Prompt user with iOS AppTrackingTransparency in managed workflow

Please provide the following:

  1. SDK Version: 40
  2. Platforms(Android/iOS/web/all): iOS
  3. iOS IDFA/ATTrackingManager

According to recent apple update, ALL apps published to AppStore since 26.4.2021, are required to use App Tracking Transparency framework, if they are requiring user name, email, phone or any user generated content.

Our app requires user name, email and phone number to register user into the app in order to use it. We are not using Segment, AdMob or FacebookAds in our app, but since these libraries can be used in expo managed, we are obliged to check the boxes which custom user content we use, when deploying the app to the AppStore. (Deploying to App Stores - Expo Documentation)

According to Apple Tracking Transparency I have set the infoPlist key in app.json, but can’t figure out how to show the alert dialog, since ATTrackingManager class, which prompts the user permission is not present in expo and haven’t found this type of permission in expo-permissions either. Any clue on how to approach this issue? Thanks a bunch.

7 Likes

We received an e-mail requiring the implementation of AppTrackingTransparency in the next version, bumping this question to know how we are supposed to proceed.

just found out expo-ads-admob is able to requestPermissionsAsync() and getPermissionsAsync() in Expo 41

2 Likes

Thanks for following up with the answer here, @vaclav.ryska :clap:

1 Like

So, from what I understood, it seems like this admob package is gonna be mandatory for any iOS app that collect user data in any form ( at least that’s what they say in the e-mail ), is this right? I didn’t really want to add another package just to prompt the user for tracking permission.
We don’t even show ads to our users, shouldn’t we have a non package specific solution to this?

2 Likes

With the upcoming public release of iOS 14.5, iPadOS 14.5, and tvOS 14.5, all apps must use the AppTrackingTransparency framework to request the user’s permission to track them or to access their device’s advertising identifier. Unless you receive permission from the user to enable tracking, the device’s advertising identifier value will be all zeros and you may not track them.

if you’re not tracking the user (eg: for ads) then it shouldn’t be needed. are you being told otherwise during submission?

Yes, I was told that after submitting my app today.
But we don’t use ads.
Can anyone give me an example on how to set up the requestPermissionsAsync()?
Where to import it from?

That sort of information is in the Admob docs but that seems to be to be the wrong way to go about this.

Since you’re not using ads, I think you should look into using EAS Build. See in particular this part of the blog post:

For now you need to subscribe to a Priority plan. They do plan to have a free tier in future, but they’re still busy improving the service at the moment.

I looked in the docs but couldn’t find. Can you point that out to me.
So does EAS guarantee that Expo won’t track the user and Apple will accept the app ?

So the only 2 options currently is install and use the admob package, or get a priority plan and use the EAS build? These both seem…not great. Is there a planned update to the Permissions module for this?

1 Like

EAS removes native code you are not using. So if you’re not using ads then EAS should produce an app that does not include that code, so Apple should accept it.

But in theory it should not be necessary to use EAS. Since you’re not using ads, getting the device’s advertising identifier or otherwise tracking them across other companies’ apps/websites/etc., the wording makes it sound like there should not be a problem. If you do want the advertising ID then as far as I know you will need to use Admob.requestPermissionsAsync(). I am no expert on what Apple allows or requires for apps to get into the App Store, though.

image

This is the rejection message we got from Apple yesterday:

We noticed you do not use App Tracking Transparency to request the user’s permission before tracking their activity across apps and websites. The app privacy information you provided in App Store Connect indicates you collect data in order to track the user, including Device ID.

Starting with iOS 14.5, apps on the App Store need to receive the user’s permission through the AppTrackingTransparency framework before collecting data used to track them. This requirement protects the privacy of App Store users.

Next Steps

Here are two ways to resolve this issue:

We do not use tracking for any marketing purposes. We do not track our users at all.

So, should we change to “NO, we don’t collect data” in the App configuration?

