firebase / firebase-ios-sdk

Firebase SDK for Apple App Development
https://firebase.google.com
Apache License 2.0

Rejection from Apple review team because of Your app implements the App Tracking Transparency framework #7736

Closed jkb0o closed 3 years ago

jkb0o commented 3 years ago

[REQUIRED] Step 1: Describe your environment

[REQUIRED] Step 2: Describe the problem

Hello. We are working on an educational app for kids. We use a C++ based application on iOS; firebase-ios-sdk is the only third-party library we use. The Apple review team rejected our application because of "Your app implements the App Tracking Transparency framework". There are no adSupport or iAd frameworks linked. We completely disable analytics by adding <key>FIREBASE_ANALYTICS_COLLECTION_ENABLED</key><false/> to the Info.plist. We are running out of ideas. Please help.

Here is the message from the Apple review team:

We noticed that your Kids Category app includes analytics, advertising and collects, transmits, or has the ability to share personal information or device information with third parties. Specifically:

Here is the list of frameworks we are using:

Screenshot 2021-03-17 at 18 47 42

google-oss-bot commented 3 years ago

I found a few problems with this issue:

paulb777 commented 3 years ago

Sorry about the trouble. Can you confirm that you updated the GoogleAppMeasurement.framework in your app from the 7.8.1 zip distribution?

jkb0o commented 3 years ago

Yes, we did update all frameworks (zip archive from the release section); GoogleAppMeasurement.framework was also updated. Here is also the output from the info.plist of the framework:

> cat FirebaseAnalytics/GoogleAppMeasurement.xcframework/ios-arm64_armv7/GoogleAppMeasurement.framework/Info.plist | grep -1 CFBundleVersion
        <string>FMWK</string>
        <key>CFBundleVersion</key>
        <string>7.8.1</string>

paulb777 commented 3 years ago

Thanks. Hmm, we haven't received any other reports about 7.8.1 causing rejections. Was there anything else in the Apple rejection providing detail on the symbols that they are objecting to?

Another option, both to narrow it down and maybe move forward if you don't need Analytics, would be to remove FirebaseAnalytics.framework and GoogleAppMeasurement.framework and resubmit.

paulb777 commented 3 years ago

In the meantime, we're doing additional tests on our end to try to isolate any remaining issues.

jkb0o commented 3 years ago

> Thanks. Hmm, we haven't received any other reports about 7.8.1 causing rejections. Was there anything else in the Apple rejection providing detail on the symbols that they are objecting to?

There are some reports: https://github.com/firebase/quickstart-unity/issues/994#issuecomment-800924057 and https://github.com/firebase/quickstart-unity/issues/989#issuecomment-800919375. They are about the Unity-based package, but I guess it is built on top of firebase-ios-sdk 7.8.1.

> Another option, both to narrow it down and maybe move forward if you don't need Analytics, would be to remove FirebaseAnalytics.framework and GoogleAppMeasurement.framework and resubmit.

Last time I've tried to remove analytics and/or GoogleAppMeasurement I've ended up with no luck. Looks like other frameworks depend on problematic ones, and I need to disable them (FirebaseABTesting, FirebaseCrashlytics, FirebaseDynamicLinks, etc.)

I will try again and report the results.

thienphuoc commented 3 years ago

I am facing the same problem as above. Could the Firebase team help us resolve this issue?

haydarKarkin commented 3 years ago

+1, we got rejection too, we couldn't release our app with Firebase Analytics 7.8.1

I also mentioned that issue in #7695

eduhub123 commented 3 years ago

Hi all, is there any update on this issue?

ungripped commented 3 years ago

We are also getting rejections for App Tracking Transparency framework violations. From a quick scan of the GoogleAppMeasurement framework, it looks like the binary still contains runtime loading of the ATTrackingManager class and API calls, but obfuscated and loaded with NSClassFromString and NSSelectorFromString.

Some transparency from Firebase would be appreciated here about what changes are being made, as it is getting a bit embarrassing submitting new builds without knowing what has changed. (Is this new version just more of the same obfuscation etc?)

The way forward here would be to open source the parts of the frameworks that contain the violating code, and allow us as users to add #defines in the Cocoapod compile step to exclude the parts, just like other Analytics frameworks have been doing for a long time to exclude any code relating to ASIdentifierManager for example.

ungripped commented 3 years ago

> Thanks. Hmm, we haven't received any other reports about 7.8.1 causing rejections. Was there anything else in the Apple rejection providing detail on the symbols that they are objecting to?
>
> Another option, both to narrow it down and maybe move forward if you don't need Analytics, would be to remove FirebaseAnalytics.framework and GoogleAppMeasurement.framework and resubmit.

I would assume they are objecting to the fact that the ATTrackingManager references are still in the binaries, just split into multiple strings.

I can confirm that submitting without FirebaseAnalytics.framework and GoogleAppMeasurement.framework does pass review, but is not very helpful in other ways than narrowing down the location of the problem, since we do actually use Firebase Analytics...

jkb0o commented 3 years ago

I can also confirm that submitting without FirebaseAnalytics.framework and GoogleAppMeasurement.framework does pass the review.

AlexNay-iOS commented 3 years ago

Hello, everyone! Did somebody get the rejection details from the Apple, like method or property names they are objecting to?

jfinkelstein-ixl commented 3 years ago

Will Firebase please create their own test app that uses FirebaseAnalytics.framework and GoogleAppMeasurement.framework and submit it to the app store as a kids category app so that they can communicate directly with Apple about the issue instead of us being the middle people? Firebase can choose a manual submission so it doesn't actually end up on the app store when Apple approves it. Especially when we don't have visibility into the Firebase code, we're just submitting blind and the process is slowed by us relaying the message from Apple to Firebase.

jkb0o commented 3 years ago

Any progress with hiding GoogleAppMeasurement? It's quite critical for us. For now, we are walking in the dark with zero information about users' behavior. Right before the most important release for the last three years. @paulb777, @ryanwilson?

GregoireTapptic commented 3 years ago

We have the same issue here for a Kids app with rejections from Apple with Firebase 8.7.1 and we would really need a solution as it blocks us from releasing anything on the Store.

jkb0o commented 3 years ago

@GregoireTapptic The solution is to build without FirebaseAnalytics and GoogleAppMeasurement frameworks. We did pass the review.

GregoireTapptic commented 3 years ago

Thanks @jkb0o but as I understand, this prevents from getting Analytics from Firebase right? What about Crashlytics?

eburley commented 3 years ago

We’re sorry you’re seeing rejections. Google Analytics for Firebase has provided AdSupport as an optional feature for a long time, and introduced optional support for AppTrackingTransparency last year. Our approach has been to use NSClassFromString and NSSelector to detect the presence of these frameworks - this approach is now resulting in App Store rejections. Our team is working on decoupling this detection and providing more transparency on the product behavior.

jkb0o commented 3 years ago

> Thanks @jkb0o but as I understand, this prevents from getting Analytics from Firebase right? What about Crashlytics?

Yeah, you will stop getting Analytics. Crashlytics is a different part I guess, it works just fine.

JohannesWarn commented 3 years ago

We are also being rejected with the 7.8.1 version of the Firebase SDK. Same message from Apple. We asked Apple for more details but unfortunately only got the same message again.

mobilepm commented 3 years ago

We're also a kids app being rejected with 7.8.1. Apple told us "the ATTrackingManager and trackingAuthorizationStatus dynamic usage remains in place via concatenation in block code associated with -[APMIdentity updateIdentifiers]."

Could you help us resolve this issue ASAP? Thanks

jkb0o commented 3 years ago

Is it possible to release a strict version of the framework? Like Appsflyer does. Without any tracking or suspicious things. Just to keep the kids happy?

bilck commented 3 years ago

> Is it possible to release a strict version of the framework? Like Appsflyer does. Without any tracking or suspicious things. Just to keep the kids happy?

I came to this post just to make the exact same suggestion.

We removed Firebase App Analytics from our app, but "Firebase/Core" pod dependency drags along "FirebaseAnalytics". Note: We use Firebase SDK for Unity 3D, including Firebase Remote Config and Crashlytics.

paulb777 commented 3 years ago

@bilck The Firebase/Core subspec is no longer recommended instead of specifying the Firebase pods specifically needed. See https://firebase.google.com/docs/ios/setup

BTW, we're working to get a more tangible response here on the issue soon.

ryanwilson commented 3 years ago

Hi everyone, apologies for the delay. We've put together a short-term fix to unblock app submissions and are working hard on a longer-term solution for all package managers. The following one-off build is based on the 7.9.0 release but has excluded the APIs flagged by App Review.

CocoaPods

In your Podfile, update the version specifier on Firebase/Analytics and any other Firebase/* pod to 7.9.0-k2.

pod 'Firebase/Analytics', '7.9.0-k2'

Then, run pod update and check your Podfile.lock to ensure the -k2 suffix exists on the FirebaseAnalytics and GoogleAppMeasurement Pods.

Zip Integration

Please download the following tar.gz files and replace the .xcframeworks in your project:

Note: k1 here and k2 in CocoaPods are identical.

Swift Package Manager

If you’re using Swift Package Manager, using the above tar.gz downloads and replacing them in your .build directory may be sufficient, but if you have issues please let us know.

Further Updates

If you pass App Review using this new artifact, can you please add a rocket emoji reaction (🚀) to this post letting us know you were successful and are now unblocked? If this doesn't work for you, please reply to this thread with the rejection notice if possible and we'll respond ASAP.

Apologies once again, we'll update this thread with further instructions when the longer-term solution is in place. Thank you.

jfinkelstein-ixl commented 3 years ago

hi @ryanwilson thank you for the update!

1) We should update to 7.9.0-k2 (not 7.9.0-k1) for cocoapods, correct?
2) After we updated to 7.9.0-k2 (and ran pod update) in the Podfile.lock, I only see -k2 as part of the version (7.9.0-k2) for Firebase/Analytics and Firebase/Crashlytics in the DEPENDENCIES section not in the PODS section (there it's just 7.9.0 for FirebaseAnalytics, GoogleAppMeasurement, and others). Is this okay? Should we check the version somewhere else? Is there anything else we should do/run?

Thank you!

paulb777 commented 3 years ago

Hi @jfinkelstein-ixl Firebase, FirebaseAnalytics, and GoogleAppMeasurement should all be the -k2 version.

After adding the following to the Analytics Quickstart Podfile:

  pod 'Firebase/Analytics', '7.9.0-k2'
  pod 'Firebase/Crashlytics', '7.9.0-k2'

I see

Screen Shot 2021-03-31 at 4 03 17 PM
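
The Podfile.lock check discussed in the posts above, as an added example that is not part of the original thread or of the Firebase project: it reads the PODS section (the versions CocoaPods actually resolved, as opposed to the versions requested under DEPENDENCIES) and lists the pods that did not resolve to the -k2 build. The sample lockfiles, WATCHED_ROOTS and the function names are constructed for illustration.

```ruby
require 'yaml'

# Pods that the reply above says must all resolve to the -k2 build.
WATCHED_ROOTS = %w[Firebase FirebaseAnalytics GoogleAppMeasurement].freeze

# Constructed sample: DEPENDENCIES asks for -k2 but PODS resolved to plain 7.9.0,
# the state described in the question above. The nanopb entry is a constructed
# unrelated pod that the check must ignore.
STALE_LOCK = <<~LOCK
  PODS:
    - Firebase/Analytics (7.9.0):
      - Firebase/Core
    - Firebase/Core (7.9.0):
      - FirebaseAnalytics (= 7.9.0)
    - FirebaseAnalytics (7.9.0):
      - GoogleAppMeasurement (= 7.9.0)
    - GoogleAppMeasurement (7.9.0)
    - nanopb (1.30906.0)

  DEPENDENCIES:
    - Firebase/Analytics (= 7.9.0-k2)
LOCK

# Constructed sample of the expected state: every watched pod carries -k2.
PATCHED_LOCK = STALE_LOCK.gsub('7.9.0)', '7.9.0-k2)')

# Parse the PODS section into { "Pod/Subspec" => "resolved version" }.
# Entries are plain strings or single-key hashes (pod => its dependencies).
def resolved_versions(lock_text)
  pods = (YAML.safe_load(lock_text) || {}).fetch('PODS', [])
  pods.each_with_object({}) do |entry, out|
    label = entry.is_a?(Hash) ? entry.keys.first : entry
    match = label.to_s.match(/\A(\S+) \((.+)\)\z/)
    out[match[1]] = match[2] if match
  end
end

# Names of watched pods whose resolved version does not end in the suffix.
def unpatched_pods(lock_text, suffix = '-k2')
  resolved_versions(lock_text)
    .select { |name, _| WATCHED_ROOTS.include?(name.split('/').first) }
    .reject { |_, version| version.end_with?(suffix) }
    .keys.sort
end

if __FILE__ == $PROGRAM_NAME
  # Pass a real Podfile.lock path as the first argument; defaults to the sample.
  text = ARGV[0] && File.file?(ARGV[0]) ? File.read(ARGV[0]) : STALE_LOCK
  bad = unpatched_pods(text)
  puts bad.empty? ? 'all watched pods resolve to -k2' : "not -k2: #{bad.join(', ')}"
end
```
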

curiousdustin commented 3 years ago

I can confirm that an update to one of my kids category apps was facing this rejection.

I switched to using 7.9.0-k2 and resubmitted. I was approved within a few hours.

🚀

curiousdustin commented 3 years ago

@ryanwilson @paulb777, Is there anything in particular that this change may have broken? I will be testing my app a bit more before releasing the approved version.

My app uses:

- Firebase
- Firebase/Analytics
- Firebase/Core
- Firebase/CoreOnly
- Firebase/Crashlytics
- Firebase/Messaging
- Firebase/Performance
- FirebaseABTesting
- FirebaseAnalytics
- FirebaseCore
- FirebaseCoreDiagnostics
- FirebaseCrashlytics
- FirebaseInstallations
- FirebaseInstanceID
- FirebaseMessaging
- FirebasePerformance
- FirebaseRemoteConfig

thienphuoc commented 3 years ago

Thanks, Firebase team! After we updated the Firebase SDK to 7.9.0-k2, my app was approved by Apple.

acunap commented 3 years ago

Thank you for the update. We got our child's app approved yesterday using this SDK version on Cordova.

jkb0o commented 3 years ago

Thank you! We got approved with the archive release.

christinachanhk commented 3 years ago

I was using Firebase version 7.8.0 and my app got rejected for collecting user and device information to create a unique identifier for the user's device. After updating to 7.9.0-k2, my app got approved by Apple. I also tested Firebase/Messaging for push notifications, and that works fine.

Thanks for the update.

mortenbekditlevsen commented 3 years ago

Is the fix included in Firebase 7.10.0?

lanouari-Mar1 commented 3 years ago

We got approved with the Firebase 7.10.0 release, thank you :)

paulb777 commented 3 years ago

So far the fix is only in 7.9.0-k2. We're working on a longer term solution that will be part of regular releases, but it will likely take a few more releases. Until then, we recommend that Kids apps stay on 7.9.0-k2.

aasamson commented 3 years ago

I updated my FirebaseAnalytics, FirebaseCrashlytics and Firebase from 7.0.0 to 7.10.0 but my app is still rejected, can someone help me :'(. Thank you in advance.

Screen Shot 2021-04-11 at 2 58 09 AM Screen Shot 2021-04-11 at 2 57 07 AM

paulb777 commented 3 years ago

@aasamson See details above, especially https://github.com/firebase/firebase-ios-sdk/issues/7736#issuecomment-811340570

aasamson commented 3 years ago

Hi upon installing again the project with 7.9.0-k2, I didn't seem to get the 7.9.0-k2 version in Firebase/Analytics. Here's the screenshot. Can you help me :'(

Screen Shot 2021-04-11 at 3 22 59 AM Screen Shot 2021-04-11 at 3 23 16 AM

Thank you so much.

paulb777 commented 3 years ago

From the instructions linked:

> In your Podfile, update the version specifier on Firebase/Analytics and any other Firebase/* pod to 7.9.0-k2.
>
> pod 'Firebase/Analytics', '7.9.0-k2'

aasamson commented 3 years ago

Thank you so much <3 I'll update you once the app is approved.

Screen Shot 2021-04-11 at 3 31 21 AM

pablo-leite-playkids commented 3 years ago

Hi, our release was finally approved using the 7.9.0-k2. However, we lost track of Google Ads campaigns completely, which is crucial for our product. Was this expected? Is there anything we can do to fix this? Thanks!

paulb777 commented 3 years ago

Google Ads campaigns require IDFA, which is disabled with 7.9.0-k2, so no easy answer here.

pablo-leite-playkids commented 3 years ago

What about SKAdNetwork? Is there any plan to support Google Ads campaigns tracking in the future, as currently there's no way to optimize Google Ads on Kids Category app.

mikehardy commented 3 years ago

@paulb777 I believe this is an accurate statement, based on the recent 7.11.0 release? I just added support and launched it in react-native-firebase but I figured it can't hurt to cross-check here:

There has been more development in this area, and I believe the combo of firebase-ios-sdk 7.11.0 (which added a cocoapods subspec to Analytics with no AdIds) in combo with the support I added for the same in react-native-firebase v11.4.x may be the final solution: https://github.com/invertase/react-native-firebase/blob/master/CHANGELOG.md#1141-2021-04-29

paulb777 commented 3 years ago

@mikehardy It looks like it, but I'm not fully educated enough to make a full judgement about the react-native-firebase integration

mikehardy commented 3 years ago

@paulb777 If RNFB users set a variable in their Podfile that we look for in our RNFBAnalytics.podspec, we include the new subspec you all publish with no ad ids, otherwise they get the original Firebase/Analytics dependency

I put guards in requiring 7.11.0 min and also verify in RNFBAdMob that they did not set the variable as that would make no sense.

Examination of Podfile.lock with and without the variable shows expected results (Analytics and AppMeasurement either with or without ad ids, depending)

So I think it's all set, at long last! Quite the odyssey on this one.

mcezzare commented 3 years ago

Hi. Thanks for the update. A question: after updating to these versions:

pod 'Firebase/Analytics', '7.9.0-k2'
pod 'Firebase/Crashlytics', '7.9.0-k2'

Is it necessary to change anything in the app privacy policy on the Apple store?

mikehardy commented 3 years ago

@mcezzare I think the current best solution is not the k2 variants but the new 7.11.0 release, and an include of Firebase/AnalyticsWithoutAdIdSupport

I'm not sure anyone can say exactly what Apple wants at any given time as it appears to fluctuate depending on reviewer's mood (personal opinion), and your app may have other reasons that it needs to implement ATT or privacy policy, but it is my understanding that if you use Firebase/AnalyticsWithoutAdIdSupport then you are not using IDFA via Firebase at least, and that can feed into your decision making process.