Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Apple rejects all binaries built using this package, unless ALL permissions have purposes/reasons added in the .plist, even if the app is not using most of them... #26

Closed
manuelgomes2 opened this issue Sep 17, 2018 · 63 comments

Comments

@manuelgomes2
Copy link

Apple now rejects all apps, the error is as follows:

Missing Purpose String in Info.plist File - Your app's code references one or more APIs that access sensitive user data. The app's Info.plist file should contain a NSContactsUsageDescription key with a user-facing purpose string explaining clearly and completely why your app needs the data. Starting Spring 2019, all apps submitted to the App Store that access user data will be required to include a purpose string.If you're using external libraries or SDKs, they may reference APIs that require a purpose string. While your app might not use these APIs, a purpose string is still required. You can contact the developer of the library or SDK and request they release a version of their code that doesn't contain the APIs. Learn more (https://developer.apple.com/documentation/uikit/core_app/protecting_the_user_s_privacy).

Missing Purpose String in Info.plist File - Your app's code references one or more APIs that access sensitive user data. The app's Info.plist file should contain a NSCalendarsUsageDescription key with a user-facing purpose string explaining clearly and completely why your app needs the data. Starting Spring 2019, all apps submitted to the App Store that access user data will be required to include a purpose string.If you're using external libraries or SDKs, they may reference APIs that require a purpose string. While your app might not use these APIs, a purpose string is still required. You can contact the developer of the library or SDK and request they release a version of their code that doesn't contain the APIs. Learn more (https://developer.apple.com/documentation/uikit/core_app/protecting_the_user_s_privacy).

Missing Purpose String in Info.plist File - Your app's code references one or more APIs that access sensitive user data. The app's Info.plist file should contain a NSAppleMusicUsageDescription key with a user-facing purpose string explaining clearly and completely why your app needs the data. Starting Spring 2019, all apps submitted to the App Store that access user data will be required to include a purpose string.If you're using external libraries or SDKs, they may reference APIs that require a purpose string. While your app might not use these APIs, a purpose string is still required. You can contact the developer of the library or SDK and request they release a version of their code that doesn't contain the APIs. Learn more (https://developer.apple.com/documentation/uikit/core_app/protecting_the_user_s_privacy).

Missing Purpose String in Info.plist File - Your app's code references one or more APIs that access sensitive user data. The app's Info.plist file should contain a NSMotionUsageDescription key with a user-facing purpose string explaining clearly and completely why your app needs the data. Starting Spring 2019, all apps submitted to the App Store that access user data will be required to include a purpose string.If you're using external libraries or SDKs, they may reference APIs that require a purpose string. While your app might not use these APIs, a purpose string is still required. You can contact the developer of the library or SDK and request they release a version of their code that doesn't contain the APIs. Learn more (https://developer.apple.com/documentation/uikit/core_app/protecting_the_user_s_privacy).

Missing Purpose String in Info.plist File - Your app's code references one or more APIs that access sensitive user data. The app's Info.plist file should contain a NSSpeechRecognitionUsageDescription key with a user-facing purpose string explaining clearly and completely why your app needs the data. Starting Spring 2019, all apps submitted to the App Store that access user data will be required to include a purpose string.If you're using external libraries or SDKs, they may reference APIs that require a purpose string. While your app might not use these APIs, a purpose string is still required. You can contact the developer of the library or SDK and request they release a version of their code that doesn't contain the APIs. Learn more (https://developer.apple.com/documentation/uikit/core_app/protecting_the_user_s_privacy).

@mvanbeusekom
Copy link
Member

@manuelgomes2 have you added the required permissions to your Info.plist file? You can check the Info.plist file of the example app (here) for examples?

@indiluk
Copy link

indiluk commented Oct 2, 2018

I think at least there should be an information for devs to add the required purpose strings on this Github project.

@rknell
Copy link

rknell commented Dec 7, 2018

Yeah this is a bit of a disappointment, the geolocator package uses this package and I need to specify all the permissions.

I don't care about having to specify the permissions - but I do care if Apple starts asking questions about why I need to access apple music for an app that clearly has nothing to do with music.

