Apps with dependency of Connectivity package require NSLocationAlwaysAndWhenInUseUsageDescription #40418
Description
After using this plugin for a couple of months with no problem, Apple sent me the following e-mail yesterday after sending another build:
Dear Developer, We identified one or more issues with a recent delivery for your app, "Ianum" 1.1.2 (131).
Your delivery was successful, but you may wish to correct the following issues in your next delivery: I
TMS-90683: Missing Purpose String in Info.plist - Your app's code references one or more APIs that access sensitive user data. The app's Info.plist file should contain a NSLocationAlwaysUsageDescription key with a user-facing purpose string explaining clearly and completely why your app needs the data. Starting Spring 2019, all apps submitted to the App Store that access user data are required to include a purpose string. If you're using external libraries or SDKs, they may reference APIs that require a purpose string. While your app might not use these APIs, a purpose string is still required. You can contact the developer of the library or SDK and request they release a version of their code that doesn't contain the APIs. Learn more (https://developer.apple.com/documentation/uikit/core_app/protecting_the_user_s_privacy).
ITMS-90683: Missing Purpose String in Info.plist - Your app's code references one or more APIs that access sensitive user data. The app's Info.plist file should contain a NSLocationWhenInUseUsageDescription key with a user-facing purpose string explaining clearly and completely why your app needs the data. Starting Spring 2019, all apps submitted to the App Store that access user data are required to include a purpose string. If you're using external libraries or SDKs, they may reference APIs that require a purpose string. While your app might not use these APIs, a purpose string is still required. You can contact the developer of the library or SDK and request they release a version of their code that doesn't contain the APIs. Learn more (https://developer.apple.com/documentation/uikit/core_app/protecting_the_user_s_privacy).
After you’ve corrected the issues, you can use Xcode or Application Loader to upload a new binary to App Store Connect.
Best regards, The App Store Team
Our app does not use the functionality of retrieving IP address, WIFI or BSSID name, and as such, I'd like to ask you the following:
- When adding strings to the
info.plistwill the user be able to see that the app accesses the location? Be it in the App Store, or the OS? I ask this because as a former Android Developer I remember that everything that we put on the manifest the user could see. - If that is the case, what can we do to not have those strings in the info.plist file?
- And finally, why is this only flagged now after using the plugin for at least 2 months with no upgrades in the meantime? Coincidentally, this happened after I upgraded to 1.9.
As a solution for this, if no other option is available, I'll create a local fork of the package that only contains the connectivity part and use it for this project.
Our app is privacy-focused and we want to be fully transparent with our users, so having permissions that we are not using without explaining it is not an option.