google-oss-bot
commented
5 months ago I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
Closed tboniger closed 5 months ago
google-oss-bot
commented
5 months ago I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
ncooke3
commented
5 months ago Hi @tboniger, this is likely the same issue as in #12557. Could you share your Package.resolved? Analytics does not use any R.R. API so it's likely that the NSPrivacyAccessedAPICategoryFileTimestamp is coming from another SDK, and the App Store Connect issue discussed in #12557 is not processing the SDK's manifest– causing the warning email.
tboniger
commented
5 months ago Sure:
{ "pins" : [ { "identity" : "abseil-cpp-binary", "kind" : "remoteSourceControl", "location" : "https://github.com/google/abseil-cpp-binary.git", "state" : { "revision" : "748c7837511d0e6a507737353af268484e1745e2", "version" : "1.2024011601.1" } }, { "identity" : "app-check", "kind" : "remoteSourceControl", "location" : "https://github.com/google/app-check.git", "state" : { "revision" : "c218c2054299b15ae577e818bbba16084d3eabe6", "version" : "10.18.2" } }, { "identity" : "firebase-ios-sdk", "kind" : "remoteSourceControl", "location" : "https://github.com/firebase/firebase-ios-sdk", "state" : { "revision" : "42eae77a0af79e9c3f41df04a23c76f05cfdda77", "version" : "10.24.0" } }, { "identity" : "googleappmeasurement", "kind" : "remoteSourceControl", "location" : "https://github.com/google/GoogleAppMeasurement.git", "state" : { "revision" : "51ba746a9d51a4bd0774b68499b0c73ef6e8570d", "version" : "10.24.0" } }, { "identity" : "googledatatransport", "kind" : "remoteSourceControl", "location" : "https://github.com/google/GoogleDataTransport.git", "state" : { "revision" : "a637d318ae7ae246b02d7305121275bc75ed5565", "version" : "9.4.0" } }, { "identity" : "googleutilities", "kind" : "remoteSourceControl", "location" : "https://github.com/google/GoogleUtilities.git", "state" : { "revision" : "bc27fad73504f3d4af235de451f02ee22586ebd3", "version" : "7.12.1" } }, { "identity" : "grpc-binary", "kind" : "remoteSourceControl", "location" : "https://github.com/google/grpc-binary.git", "state" : { "revision" : "e9fad491d0673bdda7063a0341fb6b47a30c5359", "version" : "1.62.2" } }, { "identity" : "gtm-session-fetcher", "kind" : "remoteSourceControl", "location" : "https://github.com/google/gtm-session-fetcher.git", "state" : { "revision" : "76135c9f4e1ac85459d5fec61b6f76ac47ab3a4c", "version" : "3.3.1" } }, { "identity" : "interop-ios-for-google-sdks", "kind" : "remoteSourceControl", "location" : "https://github.com/google/interop-ios-for-google-sdks.git", "state" : { "revision" : "2d12673670417654f08f5f90fdd62926dc3a2648", "version" : "100.0.0" } }, { "identity" : "leveldb", "kind" : "remoteSourceControl", "location" : "https://github.com/firebase/leveldb.git", "state" : { "revision" : "0706abcc6b0bd9cedfbb015ba840e4a780b5159b", "version" : "1.22.2" } }, { "identity" : "nanopb", "kind" : "remoteSourceControl", "location" : "https://github.com/firebase/nanopb.git", "state" : { "revision" : "819d0a2173aff699fb8c364b6fb906f7cdb1a692", "version" : "2.30909.0" } }, { "identity" : "promises", "kind" : "remoteSourceControl", "location" : "https://github.com/google/promises.git", "state" : { "revision" : "540318ecedd63d883069ae7f1ed811a2df00b6ac", "version" : "2.4.0" } } ], "version" : 2 }
Image of the email where you can see it mentions both the main and the app clip targets.
Image of just Analytics in the app clip
When we remove that, we get an email with just showing the main target showing the issue. That's what lead us to believe Analytics was the culprit. Thanks for any insight you can provide.
ncooke3
commented
5 months ago Thanks! So the warning is most likely coming from GoogleUtilities, which is used by FirebaseAnalytics. GoogleUtilities uses the timestamp API and has it declared in its privacy manifest: https://github.com/google/GoogleUtilities/blob/26c898aed8bed13b8a63057ee26500abbbcb8d55/GoogleUtilities/Privacy/Resources/PrivacyInfo.xcprivacy#L17
So I'm going to mark this as closed in favor of #12557. This problem affects all 3P SDKs with R.R. usage currently (not just Firebase) and we are awaiting on a fix from Apple. As it stands now, the App Store connect validator only seems to apply justifications for R.R. API from the main app's privacy manifest. That's why workaround like this work.
tboniger
commented
5 months ago Ok. Thank you for checking. I'll follow the other ticket for updates.
Description
FirebaseAnalytics is the only dependency in our app clip. We are getting an email from Apple for NSPrivacyAccessedAPICategoryFileTimestamp access upon submittal. Removing FirebaseAnalytics from the app clip removes the issue. I saw another report where it was stated that privacy manifests were only being added for the items on Apple's list, and the others updated later. FirebaseAnalytics isn't on that list. Will a version with a privacy manifest be available for this library before May 1st?
Reproducing the issue
Add FirebaseAnalytics to app and submit to Testflight or AppStore.
Firebase SDK Version
10.24
Xcode Version
15.2
Installation Method
Swift Package Manager
Firebase Product(s)
Analytics
Targeted Platforms
iOS
Relevant Log Output
No response
If using Swift Package Manager, the project's Package.resolved
Expand
Package.resolvedsnippet```json Replace this line with the contents of your Package.resolved. ```
If using CocoaPods, the project's Podfile.lock
Expand
Podfile.locksnippet```yml Replace this line with the contents of your Podfile.lock! ```