Android Auto-Revoke: Why Unused Apps Lose Permissions

Mobile privacy is often seen as a constant battle of manual checking, but one of the most effective tools in your arsenal is actually fully automated. Android auto-revoke is a system-level feature designed to act as a safety net for your data by stripping permissions from apps you no longer use. I have tested this across several devices running Android 13, 14, and the latest Android 15 betas, and the results are consistent: if you haven't opened an app in three months, the system steps in to cut off its access to your camera, microphone, location, and files. This prevents "zombie apps" from running in the background and collecting data long after they have served their purpose.

While the feature is enabled by default for most applications, understanding how it operates—and why it sometimes fails to trigger—is essential for any privacy-conscious user. In this guide, I will break down the mechanics of the "Permissions auto-reset" system, how it interacts with the newer "App Hibernation" feature introduced in Android 12 and refined in Android 14, and the specific ways Samsung and Xiaomi have tweaked these settings. By the end of this article, you will know exactly how to audit your device to ensure that your most sensitive data is not being leaked by forgotten software.

How auto-revoke decides

The logic behind Android auto-revoke is governed by a background system service that monitors app interaction timestamps. On a standard Pixel running Android 14, the typical threshold is 90 days of inactivity. When the system detects that an app has not been launched in the foreground for this duration, it triggers a "reset" event. It is important to note that "background activity" does not count as usage. If an app is simply syncing data or sending notifications but you haven't actually opened it, the system still considers it unused. This is a deliberate privacy choice by Google to ensure that users are consciously interacting with the tools that have access to their private information.

In Android 13 and 14, the revocation is comprehensive. It targets "dangerous" permissions, which include your camera, microphone, contacts, call logs, SMS, and precise location. When the timer hits the limit, the system silently revokes these rights and places the app in a restricted state. On your next launch of that app, you will see a system dialogue explaining that permissions were removed for your protection. You can find the summary of these actions by going to Settings > Security & privacy > Privacy > Auto-reset permissions (on Pixel) or Settings > Apps > Unused apps on older builds. In Android 15, this logic remains largely the same, though the UI creates a more prominent "Privacy Dashboard" entry to show you exactly which apps were stripped of their access in the trailing 24 hours.

The system also considers the installation source. Apps installed via the Google Play Store are almost always subject to these rules unless they are system-critical. However, on older versions of Android (specifically Android 6 through 10), this feature didn't exist natively in the OS. Google eventually backported a version of this via Google Play Services. If you are using an older device, you can verify this by going to Settings > Google > Settings for Google apps > Connected apps. For modern devices running Android 11 or higher, the feature is baked directly into the OS kernel, making it much harder for malicious apps to bypass the restriction by simply staying active in the background cache.

Apps that opt out and why

Not every app is treated equally by the auto-revoke system. Developers have the ability to request an exemption from the user if the app’s primary function relies on background consistency. For example, an app like Tasker, which automates phone functions, or a dedicated security app like a password manager or an anti-theft tracker, would be useless if its permissions were revoked after a few months of silence. These apps will often prompt you during the initial setup with a system-level toggle that says "Disable permission monitoring" or "Keep permissions if app is unused."

You can see which apps have successfully opted out by navigating to Settings > Security & privacy > Privacy > Permission manager. If you click into a specific permission, like "Location," and scroll to the bottom, you might see a section for apps that are "not allowed to be automatically revoked." From my testing on a Pixel 8 Pro, the system is quite stingy with these exemptions. Even if an app requests it, Android 14 often denies the request unless the developer has specifically flagged the app as a "Accessibility Service" or a "Device Admin." This prevents social media or shopping apps from sneakily staying "active" to continue data harvesting without your input.

Another reason an app might opt out is if it is a pre-installed system app. On Xiaomi HyperOS and Samsung One UI 6.1, many "core" apps—like the proprietary Gallery, Calendar, or System UI—are exempt from auto-revoke. This makes sense from a stability perspective, as revoking the "Files and Media" permission from the system launcher could effectively brick the usability of your home screen. However, for any third-party app you have downloaded, you have the final say. If you find an app that has opted itself out of auto-revoke without a clear reason, I recommend 1. Long-pressing the app icon, 2. Tapping the "i" or "App info" button, 3. Selecting "Permissions," and 4. Ensuring the "Remove permissions if app is unused" toggle is switched ON.

App hibernation explained

While auto-revoke handles the privacy side by pulling permissions, Android 12 introduced "App Hibernation" to handle the performance side. On Android 13, 14, and 15, these two features work in tandem. When an app is unused for a long period, the system doesn't just take away its permissions; it effectively puts the app into a deep sleep. This process involves 1. Revoking all permissions, 2. Clearing temporary files and cache to free up storage, and 3. Stopping the app from sending notifications or running background tasks. This is particularly useful for those "travel" or "holiday" apps that you only use once a year.

Hibernation is a more aggressive state than mere permission revocation. On my testing devices, hibernated apps show a unique status in the App Info page. If you look at an app that has been hibernated, you will see that its storage usage has decreased significantly. This is because the OS deletes the "Oat" files (compiled code) associated with the app. Don't worry, your user data and login sessions are usually preserved; the system just removes the auxiliary files that can be easily re-downloaded or re-generated when you next open the app. This is a brilliant way to manage both privacy and device longevity on phones with limited 128GB storage.