I think this is a ticking time bomb and should be modularised.

@elricym
Copy link

elricym commented Dec 12, 2018

This plugin handles too many permissions which is not necessary for just a geolocator. And it's not a very professional way in production. I'm very grateful for the works of the author but there should be an optimized approach of handling permissions. Or maybe simply integrate a specific permission handler inside of Geolocator. Thank you.

@firsthour
Copy link

I agree this project probably needs to be broken up, possibly one permission handler project per permission. I may tinker with ripping out everything not needed for geolocator to function.

@mortenboye
Copy link

I had the same issue, and did the quick and dirty fix that @firsthour mentioned.
Here is a fork, where everything but the location permissions are stripped out:
https://github.com/mortenboye/flutter-permission-handler

And here is a fork of geolocator that references the above fork:
https://github.com/mortenboye/flutter-geolocator

It's not pretty but it works.

@mvanbeusekom
Copy link
Member

mvanbeusekom commented Jan 22, 2019

@manuelgomes2, @indiluk, @rknell, @elricym, @firsthour, @mortenboye, I have set out some probes with Google and Apple to see if there is a way to work around this issue. The plugin implements code for all SDKs that require user permissions and therefore the Apple analytics tools think we are actually using all the SDKs in our Apps (which is not the case).

Worst case scenario is that we will convert the Geolocator component back into handling it's own permissions and add a clear disclaimer to this components readme explaining this drawback on iOS.

Hopefully I will receive some useful feedback from Google (Flutter team) and/ or Apple to add some sort of compiler directives or conditional statements which allows us to only include that code/ SDKs that we are actually interested in.

I will follow up on this as soon as possible.

P.S. if any of you have a suggestion I would love to hear it of course.

@smiLLe
Copy link

smiLLe commented Feb 20, 2019

@mvanbeusekom maybe an easy fix would be to update geolocator to use it's own permission handler? And long term would be to make permission-hanler more modular?

@rvera
Copy link

rvera commented Mar 1, 2019

👍 on this issue, my app just got rejected because of this. At the very least, make this explicit on the project documentation.

@yvanvds
Copy link

yvanvds commented Mar 6, 2019

👍 on this issue, my app just got rejected because of this. At the very least, make this explicit on the project documentation.

Same here. I wish I had known this when I implemented geolocator, instead of learning about when uploading my app to itunes (which is always the very last step because Android publishing is so much easier). Don't get me wrong: I am very grateful for you people sharing this library. But when you do explain in the docs about the location permissions, it would have helped a lot to mention this problem.

BTW: Waiting for Apple to comment on this mostly useless. They almost never answer. And the flutter team cannot do anything about this. It's been this way with iOS for as long as I know. Either you really use the permission, or you remove the offending code. I really doubt that they are willing to change that 'rule' because of flutter.

@rvera
Copy link

rvera commented Mar 8, 2019

👍 on this issue, my app just got rejected because of this. At the very least, make this explicit on the project documentation.

Same here. I wish I had known this when I implemented geolocator, instead of learning about when uploading my app to itunes (which is always the very last step because Android publishing is so much easier). Don't get me wrong: I am very grateful for you people sharing this library. But when you do explain in the docs about the location permissions, it would have helped a lot to mention this problem.

BTW: Waiting for Apple to comment on this mostly useless. They almost never answer. And the flutter team cannot do anything about this. It's been this way with iOS for as long as I know. Either you really use the permission, or you remove the offending code. I really doubt that they are willing to change that 'rule' because of flutter.

@mortenboye made a fork which removes the extra fluff, I forked this and made this Swift 4.2 compatible if you wanna take a took and need a quick solution.

@lifenautjoe
Copy link

@baseflowit do you have plans on updating this? It's pretty unusable atm... 🙏

@marilozgz
Copy link

Hi, any update?? Apple rejected all the time, all the strings added to plist, but still rejected.

