
Support App Privacy Manifest

Open triolyami opened this issue 1 year ago • 19 comments

This repo needs to provide a privacy manifest, as described here: https://developer.apple.com/news/?id=av1nevon


All this needs to be done by spring: https://developer.apple.com/support/third-party-SDK-requirements/

Additionally any SDK that contains an app privacy manifest must be signed (xcframeworks)

We really need this, Thanks!

triolyami avatar Feb 13 '24 16:02 triolyami

If you would like to upvote the priority of this issue, please comment below or react on the original post above with :+1: so we can see what is popular when we triage.

@triolyami Thank you for opening this issue. 🙏 Please check out these other resources that might help you get to a resolution in the meantime:

This is an automated message, feel free to ignore.

wangela avatar Feb 13 '24 16:02 wangela

So far, I haven't seen Apple state Google Maps to be in the list of SDKs that require the manifest. It would be nice if you could check if you fall into any usage of the APIs stipulated by Apple. I know the Firebase SDK is already deep into it.

https://developer.apple.com/support/third-party-SDK-requirements/

On top of that there is a requirement for code signing https://github.com/firebase/firebase-ios-sdk/issues/12238

RoblesJ avatar Feb 16 '24 12:02 RoblesJ

> So far, I haven't seen Apple state Google Maps to be in the list of SDKs that require the manifest. It would be nice if you could check if you fall into any usage of the APIs stipulated by Apple. I know the Firebase SDK is already deep into it.

Hi! You are right. There is no Google Maps in the list. But Apple's requirements also say: "As a reminder, when you use a third-party SDK with your app, you are responsible for all the code the SDK includes in your app, and need to be aware of its data collection and use practices"

I don't really understand how we should interpret the list of SDKs. Apple requires that the whole app code comply with the policies. Does it mean that other SDKs aren't required to provide the privacy manifest and we have to do that by ourselves? - I don't know :(

In the Google Maps case, we don't even have source code.

triolyami avatar Feb 19 '24 09:02 triolyami

Here is a similar discussion

triolyami avatar Feb 19 '24 09:02 triolyami

I scanned my app binary using this tool and it looks like Google Maps causes a violation due to these calls:

  • GoogleMapsCore: lstat, mach_absolute_time, stat
  • GoogleMaps: mach_absolute_time, NSFileCreationDate, NSFileModificationDate, NSURLContentModificationDateKey, NSUserDefaults
  • GoogleMapsBase: NSFileSystemFreeSize, NSURLContentModificationDateKey, NSURLCreationDateKey, NSUserDefaults, stat

CrewNerd avatar Mar 15 '24 20:03 CrewNerd

When will the next release with "Privacy manifest" support be?

mammaiap avatar Mar 19 '24 10:03 mammaiap

The Google Maps Platform team is aware of Apple's announcements regarding third-party SDK privacy manifest and signature and required reason APIs. Although none of the Google Maps Platform SDKs for iOS are listed on Apple's page of "SDKs that require a privacy manifest and signature" as of the date of this message, the team is working on understanding and fulfilling the requirements in anticipation of Apple's requirements of apps that use Google Maps Platform SDKs for iOS. We cannot give a date when a version of the SDK that meets the requirements will be released.

wangela avatar Mar 20 '24 18:03 wangela

For the Privacy Manifest, we understand that you are working on them but is it possible for you to let us know the reasons for the usage of the APIs in advance in case we need to address them on our own?

mtakamura avatar Mar 25 '24 02:03 mtakamura

Also looking for an answer to when this might be released. I scanned the repo I work on that uses this Google Maps SDK with the following tool: https://github.com/bradwindy/iOS17-Required-Reason-API-Scanner

And you use the following APIs that require reasons in your privacy manifest:

  • lstat
  • mach_absolute_time
  • NSFileCreationDate
  • NSFileModificationDate
  • NSFileSystemFreeSize
  • NSURLContentModificationDateKey
  • NSURLCreationDateKey
  • NSUserDefaults
  • stat

These require you to include a privacy manifest explaining your use of this, as they fall under the following privacy API types:

  • NSPrivacyAccessedAPICategorySystemBootTime
  • NSPrivacyAccessedAPICategoryFileTimestamp
  • NSPrivacyAccessedAPICategoryUserDefaults
  • NSPrivacyAccessedAPICategoryDiskSpace

bradwindy avatar Mar 25 '24 07:03 bradwindy

The installation instructions for Google Maps Platform SDKs for iOS now have download links and instructions for manually adding Privacy Manifest files for use with the latest versions of the SDKs. If you receive feedback from Apple regarding the contents of these privacy manifests, please report that feedback on this Issue Tracker issue. Find instructions and manifests for each SDK at the links below:

wangela avatar Apr 03 '24 22:04 wangela

Is there a reason why we need to manually add the Maps privacy manifest to the main app bundle, instead of the SDK including the manifest itself? Apple's documentation specifically says that SDKs should provide their own manifests.

VladOrackle avatar Apr 24 '24 10:04 VladOrackle

Apple recommends this method to distribute static frameworks starting with Xcode 15, as described here: https://developer.apple.com/documentation/xcode/creating-a-static-framework.

The previous guide references https://developer.apple.com/documentation/bundleresources/privacy_manifest_files, where they explain how to include a privacy manifest for a static library.

Have you explored this method? I wonder if this could solve the warnings.

igled7 avatar Apr 24 '24 17:04 igled7

  • Hi guys, I don't think to manually download & add it to project is an ideal way either.
  • Could GoogleMaps add it to the SDK itself so that we can install via SPM or Cocoapods?
  • Apple just released a doc to point out the proper location for the file.
  • Then GoogleMaps can declare it in podspec file (for Cocoapods) like Firebase for instance.

harrynguyen22 avatar Apr 26 '24 07:04 harrynguyen22

Greetings, using the suggested configuration implementing the privacy report inside my own project, I got some warnings from Apple.

ITMS-91055: Invalid API reason declaration - The PrivacyInfo.xcprivacy for the “GoogleMaps_GoogleMapsTarget.bundle/GoogleMaps.bundle/GMSCoreResources.bundle/GMSShaders.metallib” file contains “C617.1” as the value for a NSPrivacyAccessedAPITypeReasons key instead of a valid reason code for using an API in the NSPrivacyAccessedAPICategoryUserDefaults category. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, values for NSPrivacyAccessedAPITypeReasons keys in your app’s privacy manifest must be valid reason codes for the corresponding API category. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.

ITMS-91055: Invalid API reason declaration - The PrivacyInfo.xcprivacy for the “GoogleMaps_GoogleMapsTarget.bundle/GoogleMaps.bundle/GMSCoreResources.bundle/GMSShadersSim.metallib” file contains “C617.1” as the value for a NSPrivacyAccessedAPITypeReasons key instead of a valid reason code for using an API in the NSPrivacyAccessedAPICategoryUserDefaults category. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, values for NSPrivacyAccessedAPITypeReasons keys in your app’s privacy manifest must be valid reason codes for the corresponding API category. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api

RoblesJ avatar Apr 26 '24 13:04 RoblesJ

ITMS-91054: Invalid API category declaration - The PrivacyInfo.xcprivacy for the “GoogleMapsResources.bundle/GoogleMaps.bundle/GMSCoreResources.bundle/GMSShaders.metallib” file contains “NSPrivacyAccessAPICategoryUserDefaults” as the value for a NSPrivacyAccessedAPIType key, which is invalid. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, values for NSPrivacyAccessedAPIType keys in your app’s privacy manifest must be valid API categories. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.

ITMS-91054: Invalid API category declaration - The PrivacyInfo.xcprivacy for the “GoogleMapsResources.bundle/GoogleMaps.bundle/GMSCoreResources.bundle/GMSShadersSim.metallib” file contains “NSPrivacyAccessAPICategoryUserDefaults” as the value for a NSPrivacyAccessedAPIType key, which is invalid. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, values for NSPrivacyAccessedAPIType keys in your app’s privacy manifest must be valid API categories. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.

I'm receiving this for my app - seems that the iOS Maps SDK has included incorrect declarations. The value is NSPrivacyAccessedAPICategoryUserDefaults, not NSPrivacyAccessAPICategoryUserDefaults (Accessed vs Access). See: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api#4278401

dballance avatar Apr 29 '24 15:04 dballance
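The two rejections quoted above (ITMS-91054 for a misspelled category, ITMS-91055 for a reason code that belongs to another category) and the four categories listed earlier in the thread can be checked locally before upload. This is an added example, not part of the thread and not Google's or Apple's tooling; the function names and the sample manifest are constructed for illustration, and the reason-code table is transcribed from Apple's "Describing use of required reason API" page, which remains the authority.

```python
import plistlib

# Approved reason codes per required-reason API category (assumption: copied
# from Apple's documentation; re-check that page before relying on this table).
VALID_REASONS = {
    "NSPrivacyAccessedAPICategoryFileTimestamp": {"DDA9.1", "C617.1", "3B52.1", "0A2A.1"},
    "NSPrivacyAccessedAPICategorySystemBootTime": {"35F9.1", "8FFB.1", "3D61.1"},
    "NSPrivacyAccessedAPICategoryDiskSpace": {"85F4.1", "E174.1", "7D9E.1", "B728.1"},
    "NSPrivacyAccessedAPICategoryActiveKeyboards": {"3EC4.1", "54BD.1"},
    "NSPrivacyAccessedAPICategoryUserDefaults": {"CA92.1", "1C8F.1", "C56D.1", "AC6B.1"},
}

def audit_manifest(data: bytes, required=()):
    """Return (kind, detail) findings for a PrivacyInfo.xcprivacy given as plist bytes."""
    findings, declared = [], set()
    for item in plistlib.loads(data).get("NSPrivacyAccessedAPITypes", []):
        category = item.get("NSPrivacyAccessedAPIType")
        reasons = item.get("NSPrivacyAccessedAPITypeReasons", [])
        if category not in VALID_REASONS:       # what ITMS-91054 reports
            findings.append(("invalid-category", category))
            continue
        declared.add(category)
        if not reasons:
            findings.append(("no-reason", category))
        for code in reasons:                    # what ITMS-91055 reports
            if code not in VALID_REASONS[category]:
                findings.append(("invalid-reason", f"{category}:{code}"))
    for category in required:                   # categories a binary scan says are needed
        if category not in declared:
            findings.append(("missing-category", category))
    return findings

def entry(category, *reasons):
    """Build one NSPrivacyAccessedAPITypes dictionary (hypothetical helper)."""
    return {"NSPrivacyAccessedAPIType": category,
            "NSPrivacyAccessedAPITypeReasons": list(reasons)}

# Constructed sample manifest reproducing both rejections quoted in the thread.
SAMPLE = plistlib.dumps({"NSPrivacyAccessedAPITypes": [
    entry("NSPrivacyAccessAPICategoryUserDefaults", "CA92.1"),    # "Access" typo
    entry("NSPrivacyAccessedAPICategoryUserDefaults", "C617.1"),  # FileTimestamp code
    entry("NSPrivacyAccessedAPICategoryFileTimestamp", "C617.1"), # valid pairing
]})
# The four categories the scanner output in this thread maps to.
REQUIRED = ["NSPrivacyAccessedAPICategoryFileTimestamp", "NSPrivacyAccessedAPICategoryUserDefaults",
            "NSPrivacyAccessedAPICategorySystemBootTime", "NSPrivacyAccessedAPICategoryDiskSpace"]

if __name__ == "__main__":
    for kind, detail in audit_manifest(SAMPLE, REQUIRED):
        print(kind, detail)
```

To audit a real file, pass its contents as bytes, for example `audit_manifest(open(path, "rb").read(), REQUIRED)`.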

> ITMS-91054: Invalid API category declaration - The PrivacyInfo.xcprivacy for the “GoogleMapsResources.bundle/GoogleMaps.bundle/GMSCoreResources.bundle/GMSShaders.metallib” file contains “NSPrivacyAccessAPICategoryUserDefaults” as the value for a NSPrivacyAccessedAPIType key, which is invalid. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, values for NSPrivacyAccessedAPIType keys in your app’s privacy manifest must be valid API categories. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.
>
> ITMS-91054: Invalid API category declaration - The PrivacyInfo.xcprivacy for the “GoogleMapsResources.bundle/GoogleMaps.bundle/GMSCoreResources.bundle/GMSShadersSim.metallib” file contains “NSPrivacyAccessAPICategoryUserDefaults” as the value for a NSPrivacyAccessedAPIType key, which is invalid. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, values for NSPrivacyAccessedAPIType keys in your app’s privacy manifest must be valid API categories. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.
>
> I'm receiving this for my app - seems that the iOS Maps SDK has included incorrect declarations. The value is NSPrivacyAccessedAPICategoryUserDefaults, not NSPrivacyAccessAPICategoryUserDefaults (Accessed vs Access). See: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api#4278401

Greetings, I figured out the issue with my previous comment... apparently the way the reasons are declared does not work for Xcode 15.2 (something to do with how Xcode abbreviates the codes), so you would have to modify the privacy plist in order to take the entire string described on the Apple sites...

An easier way to solve this is to just update to 15.3, where it works correctly.

RoblesJ avatar Apr 29 '24 21:04 RoblesJ

I'm not sure why no one from Google has posted this here, but I had a look through Google's Issue Tracker this morning and found this P1 issue:

https://issuetracker.google.com/issues/323059684

Comment number 7 links to this help page on how to add the privacy manifest for Google Maps to your project:

https://developers.google.com/maps/documentation/ios-sdk/config#add-apple-privacy-manifest-file

This seems to have fixed the final warnings for us (or at least I haven't had any emails yet 😅). If this is the way Apple is expecting us to have to do it, I'm not sure, but it works. 🤷‍♂️

Baza207 avatar Apr 30 '24 09:04 Baza207

@Baza207 FWIW, I pushed a new release yesterday without any recent modifications to the Privacy Manifest, and didn't get a Privacy Manifest related warning email this time, despite getting one about two weeks ago with a previous release. I think Apple just took a break sending them, at least temporarily.

dhritzkiv avatar Apr 30 '24 16:04 dhritzkiv

@dhritzkiv I hope for people's general sanity that this is the case. For us, we upload multiple builds daily to TestFlight (I've been getting 10-12 emails a day since March 🙈) and it only stopped when I followed the linked instructions this morning. The silence in my inbox is bliss. 😅

Baza207 avatar Apr 30 '24 18:04 Baza207

This is a courtesy copy of the closing comment on the Public Issue Tracker issue.

  • The Apple Privacy Manifest file is now included in the resources bundle for the SDK. For more information, see "Inspect the privacy manifest file" for the SDK you are using:
  • As of the release date of v9.0.0, Apple does not list Google Maps Platform SDKs for iOS among the third-party SDKs required to contain a signature in order for apps to pass App Store Connect review, so this version of the SDK does not contain a signature.

wangela avatar Jun 03 '24 23:06 wangela