Comments (18)
@Daenara would it be possible to share the tool you used to identify the required API?
This is one of the two I used, the other was a worse version of the text search included in this. Pretty sure neither the text search nor the binary one found all places though. Apparently Apples strategy is "have ppl upload apps, tell them something is missing but not which sdk it is, and then rinse and repeat"
from capacitor-plugins.
Version 1.81 of the Ionic VS Code Extension will detect missing privacy manifest reasons (based on known plugins) and help you choose the reasons.
I've also written an article on this. If you find any plugins that require you to modify the privacy manifest I'd like to hear about them.
from capacitor-plugins.
@dtarnawsky Should I open a separate issue about the device plugin flagging apps for usage of the NSPrivacyAccessedAPICategoryDiskSpace API category, triggered here?
capacitor-plugins/device/ios/Sources/DevicePlugin/Device.swift
Lines 40 to 44 in 0ccb9c4
We would still be interested in a way of using some of this device plugin's features without using any privacy-impacting features.
from capacitor-plugins.
I came here with a similar concern, in my case the Disk Space APIs are being flagged in my code by Apple, which I tracked back to the volumeAvailableCapacityForImportantUsageKey called in the getRealFreeDiskSize function of the device plugin.
Your app’s code file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryDiskSpace. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api
My app does not use the disk space info returned by the device plugin, so I cannot declare any of the supported reasons for calling this API. It would be nice if there were an alternate version of this plugin which excludes the required reason APIs so I do not need to maintain a fork with these API calls removed.
from capacitor-plugins.
@Daenara would it be possible to share the tool you used to identify the required API?
from capacitor-plugins.
I'm encountering this issue as well.
The issue came up when I tried to publish the new version of my app on the app store.
Email from Apple:
ITMS-91053: Missing API declaration - Your app’s code in the “My Target” file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryUserDefaults. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.
ITMS-91053: Missing API declaration - Your app’s code in the “My Target” file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryDiskSpace. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.
More investigation led to this doc which explains how to create the privacy file
And this doc that describes each possible reason for each API.
Seeing as I don't know how capacitor uses these API, or which capacitor dependency uses them, I'm having difficulties picking reasons.
FYI, I'm using these capacitor dependencies:
"@capacitor-community/firebase-analytics": "^4.0.0",
"@capacitor/android": "4.7.2",
"@capacitor/app": "^4.1.1",
"@capacitor/core": "4.7.2",
"@capacitor/device": "^4.1.0",
"@capacitor/geolocation": "^4.1.0",
"@capacitor/haptics": "^4.1.0",
"@capacitor/ios": "4.7.2",
"@capacitor/keyboard": "^4.1.1",
"@capacitor/preferences": "^4.0.2",
"@capacitor/status-bar": "^4.1.1",
from capacitor-plugins.
Version 1.81 of the Ionic VS Code Extension will detect missing privacy manifest reasons (based on known plugins) and help you choose the reasons.
I've also written an article on this. If you find any plugins that require you to modify the privacy manifest I'd like to hear about them.
Do you know of any way to access the list used by the extension manually? We do not use VS Code and just having the list of which plugin uses what would be far more helpful than what all the text and binary searches I used so far output.
from capacitor-plugins.
For us, the plugins capacitor/device
and capacitor/filesystem
require us to modify the privacy manifest and, as @Kevin-Hamilton wrote in his comment, we have troubles choosing the correct reason code because we do not actually use the APIs.
We also would appreciate a modified plugin version where we can exclude the problematic API calls.
from capacitor-plugins.
Hey @Daenara, I wrote a tool to find which plugins uses which APIs. Here is the resulting JSON file: https://github.com/dtarnawsky/plugin-scan/blob/main/privacy.json. You could cross reference this list with your package.json
and manually edit your privacy manifest file. You could also just use VS Code once - I swear neoVIM won't get jealous.
from capacitor-plugins.
Hey @Daenara, I wrote a tool to find which plugins uses which APIs. Here is the resulting JSON file: https://github.com/dtarnawsky/plugin-scan/blob/main/privacy.json. You could cross reference this list with your
package.json
and manually edit your privacy manifest file. You could also just use VS Code once - I swear neoVIM won't get jealous.
neoVIM might not, but as an avid IntelliJ Ultimate user, I prefer to not touch vs code at all, I just don't have the time to spend setting up plugins so it feels even remotely like a true IDE I can work with and less like a glorified text editor. That json file will be very helpful, as will the list of plugins you scanned, leaves me only my own two plugins, and I actually know what I am doing there.
While manually adding everything to my own privacy manifest file doesn't seem like it is what apple intended, at least I know what I have to add thanks to your list and it will hopefully be enough to stop them from sending those nice not very helpful emails all the time.
from capacitor-plugins.
Version 1.81 of the Ionic VS Code Extension will detect missing privacy manifest reasons (based on known plugins) and help you choose the reasons.
I've also written an article on this. If you find any plugins that require you to modify the privacy manifest I'd like to hear about them.
This looks super promising, but I'm seeing some confusing behaviour in v1.81.5 of the plugin.
One app which has recently uploaded to Apple without any warnings showed me the recommendation you mentioned and has added a PrivacyInfo list upon clicking Yes on it – though seemingly an empty one that doesn't explain anything in particular.
And a second app that did lead to Apple emailing about NSPrivacyAccessedAPICategoryUserDefaults
and NSPrivacyAccessedAPICategoryDiskSpace
shows nothing of that sort in the plugin's Recommendations.
