[question]: Privacy Manifest : Userdefaults and Timestamps

[Nav-3299]

How can we help?

Hi Team ,

I am using 5.0.5 version of SDK in IOS and facing these issues while uploading . Please guide

ITMS-91053: Missing API declaration - Your app’s code in the “PlugIns/OneSignalNotificationServiceExtension.appex/OneSignalNotificationServiceExtension” file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryUserDefaults. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.

ITMS-91053: Missing API declaration - Your app’s code in the “PlugIns/OneSignalNotificationServiceExtension.appex/OneSignalNotificationServiceExtension” file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryFileTimestamp. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.

Code of Conduct

• [X] I agree to follow this project's Code of Conduct

[nan-li]

Hi @Nav-3299 thank you for reporting.

Can you share what dependencies your OneSignalNotificationServiceExtension contains and what code it contains?

Also, the OneSignal iOS SDK does not contain any NSPrivacyAccessedAPICategoryFileTimestamp APIs.

[nan-li]

A followup question for anyone encountering this, can you confirm you are not using UserDefaults or the File timestamp APIs in your own source code in your Notification Service Extension?

[Nav-3299]

I am using this Extension please @nan-li

[nan-li]

Hi @Nav-3299

• OneSignalExtension framework does not use any NSPrivacyAccessedAPICategoryFileTimestamp APIs.
• It does use NSPrivacyAccessedAPICategoryUserDefaults and it is documented in the Privacy Manifest.

I would confirm your FirebaseMessaging dependency as well as any of your own app code in your OneSignalNotificationExtension

[Nav-3299]

Hi @nan-li

Since the e-mail reads that OneSignaExtension is using userdefaults and CategoryFileTimestamp related Apis , I would not be able to upload my app from May 1 .I would rather request you to kindly get in touch with Apple support Team to provide clarifications on the same

For my upcoming builds on appstore I would attach this thread in order for them to know that OneSignal is not using any of these apis.

I also want to confirm you that in previous e-mails, I was notified about Userdefaults and Other Categories apis being used in my application (that is Sportslocker) ,which I had fixed by placing proper columns in Privacy Manifest File(previous mail attached below) . But now, I only get emails related to One Signal missing the above categories in their privacy Manifest .

I would be great if we can find out a way .

Thanks

---------------------------MAIL STARTS HERE-----------------------------

Hello,

We noticed one or more issues with a recent submission for App Store review for the following app:

Sports.com Version 4.0.0 Build 3 Although submission for App Store review was successful, you may want to correct the following issues in your next submission for App Store review. Once you've corrected the issues, upload a new binary to App Store Connect.

ITMS-91053: Missing API declaration - Your app’s code in the “PlugIns/OneSignalNotificationServiceExtension.appex/OneSignalNotificationServiceExtension” file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryFileTimestamp. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.

ITMS-91053: Missing API declaration - Your app’s code in the “PlugIns/OneSignalNotificationServiceExtension.appex/OneSignalNotificationServiceExtension” file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryUserDefaults. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.

ITMS-91053: Missing API declaration - Your app’s code in the “Sports.com” file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryFileTimestamp. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.

ITMS-91053: Missing API declaration - Your app’s code in the “Sports.com” file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategorySystemBootTime. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.

ITMS-91053: Missing API declaration - Your app’s code in the “Sports.com” file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryDiskSpace. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.

ITMS-91053: Missing API declaration - Your app’s code in the “Sports.com” file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryUserDefaults. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.

Apple Developer Relations

[nan-li]

Hi @Nav-3299, thank you for following up,

The warnings are for OneSignalNotificationServiceExtension. Please note that OneSignalNotificationServiceExtension is just the name for your app's own Notification Service Extension. You could name it anything else such as MyNotificationServiceExtension and the code and dependencies would be the same.

Your Notification Service Extension does use OneSignalExtension framework, which is part of our SDK. However, the warnings are unclear if the issue is:

• The OneSignal dependency
• Your own code in your Notification Service Extension are using these APIs
• The FirebaseMessaging dependency is using these APIs

I would recommend you confirm your FirebaseMessaging dependency version includes Privacy Manifest support. In addition, you can scan your own code for these APIs. Here is a simple text search implementation.

[lobanovD]

This problem is relevant even without using firebase

[nan-li]

@lobanovD Can you share all your dependencies your Notification Service Extension uses? Additionally, confirm your own code is not calling those APIs?

[lobanovD]

@lobanovD Can you share all your dependencies your Notification Service Extension uses? Additionally, confirm your own code is not calling those APIs?

I'm using UserDefaults. And described this in my privacy manifest. Removing OneSignal from the project solves the problem of submitting the build to the App Store, but this is clearly not the solution I need.

[nan-li]

Hi @lobanovD,

Removing OneSignal from the project solves the problem of submitting the build to the App Store, but this is clearly not the solution I need.

When you removed OneSignal from our project, what API error(s) did it resolve?

[lobanovD]

Hi @lobanovD,

Removing OneSignal from the project solves the problem of submitting the build to the App Store, but this is clearly not the solution I need.

When you removed OneSignal from our project, what API error(s) did it resolve?

this

after OneSignal was uninstalled, the application was reviewed

[nan-li]

Hi @lobanovD thank you for following up, your error about code signatures is different than the Privacy Manifest APIs reported by Nav-3299.

I believe you are using Swift Package Manager. I am not sure when you added the dependency but we did release version 5.1.6 to SPM without signatures, but updated them the next day.

This happened 7 days ago. Can you pull the package again?

I am confused about the RxSwift error because OneSignalOutcomes has no dependency on RxSwift and is an Objective-C only framework.

[lobanovD]

reinstalled this today according to the instructions https://documentation.onesignal.com/docs/ios-sdk-setup

however, the library does not contain a manifest file and I think this is the problem

for example, it is present in the Realm library

[nan-li]

Hi @lobanovD, the way the sources for the SDK are packaged, the privacy manifests will not show up in the file hierarchy.

You can generate your App's privacy report by following instructions Create your app’s privacy report and you should see it includes the Privacy Manifest information from the OneSignal SDK.

[nan-li]

@lobanovD We just released Release 5.2.0 in which we added Privacy Manifests to all of our sub-packages as well.

This may resolve the issue for you, can you try?

[lobanovD]

I'll check this on the next build of the application and get back to you with an answer.

[Nav-3299]

Hi @nan-li Its fixed

Thanks 👍🏻