Privacy Manifest

[dplewis]

New Issue Checklist

• [x] I am not disclosing a vulnerability.
• [x] I am not just asking a question.
• [x] I have searched through existing issues.
• [x] I can reproduce the issue with the latest versions of Parse Server and the Parse ObjC SDK.

Issue Description

At WWDC23 Apple announced that apps and SDKs that make use of "required reason" APIs and "Data Collection", "Tracking" will need to provide a privacy manifest. An application will be rejected if missing a privacy manifest

https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_data_use_in_privacy_manifests https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api

Starscream has been listed on Apple's website as a library that requires a privacy manifest. https://developer.apple.com/support/third-party-SDK-requirements

Reminder: Privacy requirement for app submissions starts May 1

Approach

• Update Starscream to 4.0.8
• Add privacy manifest to the SDK if needed

[parse-github-assistant[bot]]

Thanks for opening this issue!

• 🚀 You can help us to fix this issue faster by opening a pull request with a failing test. See our Contribution Guide for how to make a pull request, or read our New Contributor's Guide if this is your first time contributing.

[JohnCaccavale]

The Privacy Manifest for Parse SDK I think ought to be straightforward I would imagine. I believe the Privacy Tracking Enabled Boolean would just be set to false, with an empty array for the privacy tracking domains.

For the NSPrivacyCollectedDataTypes, I would imagine this could then be left empty as well? Given that this SDK isn't gathering user data, but rather, it is the user of this SDK that is gathering data to store on their Parse instance.

What annoys me about Apple's label types, they don't seem to have a good way of indicating if any of the data is optional, as far as I can tell. For example, Parse allows for Anonymous accounts which is great, I offer that option to my users. But if someone wants to create an account and provide an email, I don't know how to say mark the NSPrivacyCollectedDataTypeEmailAddress as optional.

I think the only thing needed here would be the Privacy Accessed API Types for the User Defaults APIs. I did a quick search, but don't think I came across any file timestamp APIs. I certainly didn't see any use of System boot time APIs.

[dplewis]

I'm submitting an app to the App Store soon for review. I'll see if it's rejected. If it doesn't we may not need a Privacy Manifest for the SDK.

[JohnCaccavale]

I submitted an app update on Friday and was approved yesterday. Does not appear as though this SDK needs the Privacy Manifest, and is not on the list of 3rd Party SDKs they are requiring Privacy Manifests for.

With that said, this issue could probably be closed.

[mtrezza]

Apple recommends all SDK developers add a privacy manifest. It's fair to assume that the explicit list is only the beginning of this policy.

[dplewis]

@JohnCaccavale My app also got approved without issue. Can you add a privacy manifest to this SDK? Looks like you done the research.

[JohnCaccavale]

Yes, I can add in when I get a chance. Would likely be towards end of the week or weekend.