If that’s the case, it’s against what Expo itself recommends on App stores best practices - Expo Documentation, where it states that we should choose Yes, we collect data from this app because managed apps include " Facebook, Facebook Ads, and Google AdMob SDKs, which still access the IDFA".

Not sure how we should proceed here.

2 Likes

So, should we change to “NO, we don’t collect data” in the App configuration?

If you’re building with EAS Build, as opposed to classic build (expo build), and you don’t use Facebook, Facebook Ads, or Google AdMob SDKs, then you do not need to say you collect data if and only if you don’t otherwise collect any relevant data.

The reason that guide states to answer yes for managed workflow apps built with expo build is because the native code for accessing the IDFA is technically present in the binary, even though it may be completely dead code (depending on your app). The question on “Do you collect data” is different from “Does your app access the IDFA” though, but I’m not 100% certain on whether Apple considers those two separate questions, or the same one phrased differently

how to use it:

import * as ExpoAdsAdmob from 'expo-ads-admob';

const permission = await ExpoAdsAdmob.requestPermissionsAsync();

if (permission.status == 'granted) {
     // profit
}

Wrote up a quick explainer on this + the new upcoming unimodule here: Implementing iOS 14.5 Tracking Transparency in Expo SDK41 - DEV Community 👩‍💻👨‍💻

2 Likes

Has anyone tried to submit managed app with classic expo build and answered NO?

Are the Facebook and Google libraries accessing the IDFA by default in all expo build apps?

In the @expo/config-types/build/ExpoConfig.d.ts it says that the default value for googleMobileAdsAutoInit is false. Also facebookAutoInitEnabled is said to be false by default.
For the facebookAdvertiserIDCollectionEnabled config option it says:
“Whether the Facebook SDK should collect advertiser ID properties, like the Apple IDFA and Android Advertising ID, automatically. If you don’t set this property, Facebook’s default policy will be used. (Applicable only to standalone apps.)”
Don’t know what that means then in practice by default. But if I’d set that config option to be false in app.json, would that then mean that neither Facebook nor Google would actually read the IDFA? (Meaning it might be possible that Apple would approve “No we are not tracking” answer)

In very simple terms can someone validate the following logic?

If I build using EAS Build and I am not using the Device ID to track the user in any way, please note I am using however the push notification device id that expo provides me which hopefully is completely different.

Then can it be said that if I choose to answer No in Apple’s questions that if we track the users or not, then will the app be approved.

@idrlmartian if you don’t collect any of the data that Apple specifies (including your in your dependencies), then you choose No and you should be approved. But no one can answer this question for sure besides Apple themselves

No, they are not. Unless you call into the code, this code is never run and is essentially dead. However it could be that just the presence of the code alone, even though it’s never used, could cause Apple to say you need to state that it’s collected.

If you’re building with expo build and do collect any tracking info

Request permissions to do so with either the specific library you’re using for tracking, or with expo-tracking-transparency.

If you’re building with expo build and do not collect any tracking info

I can’t say with absolute certainty that Apple will not flag your app just due to the native code for collecting the IDFA being present, even though you never collect it. According to Apple, without asking for permission, the IDFA would just return all 0s so you technically don’t even have the capability of collecting it.

If you don’t use those libraries listed, I would suggest trying to submit your app and say that you do not collect info for tracking, and if Apple approves you then let me know. If your app is rejected, which is quite possible, you can respond explaining that although there is native code present for tracking the IDFA, it is in a dependency of yours and the code is never run, since your app has no need for tracking the user.

If you’re building with eas build

Only your specified dependencies are included in your builds, so you don’t have to account for any special cases. If your app tracks the user, you have to follow Apple’s guidelines

2 Likes

We submitted our app (version update, not first submission) with normal expo build and answered No to the tracking question. Apple approved it just fine. However, from past experience I know that sometimes they might answer differently to similar submissions. But like said, for us, they approved it.

2 Likes