In Android 14, the hibernation logic is even more sophisticated. It uses "Advanced Battery Optimization" to decide when an app should enter this state. If the OS notes that an app is consuming significant battery in the background and hasn't been opened in 45 days (half the standard 90-day window), it may pre-emptively suggest hibernation via a system notification. You can manage this by going to Settings > Apps > Unused apps. Here, Android provides a list of everything it has "put to sleep." You can either leave them be, or if you realise you truly don't need the app, this screen provides a one-tap solution to uninstall the app entirely, which is the ultimate privacy win.

Samsung and Xiaomi behaviour

If you are using a Samsung Galaxy device with One UI 6 or 7, the path is slightly different because Samsung integrates these features into their "Device Care" suite. On a Galaxy S23 or S24, navigate to Settings > Apps > Choose an app > App permissions. At the bottom, you will see "Remove permissions if app is unused." Samsung also has a "Deep sleeping apps" category under Settings > Battery > Background usage limits. These are apps that Galaxy users have manually or automatically restricted. In Samsung’s ecosystem, an app that is "Deep Sleeping" almost always has its permissions revoked as well, but the UI focuses more on battery saving than the explicit "Privacy" branding Google uses.

Xiaomi’s HyperOS (the successor to MIUI) takes a more aggressive, and sometimes confusing, approach. Xiaomi’s "Security" app often overrides the native Android settings. To find auto-revoke settings on a Xiaomi device, go to Settings > Privacy > Permission manager, but you should also check the "Security" app > Privacy > Special permissions. I have noticed on the Xiaomi 14 that the system tends to kill background processes much earlier than the 90-day Android standard, meaning apps might lose their ability to send notifications long before the permissions are officially revoked. If you are a Xiaomi user, you must manually ensure that "Auto-start" is disabled for apps you want the system to manage, as the "Auto-start" toggle can sometimes interfere with the OS’s ability to hibernate the app correctly.

The main difference between Pixel (stock) and OEM versions like One UI is the notification frequency. Pixels are quite vocal when they revoke permissions, giving you a clear notification to review the changes. Samsung tends to bundle these updates into a weekly or monthly "Device Care" report. If you use a Samsung device, I recommend 1. Opening Settings, 2. Searching for "Auto-optimize," and 3. Ensuring that "Restart when needed" is on. This regular reboot helps the system index which apps are actually in use and triggers the auto-revoke / hibernation script more reliably than if the phone stays on for months at a time.

Manually managing it

You do not have to wait 90 days for the system to act; you can take manual control of the auto-revoke status for any app. This is particularly useful for banking apps or social media where you want to ensure that if you ever stop using the service, your data access is cut off immediately. To audit this, follow these steps: 1. Open Settings and go to "Apps." 2. Tap "See all apps" and select a specific app. 3. Tap "Permissions." 4. Look for the toggle "Remove permissions if app is unused" and ensure it is enabled. I suggest doing this for every app that has access to your "Location" or "Microphone" as a matter of routine.

In Android 15, Google has introduced a new "Private Space" feature, which is like a digital vault for sensitive apps. Apps placed inside Private Space have their own separate auto-revoke timers. If the Private Space is locked and not accessed for a set period, the system treats all apps inside it as "unused" much faster than the standard 90-day window. This is a massive improvement for those who store sensitive work or health apps on their device. To manage this in the future, you will look under Settings > Security & privacy > Private Space > Protection settings.

Conversely, if you have an app that keeps losing its permissions and it’s annoying you—perhaps a weather app that needs your location to update a widget—you can manually exempt it. Follow the same path: 1. Settings > Apps > [Your App] > Permissions, and then 2. Toggle "Remove permissions if app is unused" to the OFF position. Just be aware that by doing this, you are telling Android to trust this app indefinitely, even if you don't open it for a year. Only do this for apps from developers you trust implicitly and that provide a vital background service that you rely on daily.

Verifying it worked

The easiest way to verify that the auto-revoke system is functioning is to check the "Unused apps" dashboard. In Android 14, navigate to Settings > Apps > Unused apps. This screen is a graveyard of apps the system has managed for you. It will show a list of apps that have had their permissions revoked and were placed in hibernation. If this list is empty, it either means you use all your apps regularly (at least once every three months) or the feature is disabled. On Samsung devices, the equivalent is found in Settings > Security and privacy > Privacy > Permissions used in the last 24 hours (tapping "See all" shows the history of revocations).

Another verification method is to check the "Privacy Dashboard." This feature, found in Settings > Security & privacy > Privacy > Privacy Dashboard, shows a 24-hour timeline of which apps accessed what permissions. If you see an app in your drawer that you haven't opened in months, but it *doesn't* appear in the "Unused apps" list and *does* appear in the Privacy Dashboard, it means the app has found a way to stay active in the background. In this case, you should 1. Force stop the app, 2. Clear its cache, and 3. Manually toggle the "Remove permissions" switch to ensure the system handles it correctly moving forward.

As we look toward the wider release of Android 15, the "auto-revoke" system is becoming even more integrated with "Google Play Protect." The system will now not only revoke permissions for unused apps but also for apps that Google identifies as "potentially harmful" via cloud scanning, even if you use them every day. This shift from "usage-based" revocation to "safety-based" revocation marks the next evolution of Android privacy. Staying on top of these settings ensures that your smartphone remains a tool for your benefit, rather than a silent witness for third-party advertisers and data brokers.