Mail from App Store Connect about Facebook App Events

caminoninja · February 16, 2021, 7:58pm

Please provide the following:

SDK Version: 40
Platforms(Android/iOS/web/all): iOS

Hi,

I just received an email from App Store Connect about them aving an issue with Facebook App Events SDKs being bundled with my app. Here is the letter:

Feb 16, 2021 at 4:55 PM

From Apple

Issues with your app privacy details on the App Store

Hello,

We noticed some possible issues with your answers to the app privacy questions in App Store Connect and want to help you make the appropriate changes. The App Store provides users with important information about your app’s privacy practices based on your answers to these questions. This information helps users better understand your app’s privacy practices before they download it on an Apple platform.

Your app appears to integrate code from third-party SDKs or libraries, such as Facebook App Events. It is possible these SDKs collect and track device or user data. Your answers to the app privacy questions indicate that your app does not collect any kind of user or device data.

You are responsible for everything in your app, including code from third-party partners like ad networks, analytics tools, and third-party SDKs. To make sure future submissions are fully compliant, carefully choose your third-party partners and review their privacy practices. You’ll need to know the types of data they collect from your app to accurately answer the app privacy questions in App Store Connect. Once you have this information, please update your answers as necessary. You do not need to reply to this message once your privacy information has been updated.

Learn more about what you’ll need to know to provide accurate answers to the privacy questions.

If your app’s privacy practices aren’t accurately disclosed in future submissions, your app may be rejected for not being compliant with App Store Review Guidelines 2.3 - Accurate Metadata and 5.1.2 - Data Use and Sharing.

Best regards,

App Store Review

caminoninja · February 17, 2021, 3:12am

Additionally. I’m not using Facebook App Events in my App.

caminoninja · February 17, 2021, 3:14am

And I guess my question is, is it possible to remove Facebook App Events from my App?

Best
Andy

adamjnav · February 17, 2021, 7:03pm

Hey @caminoninja, can you take a look at this guide and make sure you’ve followed it correctly?

Cheers,
Adam

caminoninja · February 17, 2021, 11:40pm

Yes, the guide says I have to say “Yes, we collect data from this app.”.

Only thing is, the App does not collect any data, and that is pretty important. However, some modules in the App might, or at least that is how Apple sees it.

How do I remove those modules? I do not want an app that potentially collects data.

Best
Andy

anthonylavado · February 18, 2021, 4:50am

I also have the same concerns. I work with an app that has a privacy focus. We don’t use Expo Notifications, we don’t use the update mechanism, and we don’t have any kind of advertising. Is there any way to remove these modules from compilation, or is ejecting the only way to go?

caminoninja · February 18, 2021, 10:20pm

No, Flutter is probably the better option if this is not resolved.

notbrent · February 18, 2021, 10:31pm

run expo eject if you want to have full control over what is included. otherwise, we’ll be launching preview support for managed expo apps on “EAS Build” in a couple months. you can read more about the current state of libraries in managed apps here: https://expo.fyi/managed-app-size

kemikalgeneral · February 26, 2021, 10:45am

Hi @adamjnav & @notbrent,

Could you please elaborate on this?

That documentation only states:

" Select Device ID
- Managed standalone apps include the Facebook, Facebook Ads, and Google AdMob SDKs, which still access the IDFA."

…but that opens a can of worms in itself as we have to ‘Setup the Device ID’, asking:

how device ID’s are collected?
Are they linked to a user’s identity?
Are they used for tracking purposes?

For code that is hidden within the SDK, so, how are we supposed to answer them?

My app is purely reference and education, but this ‘hidden’ collection of data makes it seem like something dodgy is going on.

Any help with this would be very much appreciated as my submission is awaiting it.

Thanks,

notbrent · February 26, 2021, 6:02pm

hello! this doc explains how the managed workflow currently works: https://expo.fyi/managed-app-size

tl;dr: we include every package in the sdk in your binary. unfortunately this leads to some false positives because the code is there even though it’s not used. there are good reasons to do this but we ultimately decided that this isn’t the best tradeoff and we’re working on changing this behavior in EAS Build. support for managed apps in EAS Build should be available around the beginning of q2.

follow the app store submission guide here: Deploying to App Stores - Expo Documentation

caminoninja · February 26, 2021, 7:11pm

Would it be possible to make expo-updates in a way that would not be considdered a privacy issue for Apple? Or at least have an option not to be that somehow?

notbrent · February 26, 2021, 7:27pm

this doesn’t have anything to do with expo-updates, they’re concerned about the inclusion of the code from the facebook sdk, but that is included in every managed app as mentioned in the above doc

caminoninja · March 15, 2021, 11:46pm

Well that means all Expo Apps have privacy issues according to Apple.

ide · March 16, 2021, 1:33am

If this issue affects your app, you can eject your project, remove the Facebook-related libraries, and compile your app. At the end of the day, you have full control over the code that goes into your app.

Most developers have not encountered this and following the guidelines here (Deploying to App Stores - Expo Documentation) is empirically working well for most people.

caminoninja · April 11, 2021, 9:51am

This is a really unserious comment on a very serious thread. Please stop yourself.

@notbrent is actually trying to give adequate insights to the problem here. If Apple think it is a problem, it is a problem. And it affects all Expo users.

notbrent · April 11, 2021, 11:41pm

i don’t think it was @ide’s intention to downplay the seriousness of an issue that expo users think is important. some news that is relevant to this issue is that we will be launching managed support for eas build in the next few weeks, and that will allow you to remove any libraries from your app when building a standalone app, without needing to eject.

anthonylavado · April 16, 2021, 5:43pm

When the update to EAS is available, will there be a guideline/list of what we have to remove, or will it be automatic?

Seems like a good entry to the documentation of you ask me

notbrent · April 16, 2021, 7:27pm

only libraries included in your node_modules will be included in managed builds with eas build

caminoninja · April 16, 2021, 8:18pm

I read late Q1 as an estimated release somwhere in the documentation. Is there a newer estimate? I have a hanging issue and have to push a new version to the App Stores.

notbrent · April 16, 2021, 10:55pm

you can try it out on sdk 41 from our release notes post:

Improvements were made across the SDK to ensure compatibility with EAS Build. A big part of this SDK has been making the necessary underlying changes to support EAS Build for managed projects. We’re still working through a few remaining loose ends, and you can expect an announcement with more information about official support for SDK 41+ managed projects in EAS Build soon!

the only caveats right now are:

we haven’t written up documentation specific to managed workflow in eas build
you should ensure you have installed expo-splash-screen in your app (expo install expo-splash-screen) - there’s an open PR so this won’t be required but it hasn’t landed yet

if you do try it, please let me know how that works out for you. we don’t plan a lot of changes between now and when we announce this, so it’s in a pretty good spot right now.

https://blog.expo.io/expo-sdk-41-12cc5232f2ef