apple is rejecting apps for kids because of IDFA

[pabloearg]

We are using react-native-firebase for push notifications and analytics, but after 1st of July apple start blocking any update for any app that is for kids if it has any IDFA

so, Apple rejected our app, because there is some code with iDFA present in our app

to test this, we just run in our ios folder:

fgrep -R advertisingIdentifier .

and the command retrieve this:

Binary file ./Pods/GoogleAppMeasurement/Frameworks/GoogleAppMeasurement.framework/GoogleAppMeasurement matches

is there any way to avoid having this library?, or any IDFA present in our app

---

this are our versions:

    "@react-native-firebase/analytics": "7.3.1",
    "@react-native-firebase/app": "8.2.0",
    "@react-native-firebase/messaging": "7.5.0",

[andersonaddo]

Have you linked AdSupport to your Xcode project? Because from my understanding (here, here and here), IDFA only becomes enabled when you manually link AdSupport. It seems like if you don't do that, you can report that you don't use IDFA and the Apple Reviewers seem to agree (meaning they don't reject your app due to misreporting haha).

[pabloearg]

from what I read here::

https://github.com/firebase/firebase-ios-sdk/issues/5153#issuecomment-601875436

they want the app to contain absolutely no IDFA code, regardless of if it is called or not.

[andersonaddo]

Ahhh so it's been fixed upstream. There's already a commit on master to update our native SDK versions; should be released soon.

[mikehardy]

In the meantime you may override SDK versions easily, docs here https://rnfirebase.io/#overriding-native-sdk-versions

[Salakar]

Latest SDKs released today, so this should be fixed.

[ilyakar]

I have used the latest react-native-firebase/app and react-native-firebase/admob on August 29, the problem was still the same.

    "@react-native-firebase/admob": "^7.6.2",
    "@react-native-firebase/app": "^8.4.1",

I believe the problem lies in Google-Mobile-Ads-SDK which includes the IDFA.

[mikehardy]

@ilyakar admod and analytics self-evidently need IDFA. The whole point is: quit targeting kids with ads and tracking. You can't use those for kids apps.

[ilyakar]

No. Ads don't need IDFA. It's an optional thing that gives admob more info about the user. It shouldn't be imported by default. What I'm trying to figure out is how to make sure that Admob doesn't use IDFA.

The comment above says:

Latest SDKs released today, so this should be fixed.

However, that isn't the case, it isn't fixed.

[mikehardy]

Ah, then perhaps it is the case of simply updating the SDK (remove Podfile.lock and do a pod update / pod install cycle). The linked issues contain all the findings from then and it seemed like we were doing all the things necessary for "currently Apple compliant apps" but I've moved on so don't remember, I'll just refer to them

[ilyakar]

I'm using the latest react-native-firebase/admob version and the latest SDKs. Digging deeper, it seems that Google-Mobile-Ads-SDK is doing something bad (see image below).

How do we stop this behaviour and not let it include AdSupport.framework?

By the way, why has this issue been closed?

[mikehardy]

Hi there - some questions - why would the AdMobs library not use IDFA? Why would you make an app for kids with AdMobs in it? I thought the requirement for kids apps was "no ads"?

[curiousdustin]

We have a kids category app that is also getting rejected based on IDFA collection. Apple reps tell us that disabling IDFA collection is not enough. They say we need to remove any code that could collect IDFA, even if it is never executed.

We would like to continue using @react-native-firebase/analytics. Is there any way to use this without including any code that could even potentially access IDFA? As mentioned, it appears that the issue is somewhere within GoogleAppMeasurement.

[ilyakar]

We use Firebase Analytics for a kids app and the analytics seems not to cause a rejection. It’s the Firebase Admob that was causing problems for us so we removed that and now all is fine.

Sent from my iPhone

On 3 Nov 2020, at 19:31, Dustin Bahr notifications@github.com wrote:

 We have a kids category app that is also getting rejected based on IDFA collection. Apple reps tell us that disabling IDFA collection is not enough. They say we need to remove any code that could collect IDFA, even if it is never executed.

We would like to continue using @react-native-firebase/analytics. Is there any way to use this without including any code that could even potentially access IDFA? As mentioned, it appears that the issue is somewhere within GoogleAppMeasurement.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe.

[mikehardy]

I'm not 100% sure @curiousdustin but I don't believe Kids category apps can use analytics. My best suggestion is to check out the issues list in firebase-ios-sdk and see if others have worked through this. https://github.com/firebase/firebase-ios-sdk

[ilyakar]

We have a kids app and use analytics. They just don’t want us to use or reference the AdSupport.framework aka: IDFA.

Sent from my iPhone

On 8 Nov 2020, at 17:39, Mike Hardy notifications@github.com wrote:

 I'm not 100% sure @curiousdustin but I don't believe Kids category apps can use analytics. My best suggestion is to check out the issues list in firebase-ios-sdk and see if others have worked through this. https://github.com/firebase/firebase-ios-sdk

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe.

[curiousdustin]

After more research and trial and error, I agree with @ilyakar. We were able to get a build approved by Apple with the following packages installed:

    "@react-native-firebase/analytics": "^7.6.9",
    "@react-native-firebase/app": "^8.4.7",
    "@react-native-firebase/crashlytics": "^8.4.12",
    "@react-native-firebase/perf": "^7.4.10",

Also, correct, we are not linking AdSupport.framework to avoid IDFA collection.

While we have not been able to get solid confirmation from Apple yet, it seems that our rejections are actually being caused by AppsFlyer instead.

[mikehardy]

Interesting, I will revise my demo script then as I was under the impression that analytics was not allowed either:

https://github.com/mikehardy/rnfbdemo/blob/ad0d82dba4008b801f1d41ce5b9532337b6a076e/make-demo.sh#L12 https://github.com/mikehardy/rnfbdemo/blob/ad0d82dba4008b801f1d41ce5b9532337b6a076e/make-demo.sh#L146-L155

Appears I can keep analytics in and just remove admob. If Apple let it through I think that's a solid result, I believe they are just doing static analysis on the binaries and looking for any call in the binary at all (used or not) to the underlying IDFA APIs, so if they passed it, that should be that.

Thanks for the report!

[mikehardy]

This may be of interest to people. firebase-ios-sdk 7.8.0 has apparently made enough changes that Analytics is possible from within an iOS-acceptable kids app? https://github.com/firebase/firebase-ios-sdk/issues/7652