search

stripe / stripe-terminal-ios

Stripe Terminal iOS SDK
https://stripe.com/docs/terminal/sdk/ios
Other
100 stars 61 forks source link

Missing privacy manifest #297

Closed rowanlsnapper closed 5 months ago

rowanlsnapper commented 5 months ago

Summary

I'm working with an app that uses this SDK and I am trying to ensure that the app is compliant with the new App Store requirements for privacy manifests (https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api).

I have created a privacy manifest for the app, and added the required reason APIs that we are using directly to this. I have also updated all third party SDKs that the app is using to versions that include a privacy manifest, with the exception of the Stripe Terminal SDK, as it appears that this doesn't include a privacy manifest even with the most recent version. Unfortunately, the app is being flagged by App Store Connect as not being compliant, due to the use of "system boot time" and "file timestamps" APIs, even though the app does not make use of these APIs (and therefore I have not added them to the app's privacy manifest).

I suspect the cause for this may be the lack of a privacy manifest for the Stripe Terminal SDK. Can this please be investigated and added if needed? The deadline for apps to be compliant is May 1st 2024, at which point app updates/new apps will not be accepted if they do not meet the requirements.

Installation method

Swift Package Manager

SDK version

3.4.0

Other information

I've noticed that the app does seem to pass the App Store validation if I add the mentioned APIs to the privacy manifest for the app, but this is not a solution as the app itself does not in fact make use of these APIs. The proper solution is for the providers of third party SDKs that are using these APIs to include privacy manifests with their SDKs that give their reason for use.

bric-stripe commented 5 months ago

👋 Hi our 3.5 update which is planned to ship next week will include an xcprivacy file.

The two required reason APIs the SDK uses are NSPrivacyAccessedAPICategoryUserDefaults and NSPrivacyAccessedAPICategoryDiskSpace.

Not sure if this will be your situation as well but we had one of our internal apps also get flagged for system boot time and we found it was from Alamofire (the internal app uses it but the Terminal SDK does not). The latest version of Alamofire includes this in their xcprivacy file.

rowanlsnapper commented 5 months ago

Thanks for this @bric-stripe. As far as I'm aware Alamofire isn't included in the app or any of its dependencies but I'll keep digging.

rowanlsnapper commented 5 months ago

After further investigation it looks like Firebase was the cause of the issue I was encountering, the latest version of their SDK seems to have resolved it.