@nabeelof
Copy link

@mortenboye your solution seems good for me but how to implement this fork in flutter. I didn't deal with forks before.I have read the readme but there is no different dependencies
Thank you

@mortenboye
Copy link

@nabeelof you would have to reference the git repo directly:

dependencies:
  geolocator:
    git: 'git@github.com:mortenboye/flutter-geolocator.git'

@smiLLe
Copy link

smiLLe commented Apr 10, 2019

@nabeelof
non androidX

geolocator:
    git:
      url: https://github.com/mortenboye/flutter-geolocator.git
      ref: cd3de2ada46b0f124039c8a39298df1e4edada33

@nabeelof
Copy link

@mortenboye @smiLLe
I couldn't use git@github.com directly
I used
geolocator: git: url: https://github.com/mortenboye/flutter-geolocator.git ref: 0d635c3ddcc4fec775e85fc3971c87b486240a99
after I get the latest ref sha using
curl -i https://api.github.com/repos/mortenboye/flutter-geolocator/git/refs/

then I uploaded a new binary with new build number
but apple rejected with same email
sorry guys this is not working

@j3g
Copy link

j3g commented Apr 13, 2019

from what I am understanding, this library only works for Android at this time. Someone please update the documentation.

@mvanbeusekom
Copy link
Member

We are currently in the process of splitting up the permission_handler in smaller packages to work around this issue. These will become available to the open-source community and can be found here. At the moment we have extracted the code to request permissions for the location services and published it as a separate plugin. This means we will slowly be phasing out this plugin.

@smiLLe, @mortenboye, @nabeelof, we have recently release version 4.0.0 of the Geolocator plugin which now uses the location_permissions plugin to handle permissions. Meaning we no longer use the permission_handler to prevent this issue.

@j3g
Copy link

j3g commented Apr 23, 2019

right on, i'm still newbie in dart and flutter or I would contribute...I'll try to share back in the future

@chenxianqi
Copy link

We are currently in the process of splitting up the permission_handler in smaller packages to work around this issue. These will become available to the open-source community and can be found here. At the moment we have extracted the code to request permissions for the location services and published it as a separate plugin. This means we will slowly be phasing out this plugin.

@smiLLe, @mortenboye, @nabeelof, we have recently release version 4.0.0 of the Geolocator plugin which now uses the location_permissions plugin to handle permissions. Meaning we no longer use the permission_handler to prevent this issue.

Hasn't other permissions been modularized separately yet?

@zhancheng
Copy link

why not delete the info.list in package and let user add their want in their project?

@jeanmatthieud
Copy link

FYI, I published two apps with dummy reasons in the plist file for all the permissions I'm not using, and Apple approved the releases.

@mZadorskii
Copy link

@chris-wickens
Copy link

Are there any consequences to the user for adding permission strings that we don't use? For instance, if I add a geolocation permission string but never request geolocation, would users be warned on the app store that the app may request their location?

@ThinkDigitalSoftware
Copy link

@Rekubot I want to know this too. I believe Apple shows the messages only when used, so it wouldn't be shown. I just feel weird making up fake reasons.

@kinex
Copy link

kinex commented Jul 22, 2019

@Rekubot @ThinkDigitalSoftware I have a clear opinion about this: you should absolutely NOT do it.

Firstly, it simply does not make any sense. Basic idea of permissions is that you add only permission you need. Otherwise we would not need permissions at all. There are good reasons why required permissions need to be defined for each app. It is question of user's privacy and security.

Most importantly it may be a security risk to user's device if there is an app with all possible permissions. Even if your own app behaves correctly, some other app (malware) or even a 3rd party lib you are using could in theory use your app (as it has all permissions) to attack user's device. Maybe it is possible in iOS, maybe not. But better not to give them even a chance. If I knew some app in my device has all permissions even if it doesn't really use them, I would uninstall it immediately, give it 1 star and most probably also report the app to Apple as a possible malware.

So adding all permissions is the worst workaround ever. Don't do it.

@ThinkDigitalSoftware
Copy link

ThinkDigitalSoftware commented Jul 22, 2019 via email

@kinex
Copy link

kinex commented Jul 23, 2019

@ThinkDigitalSoftware You can fork this plugin and remove extra stuff as suggested in earlier comments. There are also other similar plugins available, not sure if they have the same issue. Or wait until this plugin gets fixed. I have not started my iOS project yet, so my own plan is still open.

