react-native-vision-camera icon indicating copy to clipboard operation
react-native-vision-camera copied to clipboard

Published 20 hours ago verified publisher icon mrousavy

💭 Apple Privacy Info

Open ISnowFoxI opened this issue 10 months ago • 4 comments

Question

Does react-native-vision-camera have the newly added PrivacyInfo.xcprivacy file or is it something we have to handle it ourselves?

What I tried

Not sure what to try for this, as the API used by the library is not clear to me.

VisionCamera Version

v4.0.1

Additional information

ISnowFoxI avatar Apr 24 '24 07:04 ISnowFoxI

I don't know.

mrousavy avatar Apr 25 '24 11:04 mrousavy

RN v0.73.7 added a new PrivacyInfo.xcprivacy file to the ios directory. All libs and SDKs need to have privacy manifest as far as I can tell. For example, Sentry added one to their SDK. I think RNVC needs this kind of manifest file because it uses file system APIs and such.

Official Apple documentation is here: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files

ISnowFoxI avatar Apr 25 '24 11:04 ISnowFoxI

I see, well if someone contributes / submits a PR for that we can take it from there

mrousavy avatar Apr 25 '24 11:04 mrousavy

Just took a look at Apple's doc of Privacy manifest files and I don't feel like RNVC needs that. In a nut shell that manifest is for libs that collects data about the person using apps, which RNVC apparently is not capable of.

The file system API stuff is about reading file info for arbitrary file and system disk space, etc, RNVC mostly just insert image/video into the cache or camera roll which, as I understand, has nothing to do with the user's privacy.

zzz08900 avatar Apr 26 '24 13:04 zzz08900

Aren't photo and video files from the camera considered user data? It is either that, or we have to specify the usage of it. It has to be either in the SDK or the project itself. It makes more sense to have it in the project itself as the usage could change from app to app.

ISnowFoxI avatar Apr 29 '24 09:04 ISnowFoxI

Aren't photo and video files from the camera considered user data?

did you find anything about that in the documentation of the privacy manifest?

Thanks for taking a look @zzz08900 - I also don't think we need it. VisionCamera only writes files, and captures from the camera (which is already declared as a permission in Info.plist/AndroidManifest.xml), but we'll see.

mrousavy avatar Apr 29 '24 09:04 mrousavy

Well kinda. I am not sure. We know VC can use location data too on top of video, photo, and audio. This link describes those: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_data_use_in_privacy_manifests Screenshot 2024-04-29 at 14 26 22

Well, VC doesn't collect any data without the app. This confuses me. Why can't we describe it in one place and be done with it?

ISnowFoxI avatar Apr 29 '24 10:04 ISnowFoxI

ah yea;

Screenshot 2024-04-29 at 12 55 13

mrousavy avatar Apr 29 '24 10:04 mrousavy

So if I want to make a PR, I only need to add this privacy file to package/ios, right? pretty new to the whole contribution stuff.

ISnowFoxI avatar Apr 29 '24 12:04 ISnowFoxI

I'm sorry I am not sure if this works, I have not worked with the privacy files at all. But if you tried this on your end by just adding that file to the react-native-vision-camera node modules package locally and it works, then yes, just add it here to package/ios, and also add it in the files section in package.json so it gets published to npm.

mrousavy avatar Apr 29 '24 13:04 mrousavy

okay, I'll do it on my project first and see what Apple says about it, if all is well, I'll make a PR like you said. Thank you

ISnowFoxI avatar Apr 29 '24 13:04 ISnowFoxI

Well, VC doesn't collect any data without the app. This confuses me. Why can't we describe it in one place and be done with it?

Some SDKs contain proprietary codes and do shady stuff in the background without the developer of the App even knowing. Probably Apple want to tight that end too, so they can be clear who is there to blame.

zzz08900 avatar Apr 29 '24 16:04 zzz08900

Maybe its a little late but from what I understand, you only need to declare that manifest if you are trying to "collect" location data, which should mean read location data, store it on the phone or send it to a server for later processing.

Simply write location data to photo/video's meta info is not considered as "collecting location data" as I see it.

Well I'm kinda stuck on V2 now so I'll try publish new versions to App Store without the privacy manifest and I'll let you guys know if Apple does not approve my new versions.

zzz08900 avatar Apr 29 '24 16:04 zzz08900

Thank you, but starting May 1st Apple will reject all apps that don't have privacy manifest files. That is why rn v0.73.7 adds this manifest file when you install pods

ISnowFoxI avatar Apr 29 '24 16:04 ISnowFoxI

Thank you, but starting May 1st Apple will reject all apps that don't have privacy manifest files.

Yeah sure I'll update my app to include that manifest, along with other "suspicious" libs including RNFS and react-native-device-info.