These are the second app's plugins:
And ionic info
:
Ionic:
Ionic CLI : 7.2.0 (/Users/noel/.nvm/versions/node/v20.9.0/lib/node_modules/@ionic/cli)
Ionic Framework : @ionic/angular 7.8.1
@angular-devkit/build-angular : 17.3.2
@angular-devkit/schematics : 17.3.2
@angular/cli : 17.3.2
@ionic/angular-toolkit : 11.0.1
Capacitor:
Capacitor CLI : 5.7.4
@capacitor/android : 5.7.4
@capacitor/core : 5.7.4
@capacitor/ios : 5.7.4
Utility:
cordova-res : not installed globally
native-run : 2.0.1
System:
NodeJS : v20.9.0 (/Users/noel/.nvm/versions/node/v20.9.0/bin/node)
npm : 10.2.5
OS : macOS Unknown
from capacitor-plugins.
Hey @NoelLH, with that list of plugins in the screenshots the extension is picking that NSPrivacyAccessedAPICategoryUserDefaults
is needed. But, it doesn't find NSPrivacyAccessedAPICategoryDiskSpace
as necessary. I couldn't see which of those plugins touched disk space though so I'm unclear why Apple would flag your app.
Obviously, you can add NSPrivacyAccessedAPICategoryDiskSpace
with a reason but it would be really useful to know which code/plugin could trigger this. Perhaps you also have native code in your project?
from capacitor-plugins.
Hey @NoelLH , I think the culprit is Firebase Analytics which requires a privacy manifest for the SDK it uses. There is already an issue on its repo for it: capacitor-community/firebase-analytics#178
The plugin itself wraps the firebase SDK and doesn't cause your app to need a privacy manifest file.
from capacitor-plugins.
Thanks @dtarnawsky, I had a hunch it might be that plugin. The project's not adding any native code.
Am I right in thinking that the VS Code plugin relies on Capacitor plugins' inclusion of their own privacy manifests to build a suggested addition for the app? So the VS Code recommendations should pop up and mirror the Firebase plugin's suggested reasons for the permissions, once they add some?
from capacitor-plugins.
Plugins like firebase analytics pull in the firebaseAnalytics cocoapod dynamically (ref) and so it is actually that code that needs the privacy manifest file as its the thing that is using the disk space API.
The plugin itself doesn't touch that API (which is why the extension didn't find it).
The VSCode extension has a long list of known plugins that use particular APIs. That list was generated using this project, which scans 1149 known Capacitor/Cordova plugins for API usage.
The process to scan source code of plugins is pretty time intensive and took several hours to find the 180 plugins that access APIs Apple are interested in.
My guess is that Apple called out the particular SDKs like Firebase (here) because they may have some sort of fingerprinting based on the APIs used, it's a way to get developers to put pressure on plugin/SDK authors to avoid or justify the usage of those APIs as well as ensure that those binaries have a signature.
from capacitor-plugins.
This thread just posted by the React Native team shows that the new policy is going to be for App developers to take control of their Privacy Manifest, that plugin developers are going to have to offer Setup Instructions to their consumers on adding the required Privacy Manifest elements required by their plugin.
there will be no automatic way for a plugin to provide its privacy manifest elements.
react-native-community/discussions-and-proposals#776 (comment)
from capacitor-plugins.
@dtarnawsky Should I open a separate issue about the device plugin flagging apps for usage of the NSPrivacyAccessedAPICategoryDiskSpace API category, triggered here?
capacitor-plugins/device/ios/Sources/DevicePlugin/Device.swift
Lines 40 to 44 in 0ccb9c4
We would still be interested in a way of using some of this device plugin's features without using any privacy-impacting features.
Yes, definitely open a separate issue as it is a feature request that the team would need to evaluate.
from capacitor-plugins.
This is actively on the teams road map to add privacy codes information to plugin documentation in the coming week
from capacitor-plugins.
Related Issues (20)
- [splash-screen] Make docs usable for iOS app HOT 3
- Cannot select a printer from the Share dialogue box HOT 1
- bug(@capacitor/share): FATAL EXCEPTION java.lang.RuntimeException: Unable to start activity ComponentInfo{com.tvoydnevnik/com.tvoydnevnik.MainActivity}: java.lang.SecurityException: com.tvoydnevnik: One of RECEIVER_EXPORTED or RECEIVER_NOT_EXPORTED should be specified when a receiver isn't being registered exclusively for system broadcasts HOT 2
- Add Capacitor Webview HOT 3
- Add map events to be handled at client side HOT 2
- google.maps.Marker is deprecated HOT 1
- [Geolocation / Android] The GPS position is only updated every 5 seconds when using "watchPosition" function on Android HOT 1
- [Bug]: @capacitor/camera - Console (F12) error (undefined) clicking on the camera icon when still loading the camera or not alowing the permission yet. HOT 3
- [Feature] Deep linking for Chromebook Android (App appUrlOpen)
- @capacitor/share not work in android 14, capacitor 6 HOT 4
- feat(@capacitor/device) Request to update device plugin to remove privacy-impacting APIs HOT 1
- @capacitor/browser add a new BROWSER_CLOSED event HOT 1
- [@capacitor/filesystem] Successful Filesystem.requestPermissions prompt never resolves due to missing case in callback HOT 5
- [Feature]: native camera max weight settings
- @capacitor/share not working with capacitor v6 HOT 2
- Filesystem.copy not working con content:/ android HOT 1
- Android 14 targetted build fails with RECEIVER_EXPORTED variable error HOT 5
- Feature Request: Add support for reading files in chunks
- Camera - taking a photo with .getPhoto() in macOs is having delays HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from capacitor-plugins.