@yanqiuLove
Copy link

嗨,任何更新?Apple一直拒绝,所有字符串都添加到plist中,但仍被拒绝。

在info.plist中添加相关配置如果APP实际用不到这些权限的话肯定会被拒的,苹果要求每一项权限都有合理的使用地方

@remoteportal
Copy link

I'm using a DIFFERENT permissions package but it has the SAME problem; permission_handler.

@ty0x2333
Copy link
Contributor

ty0x2333 commented Dec 26, 2019

@martijn00 @mvanbeusekom I submitted a pull request to solve this problem: #182

@GioPan04
Copy link

If anyone is interested in getting just storage permissions, y just forked the repo into a new one where I removed all the permissions but storage. The new repo is flutter-storage-permission-handler.

You can include it in your project by adding this dependency to your pubscpec.yaml file:

dependencies:
  flutter:
    sdk: flutter

  permission_handler:
    git: https://github.com/ramoncardena/flutter-sotrage-permission-handler

@ramoncardena In Android I get PermissionStatus.unknown when I try to check the storage permission

@GioPan04
Copy link

GioPan04 commented Dec 26, 2019

I used @ty0x2333 PR, and works perfectly. Thanks!
I don't know why they refused the PR in the code review...

@mvanbeusekom
Copy link
Member

As of version 4.1.0 (released 10th of January) it is now possible to use the solution provided by @ty0x2333 to remove not needed permissions.

@yamdkh
Copy link

yamdkh commented Mar 27, 2020

Hello dears I have found the solution for this issue, Just go to this path down

ios/.symlinks/plugins/permission_handler/ios/Classes/PermissionHandlerEnums.h

  • then change the permission you don't want to 0 instead of one -

then clean and restart your idea then build

Thanks,

@VictorUvarov
Copy link

Flutter 1.20 changed the podfile and the solution no longer works

@xafgun
Copy link

xafgun commented Aug 11, 2020

Flutter 1.20 changed the podfile and the solution no longer works

+1 I have tried changes which writen on IOS side at plugin; but it doesn't work.

@scaraux
Copy link

scaraux commented Aug 24, 2020

Flutter 1.20 changed the podfile and the solution no longer works

+1 I have tried changes which writen on IOS side at plugin; but it doesn't work.

I am using Flutter 1.20.2, and the following Podfile configuration works. If it does not, then you probably have one more library requesting unwanted permissions.

post_install do |installer|
  installer.pods_project.targets.each do |target|
    target.build_configurations.each do |config|
      config.build_settings['ENABLE_BITCODE'] = 'NO'
      config.build_settings['GCC_PREPROCESSOR_DEFINITIONS'] ||= [
        '$(inherited)',
        ## dart: PermissionGroup.calendar
        'PERMISSION_EVENTS=0',

        ## dart: PermissionGroup.reminders
        'PERMISSION_REMINDERS=0',

        ## dart: PermissionGroup.contacts
        # 'PERMISSION_CONTACTS=0',

        ## dart: PermissionGroup.camera
        'PERMISSION_CAMERA=0',

        ## dart: PermissionGroup.microphone
        'PERMISSION_MICROPHONE=0',

        ## dart: PermissionGroup.speech
        'PERMISSION_SPEECH_RECOGNIZER=0',

        ## dart: PermissionGroup.photos
        'PERMISSION_PHOTOS=0',

        ## dart: [PermissionGroup.location, PermissionGroup.locationAlways, PermissionGroup.locationWhenInUse]
        'PERMISSION_LOCATION=0',

        ## dart: PermissionGroup.notification
        # 'PERMISSION_NOTIFICATIONS=0',

        ## dart: PermissionGroup.mediaLibrary
        'PERMISSION_MEDIA_LIBRARY=0',

        ## dart: PermissionGroup.sensors
        'PERMISSION_SENSORS=0'
      ]
    end
    flutter_additional_ios_build_settings(target)
  end
end

Please see 671992982

@AnkitPanchal10
Copy link

Flutter 1.20 changed the podfile and the solution no longer works

+1 I have tried changes which writen on IOS side at plugin; but it doesn't work.

