RxSwift
RxSwift copied to clipboard
ReactiveX
Any support/plan of Privacy Manifest?
Following the same topic in RxSwift offical slack. According to the definition of "third-party SDKs" that as mentioned in the WWDC23, new documents: Privacy manifest files | Apple Developer Documentation and the new announcement from Apple. It seems like RxSwift/RxCocoa/RxRelay require a privacy manifest and signature as well.
I was wondering if the Privacy Manifest update will be introduce in following updates, and, whether it is possible for us to know the schedule so that we can plan and manage our app releases more effectively.. Deeply appreciated.
Platform/Environment
- [x] iOS
- [ ] macOS
- [ ] tvOS
- [ ] watchOS
- [ ] playgrounds
Installation method:
- [x] CocoaPods
- [ ] Carthage
- [ ] Git submodules
Level of RxSwift knowledge: (this is so we can understand your level of knowledge and formulate the response in an appropriate manner)
- [x] just starting
- [ ] I have a small code base
- [ ] I have a significant code base
Agree that this needs to be added, there are still a lot of apps using RxSwift I think.
Definitely something we'll add by the deadline. There's almost a year by then. Thanks!
If one of you who has already looked into this could add it, that would be fantastic. If you have any questions about the library itself. Reach out to me on Slack.
Yeah, actually if anyone wants to open a relevant PR that would help immensely 🙏 thanks!
Here's an example, even though RxSwift doesn't track anything or does any API calls on its own, so there's really no privacy content to describe: https://github.com/BranchMetrics/ios-branch-sdk-spm/blob/main/BranchSDK/PrivacyInfo.xcprivacy
@freak4pc
I simply looked it up, and it seems like 'mach_absolute_time' is used, did I make a mistake?
@freak4pc
I simply looked it up, and it seems like 'mach_absolute_time' is used, did I make a mistake?
Might be missing something but what's the privacy concern with mach time ?
I was just looking up the API list in the Apple document in the RxSwift project.
The way I did it is as follows.
- Clone the RxSwift project to my computer
- I opened the project using Xcode.
- Through the entire search, the API was searched one by one. (If the above method is wrong, please let me know.)
I checked and found that 'mach_absolute_time' exists in the 'Tests' folder, isn't this a problem??
Not a problem. It just needs a reason for being there.
The RxSwift tests harness uses
mach_absolute_time()in order to test performance only; it is not used in the production code and is not sent off device.
@danielt1263
Here's an example, even though RxSwift doesn't track anything or does any API calls on its own, so there's really no privacy content to describe:
Oh, I'm afraid I didn't say it correctly. It's my mistake to say "problem." (I am not good at English.)
I mean... @freak4pc said 'so there's really no privacy content to description', shouldn't we write down the description in PrivacyInfo if RxSwift use 'mach_absolute_time'??
Yes, the description needs to be added to the privacy info. I provided you the description above.
if mach_absolute_time() is the only API that is used in the project, mentioned by @wlxo0401, I think we just need to declare the use of the API and its purpose in the privacy file, as mentioned by Apple. then it should work?
For reference, this is a PR of Kingfisher, adding privacy manifest to the project: https://github.com/onevcat/Kingfisher/pull/2156
I can try to work on this on the 1st week of 2024, if anyone is free to work it out these days, feel free to create a PR.
@tommyming
Apple specifically mentioned RxSwift, but within the RxSwift ecosystem, there are various related libraries like RxCocoa, RxRelay, RxBlocking, RxTest, and RxSwift-Dynamic, among others. (And we can only choose what we want.)
The question is whether you should include PrivacyInfo documentation for each of these libraries separately or if a single PrivacyInfo entry is sufficient.
(Use Chat GPT for translation)
@tommyming
Apple specifically mentioned RxSwift, but within the RxSwift ecosystem, there are various related libraries like RxCocoa, RxRelay, RxBlocking, RxTest, and RxSwift-Dynamic, among others. (And we can only choose what we want.)
The question is whether you should include PrivacyInfo documentation for each of these libraries separately or if a single PrivacyInfo entry is sufficient.
(Use Chat GPT for translation)
According to the Apple's Article: RxCocoa, RxRelay, RxSwift is on the list.
If that's the case, I think adding privacy files to these 3 libraries should do the job?
@tommyming
Thank you so much for your quick response.
I have another question about Privacy Manifest, not Rx content...
- If Apple does not mention the library, but there is something to record in 'PrivacyInfo'
- If Apple mentions it but there is nothing to record in 'PrivacyInfo'
- If Apple doesn't mention it and doesn't have anything to write in "PrivacyInfo"
What happens to each of the above situations?
As far as I know, Privacy Manifest is compulsory for third-party libraries, but when I look at other library communities, I'm confused because some places can't even be mentioned.
As far as I know, Privacy Manifest is compulsory for third-party libraries, but when I look at other library communities, I'm confused because some places can't even be mentioned.
May I know the reference from Apple that Privacy Manifest is compulsory for 3rd party libraries? If that's the case, then many old libraries in cocoapods may require updates, which may cause a massacre of the whole community.
According to my understanding, only the SDKs mentioned by Apple on the list are compulsory to add privacy manifests. Or else you cannot perform App Submissions.
@tommyming
From Fall 2023 you’ll receive an email from Apple if you upload an app to App Store Connect that uses required reason API without describing the reason in its privacy manifest file. From Spring 2024, apps that don’t describe their use of required reason API in their privacy manifest file won’t be accepted by App Store Connect.
