ReactiveX / RxSwift

Reactive Programming in Swift
MIT License

Any support/plan of Privacy Manifest? #2567

Closed Angus-chang closed 6 months ago

Angus-chang commented 11 months ago

Following the same topic in the RxSwift official Slack. According to the definition of "third-party SDKs" as mentioned in WWDC23, the new documents (Privacy manifest files | Apple Developer Documentation) and the new announcement from Apple, it seems like RxSwift/RxCocoa/RxRelay require a privacy manifest and signature as well.

I was wondering if the Privacy Manifest update will be introduced in following updates, and whether it is possible for us to know the schedule so that we can plan and manage our app releases more effectively. Deeply appreciated.

Platform/Environment

Installation method:

Level of RxSwift knowledge: (this is so we can understand your level of knowledge and formulate the response in an appropriate manner)

wlxo0401 commented 10 months ago

+1

ZYHshao commented 10 months ago

+1

tommyming commented 10 months ago

Agree that this needs to be added, there are still a lot of apps using RxSwift I think.

freak4pc commented 10 months ago

Definitely something we'll add by the deadline. There's almost a year by then. Thanks!

danielt1263 commented 10 months ago

If one of you who has already looked into this could add it, that would be fantastic. If you have any questions about the library itself, reach out to me on Slack.

freak4pc commented 10 months ago

Yeah, actually if anyone wants to open a relevant PR that would help immensely 🙏 thanks!

Here's an example, even though RxSwift doesn't track anything or does any API calls on its own, so there's really no privacy content to describe: https://github.com/BranchMetrics/ios-branch-sdk-spm/blob/main/BranchSDK/PrivacyInfo.xcprivacy

wlxo0401 commented 10 months ago

@freak4pc

I simply looked it up, and it seems like 'mach_absolute_time' is used, did I make a mistake?

freak4pc commented 10 months ago

@freak4pc

I simply looked it up, and it seems like 'mach_absolute_time' is used, did I make a mistake?

Might be missing something but what's the privacy concern with mach time ?

wlxo0401 commented 10 months ago

Apple Doc

I was just looking up the API list in the Apple document in the RxSwift project.

The way I did it is as follows.

  1. Clone the RxSwift project to my computer
  2. I opened the project using Xcode.
  3. Through the entire search, the API was searched one by one. (If the above method is wrong, please let me know.)

I checked and found that 'mach_absolute_time' exists in the 'Tests' folder, isn't this a problem??

danielt1263 commented 10 months ago

Not a problem. It just needs a reason for being there.

The RxSwift test harness uses mach_absolute_time() in order to test performance only; it is not used in the production code and is not sent off device.

wlxo0401 commented 10 months ago

@danielt1263

Here's an example, even though RxSwift doesn't track anything or does any API calls on its own, so there's really no privacy content to describe:

Oh, I'm afraid I didn't say it correctly. It's my mistake to say "problem." (I am not good at English.)

I mean... @freak4pc said 'so there's really no privacy content to description', shouldn't we write down the description in PrivacyInfo if RxSwift uses 'mach_absolute_time'??

danielt1263 commented 10 months ago

Yes, the description needs to be added to the privacy info. I provided you the description above.

tommyming commented 10 months ago

if mach_absolute_time() is the only API that is used in the project, mentioned by @wlxo0401, I think we just need to declare the use of the API and its purpose in the privacy file, as mentioned by Apple. then it should work?

For reference, this is a PR of Kingfisher, adding privacy manifest to the project: https://github.com/onevcat/Kingfisher/pull/2156

I can try to work on this on the 1st week of 2024, if anyone is free to work it out these days, feel free to create a PR.

wlxo0401 commented 10 months ago

@tommyming

Apple specifically mentioned RxSwift, but within the RxSwift ecosystem, there are various related libraries like RxCocoa, RxRelay, RxBlocking, RxTest, and RxSwift-Dynamic, among others. (And we can only choose what we want.)

The question is whether you should include PrivacyInfo documentation for each of these libraries separately or if a single PrivacyInfo entry is sufficient.

(Use Chat GPT for translation)

tommyming commented 10 months ago

@tommyming

Apple specifically mentioned RxSwift, but within the RxSwift ecosystem, there are various related libraries like RxCocoa, RxRelay, RxBlocking, RxTest, and RxSwift-Dynamic, among others. (And we can only choose what we want.)

The question is whether you should include PrivacyInfo documentation for each of these libraries separately or if a single PrivacyInfo entry is sufficient.

(Use Chat GPT for translation)

According to the Apple's Article: RxCocoa, RxRelay, RxSwift is on the list.

If that's the case, I think adding privacy files to these 3 libraries should do the job?

wlxo0401 commented 10 months ago

@tommyming

Thank you so much for your quick response.

I have another question about Privacy Manifest, not Rx content...

  1. If Apple does not mention the library, but there is something to record in 'PrivacyInfo'
  2. If Apple mentions it but there is nothing to record in 'PrivacyInfo'
  3. If Apple doesn't mention it and doesn't have anything to write in "PrivacyInfo"

What happens to each of the above situations?

As far as I know, Privacy Manifest is compulsory for third-party libraries, but when I look at other library communities, I'm confused because some places can't even be mentioned.

tommyming commented 10 months ago

As far as I know, Privacy Manifest is compulsory for third-party libraries, but when I look at other library communities, I'm confused because some places can't even be mentioned.

May I know the reference from Apple that Privacy Manifest is compulsory for 3rd party libraries? If that's the case, then many old libraries in cocoapods may require updates, which may cause a massacre of the whole community.

According to my understanding, only the SDKs mentioned by Apple on the list are compulsory to add privacy manifests. Or else you cannot perform App Submissions.

wlxo0401 commented 10 months ago

@tommyming

Apple Doc

From Fall 2023 you'll receive an email from Apple if you upload an app to App Store Connect that uses required reason API without describing the reason in its privacy manifest file. From Spring 2024, apps that don't describe their use of required reason API in their privacy manifest file won't be accepted by App Store Connect.

It is part of the contents of the above document.

The contents that can be included in 'PrivacyInfo' are as follows. [NSPrivacyTracking, NSPrivacyTrackingDomain, NSPrivacyCollectedDataType, NSPrivacyAccessAPType]

However, in the case of 'NSPrivacyAccessAPType', the document had the above contents.

I understood that, 'All third party libraries should add Privacy Manifest if they have a 'Describing use of required reason API'.

Did I get it too differently?
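The manual check described earlier in the thread (clone the repo, open it in Xcode, search for each required-reason API one by one) and the manifest keys listed above can be combined into a small audit script. The following is an added example, not code from RxSwift or from anyone in this thread: it scans a mapping of source paths to file contents for a subset of Apple's required-reason API symbols, separates hits in test code (which does not ship, the point made about mach_absolute_time above) from hits in shipped code, and compares the shipped categories against the NSPrivacyAccessedAPITypes array of a PrivacyInfo.xcprivacy. The symbol table, the sample source files and the sample manifest are all constructed for illustration; the reason code in the sample manifest is my reading of Apple's documentation and should be verified against it before use.

```python
import plistlib
import re

# Constructed subset of Apple's required-reason API list, mapped to the
# NSPrivacyAccessedAPIType category each symbol belongs to. Not exhaustive.
REQUIRED_REASON_SYMBOLS = {
    "mach_absolute_time": "NSPrivacyAccessedAPICategorySystemBootTime",
    "systemUptime": "NSPrivacyAccessedAPICategorySystemBootTime",
    "stat": "NSPrivacyAccessedAPICategoryFileTimestamp",
    "fstat": "NSPrivacyAccessedAPICategoryFileTimestamp",
    "lstat": "NSPrivacyAccessedAPICategoryFileTimestamp",
    "getattrlist": "NSPrivacyAccessedAPICategoryFileTimestamp",
    "creationDate": "NSPrivacyAccessedAPICategoryFileTimestamp",
    "modificationDate": "NSPrivacyAccessedAPICategoryFileTimestamp",
    "UserDefaults": "NSPrivacyAccessedAPICategoryUserDefaults",
    "statfs": "NSPrivacyAccessedAPICategoryDiskSpace",
    "volumeAvailableCapacity": "NSPrivacyAccessedAPICategoryDiskSpace",
    "activeInputModes": "NSPrivacyAccessedAPICategoryActiveKeyboards",
}
SYMBOL_RE = re.compile(r"\b(" + "|".join(map(re.escape, REQUIRED_REASON_SYMBOLS)) + r")\b")


def scan_sources(files, test_dir_marker="/Tests/"):
    """files: {path: source text}. Returns {category: {"shipped": set, "tests": set}}
    where each set holds (path, symbol) pairs. Paths containing test_dir_marker
    are bucketed as test-only, i.e. code that is not deployed to users."""
    hits = {}
    for path, text in files.items():
        bucket = "tests" if test_dir_marker in path else "shipped"
        for m in SYMBOL_RE.finditer(text):
            category = REQUIRED_REASON_SYMBOLS[m.group(1)]
            hits.setdefault(category, {"shipped": set(), "tests": set()})[bucket].add((path, m.group(1)))
    return hits


def declared_api_types(manifest_bytes):
    """Parse a PrivacyInfo.xcprivacy and return {category: [reason codes]}."""
    plist = plistlib.loads(manifest_bytes)
    return {
        entry["NSPrivacyAccessedAPIType"]: list(entry.get("NSPrivacyAccessedAPITypeReasons", []))
        for entry in plist.get("NSPrivacyAccessedAPITypes", [])
    }


def audit(files, manifest_bytes):
    """Compare scanned usage with the manifest. 'missing' is what App Store Connect
    would flag (ITMS-91053 style): a category referenced by shipped code but absent
    from the manifest. 'tests_only' needs no declaration but is reported for review."""
    hits = scan_sources(files)
    declared = declared_api_types(manifest_bytes)
    return {
        "missing": sorted(c for c, h in hits.items() if h["shipped"] and c not in declared),
        "tests_only": sorted(c for c, h in hits.items() if h["tests"] and not h["shipped"]),
        "undeclared_reason": sorted(c for c, reasons in declared.items() if not reasons),
        "declared": declared,
    }


# Constructed sample input: a library whose only hit is in its test target,
# plus an app file that reads a file modification date in shipped code.
SAMPLE_FILES = {
    "RxSwift/Sources/Scheduler.swift": "let now = Date()\n",
    "RxSwift/Tests/PerformanceTests.swift": "let start = mach_absolute_time()\n",
    "MyApp/Sources/Cache.swift": "let attrs = try fm.attributesOfItem(atPath: p)\nlet mod = attrs[.modificationDate]\n",
}

# Constructed manifest declaring only the boot-time category (reason 35F9.1 as
# read from Apple's documentation; verify before reuse).
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>NSPrivacyTracking</key><false/>
  <key>NSPrivacyTrackingDomains</key><array/>
  <key>NSPrivacyCollectedDataTypes</key><array/>
  <key>NSPrivacyAccessedAPITypes</key><array>
    <dict>
      <key>NSPrivacyAccessedAPIType</key><string>NSPrivacyAccessedAPICategorySystemBootTime</string>
      <key>NSPrivacyAccessedAPITypeReasons</key><array><string>35F9.1</string></array>
    </dict>
  </array>
</dict></plist>"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_FILES, SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

With the sample input the script reports the FileTimestamp category as missing (shipped app code, not declared) and SystemBootTime as tests-only, which mirrors the two situations discussed in this thread.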

tommyming commented 10 months ago

All third-party libraries should add a Privacy Manifest if they have a 'Describing use of required reason API'

Agree on this.

But I think Apple understands that a massacre will be summoned if they enforce all 3rd party libraries need to add Privacy Manifest lol. So that's why they provided a list of must-provide SDKs.

A bit off-topic. I will try to add a privacy manifest to the 3 repositories mentioned by Apple next week.

Please feel free to provide info related to this issue, thanks.

tommyming commented 10 months ago

Seems @wlxo0401 has created a PR (as mentioned above), please feel free to take a look.

lambda123254 commented 10 months ago

According to my understanding, only the SDKs mentioned by Apple on the list are compulsory to add privacy manifests. Or else you cannot perform App Submissions.

Actually, all libraries or SDKs which use these functions (Apple Doc) have to add a Privacy Manifest. Apple just mentioned a few of them which are common libraries, so all SDK developers should review their own SDK whether they are mentioned by Apple or not. CMIIW

tommyming commented 10 months ago

According to my understanding, only the SDKs mentioned by Apple on the list are compulsory to add privacy manifests. Or else you cannot perform App Submissions.

Actually, all libraries or SDKs which use these functions (Apple Doc) have to add a Privacy Manifest. Apple just mentioned a few of them which are common libraries, so all SDK developers should review their own SDK whether they are mentioned by Apple or not. CMIIW

Agree on this.

But then Apple announced a list (in early December 2023) of libraries/SDKs that need to add privacyInfo, or else the app cannot be submitted to the App Store. That's why I used the word compulsory in the statement.

To clarify one thing: I agree that eventually all 3rd party SDKs may need to add the file. I'm just worried about the long-term ongoing progress of the review process.

Thanks for the info @lambda123254! Much appreciated.

wlxo0401 commented 9 months ago

I discovered a new while testing.

Until now, most of the libraries that have added PrivacyInfo have not been marked in PrivacyReport.

However, when an item is added to the 'Privacy Nutrition Label Types', the library name is displayed in the PrivacyReport.

Many libraries have updated PrivacyInfo without adding anything from 'Privacy Nutrition Label Types'.

Does anyone know about this? Is 'Privacy Nutrition Label Types' a must-have item?

Or is it not necessary to display it in the privacy report?

Please feel free to leave opinion.

(I used a translator.)

tommyming commented 9 months ago

I guess this is something from HealthKit, where this type of info should be treated properly?

wlxo0401 commented 9 months ago

I guess this is something from HealthKit, where this type of info should be treated properly?

I didn't use HealthKit.

The comment I posted seems to have a translation error, so I corrected it again. 😭

tommyming commented 9 months ago

I discovered a new while testing.

Until now, most of the libraries that have added PrivacyInfo have not been marked in PrivacyReport.

However, when an item is added to the 'Privacy Nutrition Label Types', the library name is displayed in the PrivacyReport.

Many libraries have updated PrivacyInfo without adding anything from 'Privacy Nutrition Label Types'.

Does anyone know about this? Is 'Privacy Nutrition Label Types' a must-have item?

Or is it not necessary to display it in the privacy report?

Please feel free to leave opinion.

(I used a translator.)

May I know wdym by PrivacyReport? Thanks.

wlxo0401 commented 9 months ago

May I know wdym by PrivacyReport? Thanks.

The 'PrivacyReport' I'm talking about can be downloaded as a PDF if you archive the app.

https://developer.apple.com/videos/play/wwdc2023/10060/ Please refer to 3:20.

  1. Open your project in Xcode.
  2. Choose Product > Archive. Xcode creates the archive and reveals it in the organizer.
  3. Control-click the archive in the organizer and choose Generate Privacy Report.

tommyming commented 9 months ago

May I know wdym by PrivacyReport? Thanks.

The 'PrivacyReport' I'm talking about can be downloaded as a PDF if you archive the app.

https://developer.apple.com/videos/play/wwdc2023/10060/ Please refer to 3:20.

  1. Open your project in Xcode.
  2. Choose Product > Archive. Xcode creates the archive and reveals it in the organizer.
  3. Control-click the archive in the organizer and choose Generate Privacy Report.

Understand, could you provide a sample project which can reproduce this condition? That could help on the investigation.

The privacy report is organized in a similar way to Privacy Nutrition Labels.

I think what you mean is something here: reference

I am just guessing the privacy labels can only be seen when you upload the app to the app store connect page, and let them help you make the thing.

wlxo0401 commented 9 months ago

@tommyming Um... I'm sorry. I think I asked a question without really understanding 'PrivacyReport' and 'Privacy Nutrition Label Types'. Let me find out again. 😄

jpeckner commented 9 months ago

@tommyming Um... I'm sorry. I think I asked a question without really understanding 'PrivacyReport' and 'Privacy Nutrition Label Types'. Let me find out again. 😄

Huge thanks to @wlxo0401 for putting together https://github.com/ReactiveX/RxSwift/pull/2572, it's very much appreciated 🙏 I've worked with Privacy Manifests a fair bit, and I'd be very surprised if any of the Rx repos were accessing any of the data on this list. There's maybe a tiny chance that they're accessing data in the Identifiers and/or Diagnostics categories, but again, that sounds very unlikely. Anything I might be overlooking @freak4pc @danielt1263?

ghost commented 9 months ago

Following the same topic in the RxSwift official Slack. According to the definition of "third-party SDKs" as mentioned in WWDC23, the new documents (Privacy manifest files | Apple Developer Documentation) and the new announcement from Apple, it seems like RxSwift/RxCocoa/RxRelay require a privacy manifest and signature as well.

I was wondering if the Privacy Manifest update will be introduced in following updates, and whether it is possible for us to know the schedule so that we can plan and manage our app releases more effectively. Deeply appreciated.

Platform/Environment

  • [x] iOS
  • [ ] macOS
  • [ ] tvOS
  • [ ] watchOS
  • [ ] playgrounds

Installation method:

  • [x] CocoaPods
  • [ ] Carthage
  • [ ] Git submodules

Level of RxSwift knowledge: (this is so we can understand your level of knowledge and formulate the response in an appropriate manner)

  • [x] just starting
  • [ ] I have a small code base
  • [ ] I have a significant code base

nikolaykasyanov commented 9 months ago

Folks, I appreciate the research being done in this thread, could someone please shed a light on why RxSwift (or any other Rx* module for that matter) needs a privacy manifest, if mach_absolute_time is only used in tests, i.e. code that's not deployed to users?

danielt1263 commented 9 months ago

... could someone please shed a light on why RxSwift (or any other Rx* module for that matter) needs a privacy manifest, if mach_absolute_time is only used in tests, i.e. code that's not deployed to users?

Because some automated tool at Apple went over the RxSwift library and flagged its use.

lancefu-eventbase commented 8 months ago

Hi all, is there a timeline for when we can expect this to be completed? According to Apple's documentation: Upcoming third-party SDK requirements, the deadline is spring 2024. I see there's a PR up: https://github.com/ReactiveX/RxSwift/pull/2572. Is there anything we can do to finish what's left so that it can be merged? Thank you.

JernardDucon commented 8 months ago

Hi all, is there a timeline for when we can expect this to be completed? According to Apple's documentation: Upcoming third-party SDK requirements, the deadline is spring 2024. I see there's a PR up: #2572. Is there anything we can do to finish what's left so that it can be merged? Thank you.

+1

jpeckner commented 8 months ago

Apple just announced the exact timelines for this: warning emails are starting on March 13, and app rejections will start on May 1.

Could one of the project maintainers review and hopefully merge https://github.com/ReactiveX/RxSwift/pull/2572 soon? @danielt1263 Is that something you're able to do?

danielt1263 commented 8 months ago

Not me... As far as I know only @freak4pc can do this.

freak4pc commented 8 months ago

Hey all,

I commented on the opened PR - the mach_absolute_time API is irrelevant to consumers of this SDK, it's only in our own tests so the privacy manifest shouldn't be relevant here. If it is still required by Apple, it won't have anything to report from a privacy perspective.

See note here: https://github.com/ReactiveX/RxSwift/pull/2572#pullrequestreview-1912004323

lancefu-eventbase commented 8 months ago

Hey all,

I commented on the opened PR - the mach_absolute_time API is irrelevant to consumers of this SDK, it's only in our own tests so the privacy manifest shouldn't be relevant here. If it is still required by Apple, it won't have anything to report from a privacy perspective.

See note here: #2572 (review)

Hi @freak4pc,

I understand your point, but that's irrelevant. Ultimately, Apple has mandated that RxCocoa, RxRelay, and RxSwift, all need to include privacy manifest and signature. They're specifically called out in Upcoming third-party SDK requirements.

It's totally reasonable to include a manifest to declare that they're not using any of the affected APIs or track anything. However, they must include such file regardless. Otherwise, it can be a reason for rejection when the rule comes into effect. It will be really unfortunate if we have to fork the repos just to add this manifest to avoid being rejected by Apple. This is why many of us have been asking for progress.

Thank you.

freak4pc commented 8 months ago

Hey all, I commented on the opened PR - the mach_absolute_time API is irrelevant to consumers of this SDK, it's only in our own tests so the privacy manifest shouldn't be relevant here. If it is still required by Apple, it won't have anything to report from a privacy perspective. See note here: #2572 (review)

Hi @freak4pc,

I understand your point, but that's irrelevant. Ultimately, Apple has mandated that RxCocoa, RxRelay, and RxSwift, all need to include privacy manifest and signature. They're specifically called out in Upcoming third-party SDK requirements.

It's totally reasonable to include a manifest to declare that they're not using any of the affected APIs or track anything. However, they must include such file regardless. Otherwise, it can be a reason for rejection when the rule comes into effect. It will be really unfortunate if we have to fork the repos just to add this manifest to avoid being rejected by Apple. This is why many of us have been asking for progress.

Thank you.

I'm a bit confused by your response and number of likes. I didn't say we shouldn't add it, I said that the fact they're asking it is based on a mistake, and if we provide it, that manifest should be empty since we have nothing to report. We can continue the discussion in the other thread.

mushyoom commented 8 months ago

Hello all, I saw there's a PR in progress, is there any support for code signing?

wlxo0401 commented 8 months ago

Hey all, I commented on the opened PR - the mach_absolute_time API is irrelevant to consumers of this SDK, it's only in our own tests so the privacy manifest shouldn't be relevant here. If it is still required by Apple, it won't have anything to report from a privacy perspective. See note here: #2572 (review)

Hi @freak4pc, I understand your point, but that's irrelevant. Ultimately, Apple has mandated that RxCocoa, RxRelay, and RxSwift, all need to include privacy manifest and signature. They're specifically called out in Upcoming third-party SDK requirements. It's totally reasonable to include a manifest to declare that they're not using any of the affected APIs or track anything. However, they must include such file regardless. Otherwise, it can be a reason for rejection when the rule comes into effect. It will be really unfortunate if we have to fork the repos just to add this manifest to avoid being rejected by Apple. This is why many of us have been asking for progress. Thank you.

I'm a bit confused by your response and number of likes. I didn't say we shouldn't add it, I said that the fact they're asking it is based on a mistake, and if we provide it, that manifest should be empty since we have nothing to report. We can continue the discussion in the other thread.

The way we can check right away is to review apps that have applied 'Privacy Manifest' without any new updates of the app from March 13th.

Through this, we can check Apple's response.

So I'm going to use 'Manually Release' to do a repetitive test in a way that even if I pass the examination, I'm going to cancel it.

If a lot of people's information is gathered, won't we find a sure way within May??

freak4pc commented 8 months ago

Hey there, our own app (monday.com) will be in review in a few days and I can't believe it will be rejected over this. This seems like an entire mistake on Apple's end. For example, AFNetworking is also in that list and it's been in Archived state for a while now.

I've opened a TSI to Apple Engineering and hoping to hear back from them soon, but I'm 99% we won't be experiencing any problems since RxSwift (and child libraries) don't use any of the privacy-related APIs outlined in Apple's docs.

Let's examine over the next few days. It isn't difficult adding an empty xcprivacy file but Apple recommends not doing that, and we have nothing to report from the framework's side.

mitchins commented 8 months ago

Hey there, Our own app (monday.com) will be in review in a few days and I can't believe it will be rejected over this. This seems like an entire mistake on Apple's end. For example, AFNetworking is also in that list and it's been in Archived state for a while now.

I've opened a TSI to Apple Engineering and hoping to hear back from them soon, but I'm 99% we won't be experiencing any problems since RxSwift (and child libraries) don't use any of the privacy-related APIs outlined in Apple's docs.

Let's examine over the next few days. It isn't difficult adding an empty xcprivacy file but Apple recommends not doing that, and we have nothing to report from the framework's side.

Do you recall where Apple recommends not adding an empty one?

Snapkit was also called out but has added an empty one here: https://github.com/SnapKit/SnapKit/blob/develop/Sources/PrivacyInfo.xcprivacy

It would seem if the SDK is specifically listed on Apple's documentation list then it would need a manifest whether or not it has anything to report using, right?

tikidunpon commented 8 months ago

Let's examine over the next few days. It isn't difficult adding an empty xcprivacy file but Apple recommends not doing that, and we have nothing to report from the framework's side.

~Do you have any update for this? We've got the ITMS-91053: Missing API declaration warning now.~

Thanks for the reply. This was caused by Apple's tool not detecting the privacy manifest of the Firebase SDK.

https://github.com/firebase/firebase-ios-sdk/issues/12557

freak4pc commented 7 months ago

Let's examine over the next few days. It isn't difficult adding an empty xcprivacy file but Apple recommends not doing that, and we have nothing to report from the framework's side.

Do you have any update for this? We've got the ITMS-91053: Missing API declaration warning now.

We didn't get it for RxSwift. Can you share the warnings you got?

jpeckner commented 7 months ago

@freak4pc Did you receive any warnings at all when you submitted your app? Note that uploading a TestFlight build won't trigger the email; you have to actually submit it for review (which is crazy I know). If you or anyone submits a build for review that includes RxSwift, and don't receive a warning email, that would go a long way towards proving the hypothesis that RxCocoa/RxRelay/RxSwift don't need a privacy manifest.

For reference here's the warning we received in our app; because it's so vague, it's impossible to tell if it was caused by RxSwift, Firebase, or something else.

ITMS-91053: Missing API declaration - Your app's code in the "Aspiration" file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryFileTimestamp. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app's privacy manifest to provide approved reasons for these APIs used by your app's code. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.

danielt1263 commented 7 months ago

@jpeckner Apple has a list of all the function calls/properties that will require a NSPrivacyAccessedAPICategoryFileTimestamp. The RxSwift library doesn't use any of them. Your problem is likely elsewhere.

freak4pc commented 7 months ago

@freak4pc Did you receive any warnings at all when you submitted your app? Note that uploading a TestFlight build won't trigger the email; you have to actually submit it for review (which is crazy I know). If you or anyone submits a build for review that includes RxSwift, and don't receive a warning email, that would go a long way towards proving the hypothesis that RxCocoa/RxRelay/RxSwift don't need a privacy manifest.

For reference here's the warning we received in our app; because it's so vague, it's impossible to tell if it was caused by RxSwift, Firebase, or something else.

ITMS-91053: Missing API declaration - Your app's code in the "Aspiration" file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryFileTimestamp. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app's privacy manifest to provide approved reasons for these APIs used by your app's code. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.

We didn't get any timestamp warnings. I got other warnings, but they're inside our own code base, not RxSwift (we're fixing them).

jpeckner commented 7 months ago

@freak4pc Thanks! Sounds like we can probably rule-out RxSwift as a cause of the NSPrivacyAccessedAPICategoryFileTimestamp warning. Just so we all know for sure, appreciate if you or anyone else could post here when you've successfully submitted a build with RxSwift that doesn't get any warnings (I'll do the same if I get there too).