I am using Flutter 1.20.2, and the following Podfile configuration works. If it does not, then you probably have one more library requesting unwanted permissions.

post_install do |installer|
  installer.pods_project.targets.each do |target|
    target.build_configurations.each do |config|
      config.build_settings['ENABLE_BITCODE'] = 'NO'
      config.build_settings['GCC_PREPROCESSOR_DEFINITIONS'] ||= [
        '$(inherited)',
        ## dart: PermissionGroup.calendar
        'PERMISSION_EVENTS=0',

        ## dart: PermissionGroup.reminders
        'PERMISSION_REMINDERS=0',

        ## dart: PermissionGroup.contacts
        # 'PERMISSION_CONTACTS=0',

        ## dart: PermissionGroup.camera
        'PERMISSION_CAMERA=0',

        ## dart: PermissionGroup.microphone
        'PERMISSION_MICROPHONE=0',

        ## dart: PermissionGroup.speech
        'PERMISSION_SPEECH_RECOGNIZER=0',

        ## dart: PermissionGroup.photos
        'PERMISSION_PHOTOS=0',

        ## dart: [PermissionGroup.location, PermissionGroup.locationAlways, PermissionGroup.locationWhenInUse]
        'PERMISSION_LOCATION=0',

        ## dart: PermissionGroup.notification
        # 'PERMISSION_NOTIFICATIONS=0',

        ## dart: PermissionGroup.mediaLibrary
        'PERMISSION_MEDIA_LIBRARY=0',

        ## dart: PermissionGroup.sensors
        'PERMISSION_SENSORS=0'
      ]
    end
    flutter_additional_ios_build_settings(target)
  end
end

Please see 671992982

If there is any other library that is using the permission, then is there any way we can identify which library is that?

@bartekpacia
Copy link

any solution?

@smolugu
Copy link

smolugu commented Sep 24, 2020

@ty0x2333 @mvanbeusekom
As of version 4.1.0 (released 10th of January) it is now possible to use the solution provided by @ty0x2333 to remove not needed permissions.

Does this mean this package can be used without the risk of getting rejected by apple.

I need access to location, bluetooth and camera in my app.

I am a bit confused after going through this post as I am new to app development.

Regards,
Shyam.

@cormalenv
Copy link

@smolugu you have likely already tested this but for the sake of answering the question for others, yes this does prevent rejection by Apple.

@Antol
Copy link

Antol commented Nov 6, 2020

I've got my app rejected with a message

"ITMS-90683: Missing Purpose String in Info.plist - Your app's code references one or more APIs that access sensitive user data. The app's Info.plist file should contain a NSContactsUsageDescription key with a user-facing purpose string explaining clearly and..."

I use permission_handler: 5.0.0+hotfix.4
But I turned off usage of Contacts in Podfile

    ## dart: PermissionGroup.contacts    
    'PERMISSION_CONTACTS=0',    

What may cause a problem? I need help

@NieYinlong
Copy link

NieYinlong commented Dec 21, 2020

`config.build_settings['ENABLE_BITCODE'] = 'NO'
# Here are some configurations automatically generated by flutter # You can remove unused permissions here

        # for more infomation: https://github.com/BaseflowIT/flutter-permission-handler/blob/develop/ios/Classes/PermissionHandlerEnums.h

        # eg when you don't need camera permission, just add 'PERMISSION_CAMERA=0'

        config.build_settings['GCC_PREPROCESSOR_DEFINITIONS'] ||= [ '$(inherited)',

        ## dart: PermissionGroup.calendar

          'PERMISSION_EVENTS=0',

        ## dart: PermissionGroup.reminders

          'PERMISSION_REMINDERS=0',

        ## dart: PermissionGroup.contacts

          'PERMISSION_CONTACTS=0',

        ## dart: PermissionGroup.microphone

          'PERMISSION_MICROPHONE=0',

        ## dart: PermissionGroup.speech

          'PERMISSION_SPEECH_RECOGNIZER=0',

        ## dart: PermissionGroup.photos

          'PERMISSION_PHOTOS=0',

        ## dart: PermissionGroup.notification

          'PERMISSION_NOTIFICATIONS=0',

        ## dart: PermissionGroup.mediaLibrary

          'PERMISSION_MEDIA_LIBRARY=0',

        ## dart: PermissionGroup.sensors

          'PERMISSION_SENSORS=0' ]`

I had add these, but Apple reject it also. how to resolve it?