I ran a scan of RNVC V2 using https://github.com/Wooder/ios_17_required_reason_api_scanner It didn't find anything.

Now I have all declaration of use of required reason APIs (at least I covered everything mentioned by Apple in the mail) in one of my apps.

Sad we have to wait until May 1st to see how this goes.

zzz08900 avatar Apr 29 '24 20:04 zzz08900

Quick update. We sent an update to App Store Connect and it did get approved. Not sure if this means no manifest file is required or if they just haven't caught up. I'll try to look into a bit more this weekend if I can.

ISnowFoxI avatar May 02 '24 16:05 ISnowFoxI

We're using expo(v50.0.17) + react-native-vision-camera(v4.0.1), here's our result:

  1. do nothing: after upload to app connect, will receive an email about "NSLocationWhenInUseUsageDescription" privacy not explaining clearly
  2. add enableLocation: false in app.config.js, also got the warning email
  3. use yarn patch to modify VisionCamera.podspec directly, not receiving any warning email. Hope that is helpful.

patch file

diff --git a/VisionCamera.podspec b/VisionCamera.podspec
index 23ddf8658abd2526e9c8f99fa511cb94e3646bf4..c41aa49808544026a62c20efb993b7e735465045 100644
--- a/VisionCamera.podspec
+++ b/VisionCamera.podspec
@@ -6,7 +6,7 @@ nodeModules = File.join(File.dirname(`cd "#{Pod::Config.instance.installation_ro

 Pod::UI.puts "[VisionCamera] Thank you for using VisionCamera ❤️"

-enableLocation = true
+enableLocation = false
 if defined?($VCEnableLocation)
   Pod::UI.puts "[VisionCamera] $VCEnableLocation is set to #{$VCEnableLocation}!"
   enableLocation = $VCEnableLocation
@@ -14,7 +14,7 @@ else
   Pod::UI.puts "[VisionCamera] $VCEnableLocation is not set, enabling CLLocation APIs by default..."
 end

-enableFrameProcessors = true
+enableFrameProcessors = false
 if defined?($VCEnableFrameProcessors)
   Pod::UI.puts "[VisionCamera] $VCEnableFrameProcessors is set to #{$VCEnableFrameProcessors}!"
   enableFrameProcessors = $VCEnableFrameProcessors

chunghe avatar May 03 '24 02:05 chunghe

The change in Podfile has nothing to do with NSLocationWhenInUseUsageDescription, so this is just coincidence.

NSLocationWhenInUseUsageDescription is set by your app in Info.plist. Maybe you just didn't put an explanation in there.

mrousavy avatar May 03 '24 08:05 mrousavy

I'm also seeing the same issue, receiving apple NSLocationWhenInUseUsageDescription everytime even if I have "enableLocation": false. The thing is, I even tried to have have "enableLocation": false in my app.config.js and also <Camera enableLocation={true} /> and it is still working. Clearly something in app.config.js plugin configuration is not working. @chunghe @mrousavy I just saw that there was a commit only 2 days ago that changed "enableLocationPermission" into "enableLocation" (https://github.com/mrousavy/react-native-vision-camera/commit/f8b40fd7c7df33d9436ce62cdb2eaa01a652c238). The docs are saying to use "enableLocation" (https://react-native-vision-camera.com/docs/guides/location#enable-or-disable-location-apis) so maybe this is the explanation of why it is throwing issues on Apple side everytime?

edmbn avatar May 05 '24 07:05 edmbn

Yes. It was using the wrong name. If you used TypeScript you should've noticed the issue on your end, but apparently not everyone uses TS.

It's fixed on main now.

mrousavy avatar May 05 '24 10:05 mrousavy

I'm using typescript and using app.config.ts with version 4.0.1 and when I type "enable" it isn't showing the hint or error for "enableLocation", thats why I was trying to follow blindly the docs. On the component side there wasn't any hint or error either. I don't see how we can get noticed of this before building. Thank you for confirming the issue.

edmbn avatar May 05 '24 11:05 edmbn

@mrousavy I understand that typescript works if you use "withVisionCamera" plugin. But if you add the plugin through Expo via:

{
  "name": "my app",
  "plugins": [
    [
      "react-native-vision-camera",
      {
        // ...
        "enableLocation": false,
      }
    ]
  ]
}

There aren't typescript hint or error helpers, right? I know this isn't the issue to talk about this. I would be happy to open a new issue or something else in order to help. I just want to help because if people use 4.0.1 from NPM and follows the documentation will face the same issue since they are out of sync. Current documentation is for the main branch not for the release on NPM, right? If I can do anything else to help just tell me. Thank you for your time.

edmbn avatar May 05 '24 13:05 edmbn

Ah gotcha yea through JSON it might not work. Maybe app.config.js? I don't know.

Either way will release an update soon

mrousavy avatar May 06 '24 08:05 mrousavy