[Bug] Missing privacy manifest for iOS

[sgreifeneder]

Description

Got the following message when submitting an app for review in App Store Connect:

ITMS-91061: Missing privacy manifest - Your app includes “Frameworks/FBLPromises.framework/FBLPromises”, which includes FBLPromises, an SDK that was identified in the documentation as a privacy-impacting third-party SDK. Starting November 12, 2024, if a new app includes a privacy-impacting SDK, or an app update adds a new privacy-impacting SDK, the SDK must include a privacy manifest file. Please contact the provider of the SDK that includes this file to get an updated SDK version with a privacy manifest. For more details about this policy, including a list of SDKs that are required to include signatures and manifests, visit: https://developer.apple.com/support/third-party-SDK-requirements.

For the following SDKs:

• FBLPromises
• FirebaseCore
• FirebaseCoreDiagnostics
• FirebaseInstallations
• FirebaseMessaging
• GoogleDataTransport

Steps to Reproduce

1. Include Plugin.FirebasePushNotifications in a MAUI app
2. Build and publish iOS app
3. Send app to review

Expected Behavior

• privacy manifest exists, I don't get a warning during app review and I can also submit app updates after November 12th 2024

Actual Behavior

• privacy manifest missing

Basic Information

• Version with issue: 2.3.12
• Last known good version: n/a

[thomasgalliker]

I think that‘s something you have to add to the app that is using this library.
If I‘m wrong, let me know how I have to adjust this library.

[sgreifeneder]

We already have a privacy manifest for our app (I think you can't submit anymore without it).
But in this case, the SDK/library provider has to include a privacy manifest as well.

Apple is also explicitly mentioning that:

Please contact the provider of the SDK that includes this file to get an updated SDK version with a privacy manifest.

See also
https://developer.apple.com/documentation/bundleresources/privacy_manifest_files
https://developer.apple.com/support/third-party-SDK-requirements

[thomasgalliker]

Strangly, I cannot see this ITMS-91061 warnings in our solution. Do you get it when you upload the ipa file with Transporter.app? How can I reproduce this issue? - As far as I read on github, we need to place a privacy file in this library. I didn't know that.

[sgreifeneder]

I'm uploading the ipa file from a GitHub Action: apple-actions/upload-testflight-build
But in the logs I can see that there are no errors (I also don't get any notification from Apple about it).

Only when I submit the build for review, I get a mail with the above mentioned warnings.

[sgreifeneder]

Hi @thomasgalliker, any update here?

[thomasgalliker]

No update yet in this direction. There is currently a lot of other priority work going on.

• Is the warning you receive a show stopper - or does Apple still accept the app?
• If you have the time to do some research on what exactly we have to update here, I'd highly appreciate it. Merge requests are welcome!

[sgreifeneder]

I don't know what your priority work is, but according to the Apple message, no one would be able to submit new apps or app updates using your Firebase PN SDK starting Nov 12th (which is in 2 months):

Starting November 12, 2024, if a new app includes a privacy-impacting SDK, or an app update adds a new privacy-impacting SDK, the SDK must include a privacy manifest file.

As of now, Apple is still accepting the app, but I think this should be high prio.

[thomasgalliker]

Work performed for paying customers = priority work. You can fork this repo, add all privacy info needed to comply with Apple, create a merge request and I‘ll review it with high priority.

[thomasgalliker]

Newer versions of firebase-ios-sdk contain the necessary privacy manifest files (PrivacyInfo.xcprivacy). Therefore we need to resolve #19 first and get this issue resolved for free.

[sgreifeneder]

Ok, can you already estimate when the work on this can be started or how long it would take?