FirebaseMessaging: Missing API declaration NSPrivacyAccessedAPICategoryFileTimestamp

andrei200287 commented 6 months ago

Description

I received an error email from Apple: 'ITMS-91053: Missing API declaration NSPrivacyAccessedAPICategoryFileTimestamp' when I use FirebaseMessaging in my Notification Service Extension.

Reproducing the issue

Just import FirebaseMessaging into your Notification Service Extension and submit the build for Apple's review. After 3 minutes, you will receive this email.

Firebase SDK Version

10.24.0

Xcode Version

15.3

Installation Method

Swift Package Manager

Firebase Product(s)

Analytics, Crashlytics, Messaging

Targeted Platforms

iOS, App Extensions

Relevant Log Output

No response

If using Swift Package Manager, the project's Package.resolved

Expand Package.resolved snippet

```json { "identity" : "firebase-ios-sdk", "kind" : "remoteSourceControl", "location" : "https://github.com/firebase/firebase-ios-sdk.git", "state" : { "revision" : "42eae77a0af79e9c3f41df04a23c76f05cfdda77", "version" : "10.24.0" } }, { "identity" : "googleappmeasurement", "kind" : "remoteSourceControl", "location" : "https://github.com/google/GoogleAppMeasurement.git", "state" : { "revision" : "51ba746a9d51a4bd0774b68499b0c73ef6e8570d", "version" : "10.24.0" } }, { "identity" : "googledatatransport", "kind" : "remoteSourceControl", "location" : "https://github.com/google/GoogleDataTransport.git", "state" : { "revision" : "a637d318ae7ae246b02d7305121275bc75ed5565", "version" : "9.4.0" } }, { "identity" : "googleutilities", "kind" : "remoteSourceControl", "location" : "https://github.com/google/GoogleUtilities.git", "state" : { "revision" : "26c898aed8bed13b8a63057ee26500abbbcb8d55", "version" : "7.13.1" } }, { "identity" : "grpc-binary", "kind" : "remoteSourceControl", "location" : "https://github.com/google/grpc-binary.git", "state" : { "revision" : "e9fad491d0673bdda7063a0341fb6b47a30c5359", "version" : "1.62.2" } }, { "identity" : "gtm-session-fetcher", "kind" : "remoteSourceControl", "location" : "https://github.com/google/gtm-session-fetcher.git", "state" : { "revision" : "9534039303015a84837090d20fa21cae6e5eadb6", "version" : "3.3.2" } }, { "identity" : "interop-ios-for-google-sdks", "kind" : "remoteSourceControl", "location" : "https://github.com/google/interop-ios-for-google-sdks.git", "state" : { "revision" : "2d12673670417654f08f5f90fdd62926dc3a2648", "version" : "100.0.0" } }, { "identity" : "leveldb", "kind" : "remoteSourceControl", "location" : "https://github.com/firebase/leveldb.git", "state" : { "revision" : "43aaef65e0c665daadf848761d560e446d350d3d", "version" : "1.22.4" } }, { "identity" : "nanopb", "kind" : "remoteSourceControl", "location" : "https://github.com/firebase/nanopb.git", "state" : { "revision" : "b7e1104502eca3a213b46303391ca4d3bc8ddec1", "version" : "2.30910.0" } }, { "identity" : "promises", "kind" : "remoteSourceControl", "location" : "https://github.com/google/promises.git", "state" : { "revision" : "540318ecedd63d883069ae7f1ed811a2df00b6ac", "version" : "2.4.0" } }, { "identity" : "swift-protobuf", "kind" : "remoteSourceControl", "location" : "https://github.com/apple/swift-protobuf.git", "state" : { "revision" : "9f0c76544701845ad98716f3f6a774a892152bcb", "version" : "1.26.0" } }, ```

If using CocoaPods, the project's Podfile.lock

Expand Podfile.lock snippet

```yml Replace this line with the contents of your Podfile.lock! ```

google-oss-bot commented 6 months ago

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

ncooke3 commented 6 months ago

@andrei200287, is Firestore being used in the extension? The attached Package.resolved indicates that Firestore is being pulled in. Firestore transitively uses NSPrivacyAccessedAPICategoryFileTimestamp.

Messaging does not use NSPrivacyAccessedAPICategoryFileTimestamp APIs so I'd like to better understand if Messaging is the SDK that is causing this warning.

andrei200287 commented 6 months ago

@ncooke3, thank you for the answer. I don't use Firestore. Messaging is the only SDK included in the extension. It's very easy to reproduce; just add Messages to the extension, send the build for review, and receive an email from Apple.

ITMS-91053: Missing API declaration - Your app’s code in the “PlugIns/pushes.appex/pushes” file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryFileTimestamp. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.

willbattel commented 6 months ago

Experiencing the same with my notifications service extension with SDK version 10.24.0, although my message from Apple includes both NSPrivacyAccessedAPICategoryFileTimestamp and NSPrivacyAccessedAPICategoryUserDefaults.

