-permission#android.permission.READ_PHONE_STATE
IMPLIED from android/app/src/main/AndroidManifest.xml:1:1-130:12 reason: com.android.installreferrer has a targetSdkVersion < 4

Information on how this implicit system permission works on Android can be found in this documentation: https://developer.android.com/studio/build/manifest-merge#inspect_the_merged_manifest_and_find_conflicts


Quoting from this answer (and completing):

Versions 1.1 and 1.1.1 are missing "minSdkVersion". This would automatically add those permissions (because the default SDK is < 4, as said by @thiagolr). See similar issue here: Google Play Services 12.0.1.

Solution

Version 1.1.2 solves this issue.

Details

Manifest.xml for v1.0 (from https://mvnrepository.com/artifact/com.android.installreferrer/installreferrer/1.0)

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.android.installreferrer" >

    <uses-sdk
        android:minSdkVersion="8"
        android:targetSdkVersion="22" />

    <uses-permission android:name="com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE" />

    <application />

</manifest>

Manifest.xml for v1.1 (from https://mvnrepository.com/artifact/com.android.installreferrer/installreferrer/1.1)

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.android.installreferrer">

    <uses-permission android:name="com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE" />

    <application />

</manifest>
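
An added example, not part of the answer above and not code from the library or the build tools: a check that reads a dependency's manifest and reports which permissions the merger would imply for it. The function names are hypothetical, the permission list is limited to the three this page reports, and the fallback of targetSdkVersion to minSdkVersion and then to 1 is assumed from Android's documented defaults.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Permissions this page reports being implied when a library targets SDK < 4.
IMPLIED_BELOW_SDK_4 = [
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_PHONE_STATE",
]
# The two library manifests quoted above (XML declaration dropped).
MANIFEST_V1_0 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.android.installreferrer">
    <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="22" />
    <uses-permission android:name="com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE" />
    <application />
</manifest>"""
MANIFEST_V1_1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.android.installreferrer">
    <uses-permission android:name="com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE" />
    <application />
</manifest>"""


def effective_target_sdk(root):
    """Return the target SDK the merger sees: target, else min, else 1."""
    sdk = root.find("uses-sdk")
    if sdk is None:
        return 1
    min_sdk = sdk.get(ANDROID + "minSdkVersion", "1")
    target = sdk.get(ANDROID + "targetSdkVersion", min_sdk)
    # Non-numeric values are preview codenames; treat them as newer than any level.
    return int(target) if target.isdigit() else 10000


def implied_permissions(manifest_xml):
    """List permissions that would be implied for this library manifest."""
    root = ET.fromstring(manifest_xml)
    declared = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    if effective_target_sdk(root) >= 4:
        return []
    return sorted(p for p in IMPLIED_BELOW_SDK_4 if p not in declared)


if __name__ == "__main__":
    for label, xml in (("v1.0", MANIFEST_V1_0), ("v1.1", MANIFEST_V1_1)):
        print(label, implied_permissions(xml) or "no implied permissions")
```

Run against each dependency's extracted AndroidManifest.xml, this flags a library before its implied permissions reach the merged manifest.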

I've also come across this issue.

But in my case, the 1.1 version is also adding the READ_PHONE_STATE permission

<uses-permission android:name="android.permission.READ_PHONE_STATE"/>

I've decompiled the .aar file for installreferrer:1.1 and checked the manifest and pom file; there is nothing in those files to indicate that these permissions should be added.
The library manifest file only adds this permission (which it has always had in previous versions):

<uses-permission android:name="com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE"/>

I haven't been able to find any official information regarding this.
But other Google libraries have had issues in the past with adding additional, unneeded, permissions, which have then been removed in a hotfix version shortly after.
For example, this:
Why has the READ_PHONE_STATE permission been added?

So I hope the same is gonna happen here.