braintree / braintree_ios

Braintree SDK for iOS
https://developer.paypal.com/braintree/docs/start/hello-client/ios/v5
MIT License

libPPRiskComponent uses `CNCopyCurrentNetworkInfo` API, which requires an entitlement in iOS 12 #423

Closed jaredegan closed 5 years ago

jaredegan commented 6 years ago

General information

Full version information from Podfile.lock:

  - Braintree (4.17.0):
    - Braintree/Card (= 4.17.0)
    - Braintree/Core (= 4.17.0)
    - Braintree/PayPal (= 4.17.0)
    - Braintree/UI (= 4.17.0)
  - Braintree/Card (4.17.0):
    - Braintree/Core
  - Braintree/Core (4.17.0)
  - Braintree/PaymentFlow (4.17.0):
    - Braintree/Card
    - Braintree/Core
  - Braintree/PayPal (4.17.0):
    - Braintree/Core
    - Braintree/PayPalOneTouch
  - Braintree/PayPalDataCollector (4.17.0):
    - Braintree/Core
    - Braintree/PayPalUtils
  - Braintree/PayPalOneTouch (4.17.0):
    - Braintree/Core
    - Braintree/PayPalDataCollector
    - Braintree/PayPalUtils
  - Braintree/PayPalUtils (4.17.0)
  - Braintree/UI (4.17.0):
    - Braintree/Card
    - Braintree/Core
  - Braintree/UnionPay (4.17.0):
    - Braintree/Card
    - Braintree/Core
  - BraintreeDropIn (6.4.1):
    - BraintreeDropIn/DropIn (= 6.4.1)
  - BraintreeDropIn/DropIn (6.4.1):
    - Braintree/Card (~> 4.17)
    - Braintree/Core (~> 4.17)
    - Braintree/PaymentFlow (~> 4.17)
    - Braintree/UnionPay (~> 4.17)
    - BraintreeDropIn/UIKit
  - BraintreeDropIn/UIKit (6.4.1)

Issue description

libPPRiskComponent uses the CNCopyCurrentNetworkInfo API, which now requires the "Access WiFi Information" entitlement in iOS 12. If your app does not have that entitlement, your app will be rejected.

This can be verified by using grep in your project directory.

grep "CNCopyCurrentNetworkInfo" * -r
Binary file Pods/Braintree/BraintreePayPal/PayPalDataCollector/Risk/libPPRiskComponent.a matches

Apple documentation here: https://developer.apple.com/documentation/systemconfiguration/1614126-cncopycurrentnetworkinfo

I can't find any official Apple documentation on what are appropriate use cases for this capability. That is frustrating, but with their ever-increasing focus on user privacy, and the potential privacy implications of this API, I would assume it leans towards avoiding the use (and inclusion) of this API. I understand this information is used as input into some risk calculation algorithm, but in my opinion PayPal would not win an argument against Apple to say that it is necessary for the Braintree SDK to function.

The options to move forward are either:

1) Remove the use of this API from the PPRiskComponent and publish a new version of the Braintree SDK that doesn't use it. For what it's worth, this is my recommendation. It keeps integration simple, prevents users of this SDK from getting a surprise rejection, and generally follows the direction that Apple is heading.

2) Add notes to the README about needing to add the entitlement necessary to use this API. With the current situation, I believe submitting our app with this SDK and without the entitlement will lead to a confusing app rejection. It's not clear how to determine which 3rd party SDK is using what Apple APIs.
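
The grep check above, generalized so it also answers whether the app declares the matching entitlement. This is an added example, not part of the original thread or of the Braintree project. It assumes an XML-format `.entitlements` file and that `com.apple.developer.networking.wifi-info` is the key behind the "Access WiFi Information" capability; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Audit vendored binaries for an entitlement-gated API (added example).
WIFI_KEY='com.apple.developer.networking.wifi-info'  # "Access WiFi Information"

# List every file under DIR ($1) whose bytes contain SYMBOL ($2).
# -F matches literally; -l prints only the path, so static libraries and
# other binary files are reported the same way as text files.
find_symbol_users() {
    grep -rlF -- "$2" "$1" 2>/dev/null | sort
}

# Succeed if the XML entitlements file ($1) sets the key to <true/>.
# Assumes the value sits on the key's line or the line after it.
has_wifi_entitlement() {
    [ -f "$1" ] || return 1
    grep -A1 -F "<key>$WIFI_KEY</key>" "$1" | grep -q '<true/>'
}

# Exit status: 0 = symbol absent, or present with the entitlement declared;
#              1 = symbol present but entitlement missing (review risk).
audit_project() {
    users=$(find_symbol_users "$1" CNCopyCurrentNetworkInfo)
    if [ -z "$users" ]; then
        echo "OK: no binary references the API"; return 0
    fi
    echo "Referenced by:"; echo "$users" | sed 's/^/  /'
    if has_wifi_entitlement "$2"; then
        echo "OK: $WIFI_KEY is declared"; return 0
    fi
    echo "MISSING: $WIFI_KEY not declared in $2"; return 1
}

# Constructed sample project (placeholder file names, not the real SDK).
DEMO=$(mktemp -d)
mkdir -p "$DEMO/Pods/VendorRisk" "$DEMO/Pods/Other"
printf '\000\001_CNCopyCurrentNetworkInfo\000\002' > "$DEMO/Pods/VendorRisk/libVendorRisk.a"
printf '\000\001_SomeOtherSymbol\000' > "$DEMO/Pods/Other/libOther.a"
cat > "$DEMO/App.entitlements" <<EOF
<plist version="1.0"><dict>
  <key>$WIFI_KEY</key>
  <true/>
</dict></plist>
EOF
printf '<plist version="1.0"><dict/></plist>\n' > "$DEMO/Bare.entitlements"

audit_project "$DEMO/Pods" "$DEMO/Bare.entitlements" || echo "-> entitlement needed"
audit_project "$DEMO/Pods" "$DEMO/App.entitlements"
```

A string match shows that a binary references the symbol, not that the call is reached at run time, so treat a hit as a prompt to check with the vendor rather than as proof of use.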

demerino commented 6 years ago

@jaredegan Thanks for the detailed feedback. We're going to discuss with the PayPal Risk team and look into a solution regarding the usage of CNCopyCurrentNetworkInfo.

demerino commented 6 years ago

@jaredegan The PayPal Risk team is looking into alternatives so we can drop the CNCopyCurrentNetworkInfo. Thanks again for raising the issue and your patience as we work on the solution.

jaredegan commented 6 years ago

Any update? We're hoping to ship our Braintree integration within the next 2 weeks. We just got over a 27 day wait for app approval after another one of our partner SDKs was using CNCopyCurrentNetworkInfo. I have a feeling our next app review will not go well if it's all of a sudden back, whether or not we add the entitlement.

demerino commented 6 years ago


For now, we recommend enabling the entitlement and we will update our documentation where appropriate with these directions. Let us know if you still have questions and if there are still issues submitting your app.

jaredegan commented 6 years ago

We should be submitting this version within 7 days, so we should be able to give you some feedback within 2 weeks.

philmartin83 commented 5 years ago

@jaredegan I've been following this post, did your app get approved?

jaredegan commented 5 years ago

Yes, I'm sorry I meant to follow up on this. The app was approved without issue. I will close the issue.