@LucasHenriqueAbreu
Copy link

My app was rejected by NSAppleMusicUsageDescription.

@mvanbeusekom
Copy link
Member

My app was rejected by NSAppleMusicUsageDescription.

This issue has been resolved some time ago. Instructions on how to setup iOS correctly can be found in the README under the "iOS" section. It requires you to register some macros in your ios/Podfile and enable the permissions you require in your project.

Of course you still need to make sure you add valid descriptions to your ios/Runner/Info.plist file for the permissions your project requires.

@EinatK
Copy link

EinatK commented Sep 21, 2021

@mvanbeusekom the solution doesn't work. I enabled only the used permissions in my pod file and i'm still getting rejected for stuff i'm not asking for such as media, movement and more.

This is the relevant part of my podfile

post_install do |installer|
  installer.pods_project.targets.each do |target|
    flutter_additional_ios_build_settings(target)
    target.build_configurations.each do |config|
      config.build_settings['IPHONEOS_DEPLOYMENT_TARGET'] = '11.0'
      config.build_settings["EXCLUDED_ARCHS[sdk=iphonesimulator*]"] = "arm64"
      
      config.build_settings['GCC_PREPROCESSOR_DEFINITIONS'] ||= [
        '$(inherited)',

        ## dart: PermissionGroup.calendar
         'PERMISSION_EVENTS=1',

        ## dart: PermissionGroup.reminders
        # 'PERMISSION_REMINDERS=1',

        ## dart: PermissionGroup.contacts
         'PERMISSION_CONTACTS=1',

        ## dart: PermissionGroup.camera
         'PERMISSION_CAMERA=1',

        ## dart: PermissionGroup.microphone
        # 'PERMISSION_MICROPHONE=1',

        ## dart: PermissionGroup.speech
        # 'PERMISSION_SPEECH_RECOGNIZER=1',

        ## dart: PermissionGroup.photos
         'PERMISSION_PHOTOS=1',

        ## dart: [PermissionGroup.location, PermissionGroup.locationAlways, PermissionGroup.locationWhenInUse]
         'PERMISSION_LOCATION=1',

        ## dart: PermissionGroup.notification
         'PERMISSION_NOTIFICATIONS=1',

        ## dart: PermissionGroup.mediaLibrary
        # 'PERMISSION_MEDIA_LIBRARY=1',

        ## dart: PermissionGroup.sensors
        # 'PERMISSION_SENSORS=1',

        ## dart: PermissionGroup.bluetooth
         'PERMISSION_BLUETOOTH=1',

        ## dart: PermissionGroup.appTrackingTransparency
        # 'PERMISSION_APP_TRACKING_TRANSPARENCY=1',

        ## dart: PermissionGroup.criticalAlerts
        # 'PERMISSION_CRITICAL_ALERTS=1'
      ]
    end
  end
end

Getting rejected for NSAppleMusicUsageDescription, NSMotionUsageDescription and NSSpeechRecognitionUsageDescription being missing.

@mvanbeusekom
Copy link
Member

@EinatK, which version of the permission_handler are you using? Could you open a new issue with the following information:

  1. The version of the permission_handler you are using;
  2. The relevant part of your ios/Podfile (as listed above);
  3. The output of the flutter doctor -v command.

Note that specifically enabling permissions is only supported from version 8.0.0. In versions before 8.0.0 the logic was switch around and permissions where enabled by default and you had to explicitly disable permission in your podfile.

@Baseflow Baseflow locked as resolved and limited conversation to collaborators Sep 22, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests