Capacitor: App rejected for referencing (while not using) APIs that access sensitive user data
Description of the problem:
It seems that @capacitor/core code references APIs that access sensitive user data. In this case it's the photo library.
I'm not calling any of the functions that request authorisation to use the API, but it seems that apple will now check the code up front and if you reference any of these sensitive API's which capacitor does with its native plugin core the will reject it with a warning.
ITMS-90683: Missing Purpose String in Info.plist - Your app's code references one or more APIs that access sensitive user data. The app's Info.plist file should contain a NSPhotoLibraryUsageDescription key with a user-facing purpose string explaining clearly and completely why your app needs the data. Starting Spring 2019, all apps submitted to the App Store that access user data are required to include a purpose string. If you're using external libraries or SDKs, they may reference APIs that require a purpose string. While your app might not use these APIs, a purpose string is still required. You can contact the developer of the library or SDK and request they release a version of their code that doesn't contain the APIs. Learn more (https://developer.apple.com/documentation/uikit/core_app/protecting_the_user_s_privacy).
example in Camera.swift
func showCamera(_ call: CAPPluginCall) {
...
AVCaptureDevice.requestAccess(for: .video) { granted in
Affected platform
- [ ] Android
- [ x] iOS
- [ ] electron
- [ ] web
OS of the development machine
- [ ] Windows
- [x ] macOS
- [ ] linux
Other information:
Capacitor version:
1.2.0
node version:
v10.16.1
npm version:
6.9.0
CocoaPods version:
1.7.5
Steps to reproduce:
Remove unused privacy explanation keys in Info.plist for those API's you never call and upload to app store for a testflight.
For now I will place dummys as a workaround, but I think the core could potentially be split into modules that we can install when needed instead of having all the privacy API's up front.
chrene
All 4 comments
Did you remove those keys from Info.plist yourself?
In the documentation there is some description about this requirement: https://capacitor.ionicframework.com/docs/ios/configuration#managing-permissions
naranjamecanica
on 17 Sep 2019
@naranjamecanica yes I removed them since I don't use them nor intend to. One workaround is to put in some dummy values, but I think it would be better if you can opt out of the ones you done use. It's more clean in my opinion.
chrene
on 18 Sep 2019
Since Apple scans the code and Capacitor ships with all the plugins, it will detect that the code is present despite your app doesn't use any of those features.
The only solution would be to take the plugins out of Capacitor, not sure if that's going to happen in short therm.
jcesarmobile
on 23 Jan 2020
@chrene can you elaborate on "put in some dummy values"? As in dummy values in the 'Value' section of the respective key?
aaronwJordan
on 18 Jun 2020
Related issues
peterpeterparker
路
3Comments
Kepro
路
3Comments
moberwasserlechner
路
3Comments
daniel-lucas-silva
路
3Comments
TayKara
路
3Comments
Most helpful comment
@naranjamecanica yes I removed them since I don't use them nor intend to. One workaround is to put in some dummy values, but I think it would be better if you can opt out of the ones you done use. It's more clean in my opinion.