It is part of the contents of the above document.
The contents that can be included in 'PrivacyInfo' are as follows. [NSPrivacyTracking, NSPrivacyTrackingDomain, NSPrivacyCollectedDataType, NSPrivacyAccessAPType]
However, in the case of 'NSPrivacyAccessAPType', the document had the above contents.
I understood that, 'All third party libraries should add Privacy Manifest if they have a 'Describing use of required reason API'.
Did I get it too differently?
All third-party libraries should add a Privacy Manifest if they have a 'Describing use of required reason API'
Agree on this.
But I think Apple understands that a massacre will be summoned if they enforce all 3rd party libraries need to add Privacy Manifest lol. So that's why they provided a list of must-provide SDKs.
A bit off-topic. I will try to add a privacy manifest to the 3 repositories mentioned by Apple next week.
Please feel free to provide info related to this issue, thanks.
Seems @wlxo0401 has created a PR (as mentioned above), please feel free to take a look.
According to my understanding, only the SDKs mentioned by Apple on the list are compulsory to add privacy manifests. Or else you cannot perform App Submissions.
Actually, all libraries or SDK which use this functions Apple Doc have to add Privacy Manifest, Apple just mentioned few of them which are common libraries, so all SDK developers should review their own SDK whether they are mentioned by Apple or not. CMIIW
According to my understanding, only the SDKs mentioned by Apple on the list are compulsory to add privacy manifests. Or else you cannot perform App Submissions.
Actually, all libraries or SDK which use this functions Apple Doc have to add Privacy Manifest, Apple just mentioned a few of them which are common libraries, so all SDK developers should review their own SDK whether they are mentioned by Apple or not. CMIIW
Agree on this.
But then Apple announced a list(on early December 2023) of libraries/SDK that need to add privacyInfo, or else the app cannot submitted to app store. That's why I used the word compulsory in the statement.
Clarify one thing is, I agree that eventually all 3rd party SDK may need to add the file. I just worried about the long-term ongoing progress of the review process.
Thanks for the info @lambda123254! Much appreciated.
I discovered a new while testing.
Until now, most of the libraries that have added PrivacyInfo have not been marked in PrivacyReport.
However, when an item is added to the 'Privacy Nutrition Label Types', the library name is displayed in the PrivacyReport.
Many libraries have updated PrivacyInfo without adding anything from 'Privacy Nutrition Label Types'.
Does anyone know about this? Is 'Privacy Nutrition Label Types' a must-have item?
Or is it not necessary to display it in the privacy report?
Please feel free to leave opinion.
(I used a translator.)
I guess this is something from HealthKit, where this type of info should treated properly?
I guess this is something from HealthKit, where this type of info should treated properly?
I didn't use HealthKit.
The comment I posted seems to have a translation error, so I corrected it again.😭
I discovered a new while testing.
Until now, most of the libraries that have added PrivacyInfo have not been marked in PrivacyReport.
However, when an item is added to the 'Privacy Nutrition Label Types', the library name is displayed in the PrivacyReport.
Many libraries have updated PrivacyInfo without adding anything from 'Privacy Nutrition Label Types'.
Does anyone know about this? Is 'Privacy Nutrition Label Types' a must-have item?
Or is it not necessary to display it in the privacy report?
Please feel free to leave opinion.
(I used a translator.)
May I know wdym by PrivacyReport? Thanks.
May I know wdym by PrivacyReport? Thanks.
The 'PrivacyReport' I'm talking about can be downloaded as a PDF if you archive the app.
https://developer.apple.com/videos/play/wwdc2023/10060/ Please refer to 3:20.
-
Open your project in Xcode.
-
Choose Product > Archive. Xcode creates the archive and reveals it in the organizer.
-
Control-click the archive in the organizer and choose Generate Privacy Report.
May I know wdym by PrivacyReport? Thanks.
The 'PrivacyReport' I'm talking about can be downloaded as a PDF if you archive the app.
https://developer.apple.com/videos/play/wwdc2023/10060/ Please refer to 3:20.
- Open your project in Xcode.
- Choose Product > Archive. Xcode creates the archive and reveals it in the organizer.
- Control-click the archive in the organizer and choose Generate Privacy Report.
Understand, could you provide a sample project which can reproduce this condition? That could help on the investigation.
The privacy report is organized in a similar way to Privacy Nutrition Labels.
I think what you mean is something here: reference
I am just guessing the privacy labels can only be seen when you upload the app to the app store connect page, and let them help you make the thing.
@tommyming Um... I'm sorry. I think I asked a question without really understanding 'PrivacyRport' and 'Privacy Nutrition Label Types'. Let me find out again.😥
@tommyming Um... I'm sorry. I think I asked a question without really understanding 'PrivacyRport' and 'Privacy Nutrition Label Types'. Let me find out again.😥
Huge thanks to @wlxo0401 for putting together https://github.com/ReactiveX/RxSwift/pull/2572, it's very much appreciated 🙏 I've worked with Privacy Manifests a fair bit, and I'd be very surprised if any of the Rx repos were accessing any of the data on this list. There's maybe a tiny chance that they're accessing data in the Identifiers and/or Diagnostics categories- but again, that sounds very unlikely. Anything I might be overlooking @freak4pc @danielt1263?