I use many Firebase modules in my app, but the email from Apple indicates that this pertains specifically to my notification service extension. I suppose it's possible that other modules such as Firestore are somehow being linked in the extension, but I'm not aware of it.

TMS-91053: Missing API declaration - Your app’s code in the “PlugIns/notificationService.appex/notificationService” file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryFileTimestamp. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.

ITMS-91053: Missing API declaration - Your app’s code in the “PlugIns/notificationService.appex/notificationService” file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryUserDefaults. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.

This is the entirety of my Notification Service. We use it to show image thumbnails on the notifications.

import FirebaseMessaging
import UserNotifications

class NotificationService: UNNotificationServiceExtension {

    var contentHandler: ((UNNotificationContent) -> Void)?
    var bestAttemptContent: UNMutableNotificationContent?

    override func didReceive(_ request: UNNotificationRequest, withContentHandler contentHandler: @escaping (UNNotificationContent) -> Void) {
        self.contentHandler = contentHandler
        bestAttemptContent = (request.content.mutableCopy() as? UNMutableNotificationContent)

        guard let bestAttemptContent = bestAttemptContent else {
            return
        }

        Messaging.serviceExtension().populateNotificationContent(bestAttemptContent, withContentHandler: contentHandler)
    }

    override func serviceExtensionTimeWillExpire() {
        if let contentHandler = contentHandler, let bestAttemptContent =  bestAttemptContent {
            contentHandler(bestAttemptContent)
        }
    }

}

Happy to provide more info if requested.

linus-ahlenius commented 6 months ago

This is not limited to extensions. Simply adding FirebaseMessaging to any App target under the "Frameworks, Libraries and Embedded Content section" causes the NSPrivacyAccessedAPICategoryFileTimestamp violation. The same does not seem to be true for FirebaseRemoteConfig, for example.

aureliencolas commented 6 months ago

I already have reported this very issue here but it has been closed.

I confirm what @andrei200287 describes: my NotificationService app extension only imports FirebaseMessaging (as the main app) and I get a NSPrivacyAccessedAPICategoryFileTimestamp warning for both the app and the app extension despite now using Firebase 10.24.0.

Note that FirebaseMessaging has dependencies which make the following modules to also be embedded :

Firebase_FirebaseCore.bundle
Firebase_FirebaseCoreInternal.bundle
Firebase_FirebaseInstallations.bundle
GoogleDataTransport_GoogleDataTransport.bundle
GoogleUtilities_GoogleUtilitiesPrivacy.bundle
nanopb_nanopb.bundle
Promises_FBLPromises.bundle

So if FirebaseMessaging does not use any API related to FileTimestamp, could it be one of its dependencies?

Finally, as a test, I uploaded a version of my app where FirebaseMessaging module is not embedded anymore (neither in the app nor in the NotificationService app extension) and I only got a NSPrivacyAccessedAPICategoryFileTimestamp warning for the main app (not for the app extension anymore).

Since the above-mentioned FirebaseMessaging dependencies are also dependencies for the Firebase frameworks embedded in the main app (FirebaseCrashlytics, FirebaseAnalyticsWithoutAdIdSupport), I definitely suspect one of these dependencies to use the FileTimestamp API.

nikitaame commented 6 months ago

Same issue here. Not getting any warnings from our main project that uses firebase but getting warnings from the notification service extension with similar setup.

Muhammadbarznji commented 6 months ago

Same issue here. any update?

zzdravkin commented 6 months ago

any updates ?

pewebapps commented 6 months ago

Same issue here. Also I’m not even using FirebaseMessaging. Any update?

ncooke3 commented 6 months ago

Hi everyone, I re-audited the dependencies of Messaging and I now believe this is a duplicate of #12557. While Messaging does not use NSPrivacyAccessedAPICategoryFileTimestamp APIs, GoogleUtilities does (see its privacy manifest here) and is a dependency of Messaging.

This issue is on the App Store Connect side and is well described in this https://github.com/firebase/firebase-ios-sdk/issues/12557#issuecomment-2057319060.

I'm now closing this in favor of #12557, but please subscribe to that issue and give a thumbs up to the issue's description to signal that you are affected.

andrei200287 commented 6 months ago

I just submitted my app for review with Firebase version 10.25.0. I didn't receive any error emails, and it got approved within 15 minutes. It seems like the bug has been resolved.

linus-ahlenius commented 6 months ago

@andrei200287 are you sure it is not because Apple relaxed the requirements?

Starting May 1, 2024, new or updated apps that have a newly added third-party SDK that‘s on the list of commonly used third-party SDKs will need all of the following to be submitted in App Store Connect [...]

andrei200287 commented 6 months ago

@linus-ahlenius, I missed this article, thank you. Maybe you're right; it wasn't a newly added SDK.

firebase / firebase-ios-sdk