klarna / klarna-mobile-sdk

Klarna Mobile SDK for iOS
https://docs.klarna.com/mobile-sdk/ios/
Apache License 2.0

Builds using 2.0.44 rejected by Apple due to issue ITMS-90683 #114

Closed danpalmer closed 1 year ago

danpalmer commented 3 years ago

Describe the bug

Since upgrading to 2.0.44, builds of our app are rejected by Apple under requirement ITMS-90683.

Full details from Apple's emails:

ITMS-90683: Missing Purpose String in Info.plist - Your app's code references one or more APIs that access sensitive user data. The app's Info.plist file should contain a NSCameraUsageDescription key with a user-facing purpose string explaining clearly and completely why your app needs the data. Starting Spring 2019, all apps submitted to the App Store that access user data are required to include a purpose string. If you're using external libraries or SDKs, they may reference APIs that require a purpose string. While your app might not use these APIs, a purpose string is still required. You can contact the developer of the library or SDK and request they release a version of their code that doesn't contain the APIs. Learn more (https://developer.apple.com/documentation/uikit/core_app/protecting_the_user_s_privacy).

To Reproduce

Submit build of new app to Apple using the Klarna Mobile SDK v2.0.44.

Expected behavior

I would expect Klarna to document that the NSCameraUsageDescription key is required to use this version of the SDK, as well as documentation for why the SDK needs camera access, and example usage description strings for apps to use for this.

Screenshots

Not applicable.

Merchant Name

Merchant: H&M

Application: Sorted by H&M

Impact Level

We can work around this by downgrading to an earlier version.

Additional context

Looking at the git diff of the latest release, it looks like Klarna has added the ability to scan a card (based on nib name), and this could potentially be using the camera. As the framework is closed source we are unable to confirm this as the use, or the only usage. We could come up with some copy for this, but as we don't know for sure we'd prefer to use a string recommended by the SDK, or based on SDK documentation.
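
A pre-submission check for the rejection reported above, as an added example that is not part of the original issue or of Klarna's SDK: it scans a built .app's main executable and embedded framework binaries for class names tied to purpose strings and reports the keys missing from Info.plist. The marker table is a heuristic assumption and not Apple's own check; the function names and the conventional `Frameworks/<Name>.framework/<Name>` layout are assumptions too.

```python
import plistlib
import sys
from pathlib import Path

# Heuristic markers (an assumption of this example, not Apple's rule set):
# class name found in a binary -> Info.plist purpose-string key it implies.
MARKERS = {
    b"AVCaptureDevice": "NSCameraUsageDescription",
    b"CLLocationManager": "NSLocationWhenInUseUsageDescription",
    b"CNContactStore": "NSContactsUsageDescription",
}


def bundle_binaries(app_dir):
    """Yield the main executable and every embedded framework binary."""
    app_dir = Path(app_dir)
    info = plistlib.loads((app_dir / "Info.plist").read_bytes())
    exe = app_dir / info.get("CFBundleExecutable", app_dir.stem)
    if exe.is_file():
        yield exe
    # Assumes the framework binary is named after the framework directory.
    for fw in sorted(app_dir.glob("Frameworks/*.framework")):
        binary = fw / fw.stem
        if binary.is_file():
            yield binary


def missing_purpose_strings(app_dir):
    """Return {key: [binaries referencing the API]} for absent or empty keys."""
    app_dir = Path(app_dir)
    info = plistlib.loads((app_dir / "Info.plist").read_bytes())
    findings = {}
    for binary in bundle_binaries(app_dir):
        data = binary.read_bytes()
        for marker, key in MARKERS.items():
            value = info.get(key)
            if marker in data and not (isinstance(value, str) and value.strip()):
                findings.setdefault(key, []).append(binary.name)
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_purpose_strings.py path/to/App.app")
    report = missing_purpose_strings(sys.argv[1])
    for key, binaries in report.items():
        print(f"{key} missing; referenced by: {', '.join(binaries)}")
    sys.exit(1 if report else 0)
```

Run against the archived .app in CI after every dependency bump; the per-binary attribution shows which third-party framework introduced the new reference.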

polar133 commented 3 years ago

Hi @danpalmer, we have documented the requirement of the permission in our docs. There is also a light version of the SDK without the card scan feature.

If the integration is by SPM we also have the repo: https://github.com/klarna/klarna-mobile-sdk-basic-spm

We take the feedback to improve our docs in the future, if there is any issue integrating the light/basic version please let us know.

danpalmer commented 3 years ago

Ah thanks, glad to know it's in those docs.

I feel like this change is essentially a breaking change, what do you think?

Generally I don't go back to re-read the full documentation for a library when upgrading it unless I want to use new functionality or need to replace removed functionality. The scope of what could be different is too large, and it doesn't feel like a productive use of time in most cases.

I'd normally expect breaking changes to be signalled in two ways:

When we found this break we did check the changelog for Klarna as well as other SDKs, but didn't find anything indicating a breaking change, which slowed down the process a bit. Looking at the changelog now I can't actually see which release would have added the change that is causing the break. I had thought it was 2.0.44 but it looks like it was introduced earlier than that.

What do you think about this? I'm not certain if the intention is that the SDK follows semantic versioning practices or not, but various things like the versioning scheme and comments in the changelog imply that semver is followed.

NMGuner commented 1 year ago

We are trying our best to be more open about the changes and comply with semver versioning in a better way, especially when adding features since that release.

I will close the issue due to it happening 2 years ago, but hopefully it will not happen again, sorry for any inconvenience.