Apple Privacy Nutrition Labels (introduced iOS 14) and Google Play Data Safety (required since 2022) are public-facing disclosures that users read before installing. A privacy label that lists a permission the app does not use — or omits a permission the app does use — is a misrepresentation that App Store and Play Store reviewers actively check. Under GDPR Art. 13, the information provided to users must be accurate and complete at the time of collection; a label that claims the app does not access location while the app requests location permission is a false disclosure. Google Play explicitly states that apps with inaccurate Data Safety forms may have their updates rejected or listings suspended. Phantom permissions (declared but unused) also appear on the store listing and reduce install conversion.
Low because the privacy label is a disclosure rather than a data collection mechanism, but inaccurate labels are grounds for Play Store suspension and GDPR Art. 13 false-disclosure findings.
Cross-reference your app.json permissions array, ios/PrivacyInfo.xcprivacy, and your Google Play Data Safety form against the list of permissions actively used in code. Remove any permission not tied to an active feature.
{
  "expo": {
    "ios": {
      "infoPlist": {
        "NSCameraUsageDescription": "Video calls require camera access",
        "NSMicrophoneUsageDescription": "Voice and video calls require microphone access"
      }
    },
    "android": {
      "permissions": [
        "android.permission.CAMERA",
        "android.permission.RECORD_AUDIO"
      ]
    }
  }
}
For the Google Play Data Safety form, use the Data Safety section guide to enumerate data types per SDK. Update both the form and your ios/PrivacyInfo.xcprivacy every time you add or remove an SDK that accesses user data. A mismatch between the manifest and the form is the most common Data Safety rejection cause.
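The cross-reference of app.json against code described above can be partly automated. The following is an added example, not part of the original checklist or of any Expo tooling: it covers app.json only (not PrivacyInfo.xcprivacy or the Data Safety form), and the FEATURES table, the function names and the import-based notion of "used" are assumptions made for illustration.

```javascript
// Added example: heuristic audit of declared vs. used permissions in an Expo app.
// ASSUMPTION: a feature is "used" when one of its Expo modules is imported.
const FEATURES = {
  camera: { modules: ["expo-camera"],
    ids: ["android.permission.CAMERA", "NSCameraUsageDescription"] },
  microphone: { modules: ["expo-av"],
    ids: ["android.permission.RECORD_AUDIO", "NSMicrophoneUsageDescription"] },
  location: { modules: ["expo-location"],
    ids: ["android.permission.ACCESS_FINE_LOCATION", "NSLocationWhenInUseUsageDescription"] },
};

// Collect every permission identifier declared in a parsed app.json.
function declaredPermissions(appJson) {
  const expo = appJson.expo || {};
  const android = (expo.android && expo.android.permissions) || [];
  const ios = Object.keys((expo.ios && expo.ios.infoPlist) || {})
    .filter((key) => /^NS\w+UsageDescription$/.test(key));
  return new Set([...android, ...ios]);
}

// sources maps file path -> file contents.
function auditPermissions(appJson, sources) {
  const declared = declaredPermissions(appJson);
  const code = Object.values(sources).join("\n");
  const imported = (mod) =>
    new RegExp(`(from\\s+|require\\(|import\\()\\s*["']${mod}["']`).test(code);
  const phantom = [], undeclared = [];
  for (const [feature, { modules, ids }] of Object.entries(FEATURES)) {
    const used = modules.some(imported);
    for (const permission of ids) {
      if (declared.has(permission) && !used) phantom.push({ feature, permission });
      if (!declared.has(permission) && used) undeclared.push({ feature, permission });
    }
  }
  // Declared permissions missing from the table need manual review.
  const known = new Set(Object.values(FEATURES).flatMap((f) => f.ids));
  const unmapped = [...declared].filter((p) => !known.has(p));
  return { phantom, undeclared, unmapped };
}
// Constructed sample input, not taken from a real project.
const sampleAppJson = { expo: {
  ios: { infoPlist: { NSCameraUsageDescription: "Video calls require camera access",
    NSLocationWhenInUseUsageDescription: "Find nearby contacts" } },
  android: { permissions: ["android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION"] },
} };
const sampleSources = { "src/Call.js":
  'import { Camera } from "expo-camera";\nimport { Audio } from "expo-av";' };
console.log(JSON.stringify(auditPermissions(sampleAppJson, sampleSources), null, 2));
```

On the sample input the location entries are reported as phantom and the microphone entries as undeclared. Import matching is a heuristic, so confirm each finding against the built manifest before changing a store disclosure.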
ID: mobile-permissions-privacy.graceful-degradation.app-store-privacy-label
Severity: low
What to look for: List all permissions declared in app.json and PrivacyInfo.xcprivacy. Compare against the permissions actually used by the app's features. For each declared permission, classify whether it matches an active feature.
Pass criteria: Privacy label metadata (iOS PrivacyInfo.xcprivacy, Android manifest permissions) accurately reflects 100% of the app's actual permission usage. No phantom permissions declared for unused features.
Fail criteria: App metadata declares permissions the app doesn't actually use, or hides permissions the app does use. Privacy label is missing or inaccurate.
Skip (N/A) when: App is not published to app stores and is development-only (no release build configuration).
Detail on fail: Quote the mismatched permission, for example "No privacy label visible on app store listing" or "Privacy label lists camera permission but app has no camera feature".
Remediation: Ensure your privacy manifest and app metadata accurately reflect your app's permission usage. In app.json:
{
  "expo": {
    "ios": {
      "infoPlist": {
        "NSCameraUsageDescription": "Camera needed for video calls",
        "NSMicrophoneUsageDescription": "Microphone needed for voice and video calls"
      }
    },
    "android": {
      "permissions": [
        "android.permission.CAMERA",
        "android.permission.RECORD_AUDIO"
      ]
    }
  }
}