Mail from App Store Connect about Facebook App Events

caminoninja · February 16, 2021, 7:58pm

Please provide the following:

SDK Version: 40
Platforms(Android/iOS/web/all): iOS

Hi,

I just received an email from App Store Connect about them aving an issue with Facebook App Events SDKs being bundled with my app. Here is the letter:

Feb 16, 2021 at 4:55 PM

From Apple

Issues with your app privacy details on the App Store

Hello,

We noticed some possible issues with your answers to the app privacy questions in App Store Connect and want to help you make the appropriate changes. The App Store provides users with important information about your app’s privacy practices based on your answers to these questions. This information helps users better understand your app’s privacy practices before they download it on an Apple platform.

Your app appears to integrate code from third-party SDKs or libraries, such as Facebook App Events. It is possible these SDKs collect and track device or user data. Your answers to the app privacy questions indicate that your app does not collect any kind of user or device data.

You are responsible for everything in your app, including code from third-party partners like ad networks, analytics tools, and third-party SDKs. To make sure future submissions are fully compliant, carefully choose your third-party partners and review their privacy practices. You’ll need to know the types of data they collect from your app to accurately answer the app privacy questions in App Store Connect. Once you have this information, please update your answers as necessary. You do not need to reply to this message once your privacy information has been updated.

Learn more about what you’ll need to know to provide accurate answers to the privacy questions.

If your app’s privacy practices aren’t accurately disclosed in future submissions, your app may be rejected for not being compliant with App Store Review Guidelines 2.3 - Accurate Metadata and 5.1.2 - Data Use and Sharing.

Best regards,

App Store Review

caminoninja · February 17, 2021, 3:12am

Additionally. I’m not using Facebook App Events in my App.

caminoninja · February 17, 2021, 3:14am

And I guess my question is, is it possible to remove Facebook App Events from my App?

Best
Andy

adamjnav · February 17, 2021, 7:03pm

Hey @caminoninja, can you take a look at this guide and make sure you’ve followed it correctly?

Cheers,
Adam

caminoninja · February 17, 2021, 11:40pm

Yes, the guide says I have to say “Yes, we collect data from this app.”.

Only thing is, the App does not collect any data, and that is pretty important. However, some modules in the App might, or at least that is how Apple sees it.

How do I remove those modules? I do not want an app that potentially collects data.

Best
Andy

anthonylavado · February 18, 2021, 4:50am

I also have the same concerns. I work with an app that has a privacy focus. We don’t use Expo Notifications, we don’t use the update mechanism, and we don’t have any kind of advertising. Is there any way to remove these modules from compilation, or is ejecting the only way to go?

caminoninja · February 18, 2021, 10:20pm

No, Flutter is probably the better option if this is not resolved.

notbrent · February 18, 2021, 10:31pm

run expo eject if you want to have full control over what is included. otherwise, we’ll be launching preview support for managed expo apps on “EAS Build” in a couple months. you can read more about the current state of libraries in managed apps here: https://expo.fyi/managed-app-size

kemikalgeneral · February 26, 2021, 10:45am

Hi @adamjnav & @notbrent,

Could you please elaborate on this?

That documentation only states:

" Select Device ID
- Managed standalone apps include the Facebook, Facebook Ads, and Google AdMob SDKs, which still access the IDFA."

…but that opens a can of worms in itself as we have to ‘Setup the Device ID’, asking:

how device ID’s are collected?
Are they linked to a user’s identity?
Are they used for tracking purposes?

For code that is hidden within the SDK, so, how are we supposed to answer them?

My app is purely reference and education, but this ‘hidden’ collection of data makes it seem like something dodgy is going on.

Any help with this would be very much appreciated as my submission is awaiting it.

Thanks,

notbrent · February 26, 2021, 6:02pm

hello! this doc explains how the managed workflow currently works: https://expo.fyi/managed-app-size

tl;dr: we include every package in the sdk in your binary. unfortunately this leads to some false positives because the code is there even though it’s not used. there are good reasons to do this but we ultimately decided that this isn’t the best tradeoff and we’re working on changing this behavior in EAS Build. support for managed apps in EAS Build should be available around the beginning of q2.

follow the app store submission guide here: Deploying to App Stores - Expo Documentation

caminoninja · February 26, 2021, 7:11pm

Would it be possible to make expo-updates in a way that would not be considdered a privacy issue for Apple? Or at least have an option not to be that somehow?

notbrent · February 26, 2021, 7:27pm

this doesn’t have anything to do with expo-updates, they’re concerned about the inclusion of the code from the facebook sdk, but that is included in every managed app as mentioned in the above doc