search

rive-app / rive-flutter

Flutter runtime for Rive
https://rive.app
MIT License
1.2k stars 188 forks source link

Missing rive-common Apple Privacy Manifest #382

Closed inceptusp closed 4 months ago

inceptusp commented 5 months ago

Apple updated its requirements for uploading to the app store and now requests a PrivacyInfo.xcprivacy manifest file informing about sensitive API usage. From May 1st they will start preventing the upload of apps that do not discriminate all uses of sensitive APIs.

Third-party SDKs must include their own manifests.

The flutter team have updated most of their first-party packages to include their manifests. After a analysis on my app that depends on rive the rive-common transitive dependency is missing its privacy manifest

Analyzing rive_common-0.4.5 ...
⚠️  Missing privacy manifest file!
API usage analysis result(s): 14
[0] NSPrivacyAccessedAPICategoryFileTimestamp:stat,fstat:/Users/pedrocarvalho/.pub-cache/hosted/pub.dev/rive_common-0.4.5/ios/harfbuzz/src/hb-blob.cc
[1] NSPrivacyAccessedAPICategoryFileTimestamp:stat:/Users/pedrocarvalho/.pub-cache/hosted/pub.dev/rive_common-0.4.5/ios/harfbuzz/src/hb-ot-font.cc
[2] NSPrivacyAccessedAPICategoryFileTimestamp:stat:/Users/pedrocarvalho/.pub-cache/hosted/pub.dev/rive_common-0.4.5/ios/harfbuzz/src/hb-style.cc
[3] NSPrivacyAccessedAPICategoryFileTimestamp:stat:/Users/pedrocarvalho/.pub-cache/hosted/pub.dev/rive_common-0.4.5/ios/harfbuzz/src/hb-subset-plan.cc
[4] NSPrivacyAccessedAPICategoryFileTimestamp:stat:/Users/pedrocarvalho/.pub-cache/hosted/pub.dev/rive_common-0.4.5/ios/harfbuzz/src/hb-subset.cc
[5] NSPrivacyAccessedAPICategoryFileTimestamp:stat:/Users/pedrocarvalho/.pub-cache/hosted/pub.dev/rive_common-0.4.5/ios/miniaudio/extras/miniaudio_split/miniaudio.c
[6] NSPrivacyAccessedAPICategoryFileTimestamp:stat:/Users/pedrocarvalho/.pub-cache/hosted/pub.dev/rive_common-0.4.5/ios/miniaudio/miniaudio.h
[7] NSPrivacyAccessedAPICategoryFileTimestamp:stat,fstat:/Users/pedrocarvalho/.pub-cache/hosted/pub.dev/rive_common-0.4.5/macos/harfbuzz/src/hb-blob.cc
[8] NSPrivacyAccessedAPICategoryFileTimestamp:stat:/Users/pedrocarvalho/.pub-cache/hosted/pub.dev/rive_common-0.4.5/macos/harfbuzz/src/hb-ot-font.cc
[9] NSPrivacyAccessedAPICategoryFileTimestamp:stat:/Users/pedrocarvalho/.pub-cache/hosted/pub.dev/rive_common-0.4.5/macos/harfbuzz/src/hb-style.cc
[10] NSPrivacyAccessedAPICategoryFileTimestamp:stat:/Users/pedrocarvalho/.pub-cache/hosted/pub.dev/rive_common-0.4.5/macos/harfbuzz/src/hb-subset-plan.cc
[11] NSPrivacyAccessedAPICategoryFileTimestamp:stat:/Users/pedrocarvalho/.pub-cache/hosted/pub.dev/rive_common-0.4.5/macos/harfbuzz/src/hb-subset.cc
[12] NSPrivacyAccessedAPICategoryFileTimestamp:stat:/Users/pedrocarvalho/.pub-cache/hosted/pub.dev/rive_common-0.4.5/macos/miniaudio/extras/miniaudio_split/miniaudio.c
[13] NSPrivacyAccessedAPICategoryFileTimestamp:stat:/Users/pedrocarvalho/.pub-cache/hosted/pub.dev/rive_common-0.4.5/macos/miniaudio/miniaudio.h
🛠️  Descriptions for the following required API reason(s) may be missing: 1
[0] NSPrivacyAccessedAPICategoryFileTimestamp
MarcinusX commented 5 months ago

While analyzing the built app file, it shows the following warning.

Analyzing rive_common.framework ...
⚠️  Missing privacy manifest file!
API usage analysis result(s): 2
[0] NSPrivacyAccessedAPICategoryFileTimestamp:stat,fstat:/.../build/ios/iphoneos/Runner.app/Frameworks/rive_common.framework/rive_common
[1] NSPrivacyAccessedAPICategorySystemBootTime:mach_absolute_time:/.../build/ios/iphoneos/Runner.app/Frameworks/rive_common.framework/rive_common
🛠️  Descriptions for the following required API reason(s) may be missing: 2
[0] NSPrivacyAccessedAPICategoryFileTimestamp
[1] NSPrivacyAccessedAPICategorySystemBootTime

I used this CLI tool to find the usages.
Using rive: 0.13.1.

Please do act on that 🙏

inceptusp commented 4 months ago

I've seen that a PrivacyInfo was added but it only states the usage of NSPrivacyAccessedAPICategorySystemBootTime, still missing NSPrivacyAccessedAPICategoryFileTimestamp... 😕

philter commented 4 months ago

Hi @inceptusp, 0.13.4 is now available. We have modified the build scripts so they no longer compile in the API usages flagged by NSPrivacyAccessedAPICategoryFileTimestamp, since we were not using them. If you analyze the built app file or framework, you should now see that only NSPrivacyAccessedAPICategorySystemBootTime is required.

thobiassilva commented 4 months ago

When I generate the Privacy Report, in the Errors Encountered session, it shows 'Missing an expected key: NSPrivacyCollectedDataTypes - Runner.app/Frameworks/rive_common.framework/rive_common_privacy.bundle/PrivacyInfo.xcprivacy .

Using: rive: 0.13.4

philter commented 4 months ago

@thobiassilva This key was added and is available in 0.13.5.