customerio / customerio-expo-plugin


Missing privacy manifest for NotificationService extension #138

Closed DavidLichy closed 4 months ago

DavidLichy commented 5 months ago

Receiving warnings from Apple when submitting an iOS build for App Store Review.

> ITMS-91053: Missing API declaration - Your app’s code in the “PlugIns/NotificationService.appex/NotificationService” file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryUserDefaults. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.

Shahroz16 commented 4 months ago

Hey @DavidLichy thank you for reaching out and bringing this to our attention, we are reviewing this and will send out a fix for this.

Shahroz16 commented 4 months ago

@DavidLichy we looked into this, the privacy mentions using App group, we are not necessarily utilizing App Groups in the SDK. Are you certain it's not any other SDK that might be causing it? Or if you are utilizing App Groups in the app?

DavidLichy commented 4 months ago

NSPrivacyAccessedAPICategoryUserDefaults

The issue from Apple was indicating the use of the UserDefaults API in the NotificationService extension created by this plugin. I will look deeper to see if there are any other SDKs that use the extension. Patching with the changes from this PR fixed the issue with the App Store: https://github.com/customerio/customerio-expo-plugin/pull/139.

DavidLichy commented 4 months ago

> @DavidLichy we looked into this, the privacy mentions using App group, we are not necessarily utilizing App Groups in the SDK. Are you certain it's not any other SDK that might be causing it? Or if you are utilizing App Groups in the app?

I've removed 1C8F.1 from the manifest in the PR

Shahroz16 commented 4 months ago

@DavidLichy the only one is already added in the react native release.

DavidLichy commented 4 months ago

> @DavidLichy the only one is already added in the react native release.

We had updated to 3.6.0 with Expo 50.0.17 and set up the app.json as per the Expo docs: https://docs.expo.dev/guides/apple-privacy/#including-required-reasons-for-expo-sdk-packages-and-other-third-party-libraries. It seems like there is a problem with Apple parsing the PrivacyInfo files.

> As of now, Apple does not correctly parse all the PrivacyInfo files included by static CocoaPods dependencies (such as Expo SDK packages and other ecosystem libraries).
> You may need to include the required reasons for the APIs used by those dependencies in your app's PrivacyInfo.xcprivacy file or the configuration in the app.json.

The only warning from App Store submission after that was the one mentioned in this issue, which had been fixed with the changes from the PR. Maybe we need to wait for Apple or Expo to fix?

Shahroz16 commented 4 months ago

Yup, it seems like an Apple issue, and their suggestion in the link

> You can usually identify the required reasons for the APIs used by other third-party libraries by checking if the library you intend to use has a PrivacyInfo.xcprivacy file in the node_modules/package_name/ios directory. If it does, you can check the NSPrivacyAccessedAPITypes and NSPrivacyAccessedAPITypeReasons values in that file and copy those values to your configuration.

suggests Expo users will need to add these permissions manually until Apple fixes it.

I am going to close this issue, but feel free to reopen another one. We are going to update the docs to reflect this as well. Thank you for your assistance and help in this.
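
The manual step quoted from the Expo guide (find each dependency's PrivacyInfo.xcprivacy under node_modules, then copy its required-reason declarations into your own configuration) can be scripted. The following is an added example, not code from this thread or from the plugin: the function names and the sample packages are constructed, and it also records which package declared each reason so that one that does not apply to your app (such as 1C8F.1, dropped from the PR above) can be reviewed before copying.

```python
import plistlib
import tempfile
from pathlib import Path

def collect_required_reasons(node_modules):
    """Merge NSPrivacyAccessedAPITypes from every PrivacyInfo.xcprivacy found.
    Returns (merged, provenance); provenance maps (category, reason) to the
    packages declaring it, so reasons that do not apply can be dropped.
    """
    root = Path(node_modules)
    reasons, provenance = {}, {}
    for manifest in sorted(root.rglob("PrivacyInfo.xcprivacy")):
        parts = manifest.relative_to(root).parts
        package = "/".join(parts[:2]) if parts[0].startswith("@") else parts[0]
        try:
            data = plistlib.loads(manifest.read_bytes())
            entries = data.get("NSPrivacyAccessedAPITypes", [])
        except Exception:  # malformed, unreadable or non-dict manifest: skip it
            continue
        for entry in entries:
            category = entry.get("NSPrivacyAccessedAPIType")
            if not category:
                continue
            for reason in entry.get("NSPrivacyAccessedAPITypeReasons", []):
                reasons.setdefault(category, set()).add(reason)
                provenance.setdefault((category, reason), set()).add(package)
    merged = [{"NSPrivacyAccessedAPIType": c,
               "NSPrivacyAccessedAPITypeReasons": sorted(r)}
              for c, r in sorted(reasons.items())]
    return merged, provenance

def demo():
    """Run the merge over two constructed packages in a temporary directory."""
    ud = "NSPrivacyAccessedAPICategoryUserDefaults"
    ft = "NSPrivacyAccessedAPICategoryFileTimestamp"
    sample = {  # constructed package names and declarations
        "example-push-sdk": {ud: ["CA92.1", "1C8F.1"]},
        "@example/storage": {ud: ["CA92.1"], ft: ["C617.1"]},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for package, apis in sample.items():
            ios_dir = Path(tmp, "node_modules", package, "ios")
            ios_dir.mkdir(parents=True)
            body = [{"NSPrivacyAccessedAPIType": c,
                     "NSPrivacyAccessedAPITypeReasons": r} for c, r in apis.items()]
            (ios_dir / "PrivacyInfo.xcprivacy").write_bytes(
                plistlib.dumps({"NSPrivacyAccessedAPITypes": body}))
        return collect_required_reasons(Path(tmp, "node_modules"))

if __name__ == "__main__":
    print(plistlib.dumps({"NSPrivacyAccessedAPITypes": demo()[0]}).decode())
```

Point `collect_required_reasons` at a real project's node_modules directory to get the merged array; the provenance map shows which dependency to check when a declared reason looks wrong for your app.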