-
-
Notifications
You must be signed in to change notification settings - Fork 869
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Apple rejects all binaries built using this package, unless ALL permissions have purposes/reasons added in the .plist, even if the app is not using most of them... #26
Comments
@manuelgomes2 have you added the required permissions to your |
I think at least there should be an information for devs to add the required purpose strings on this Github project. |
Yeah this is a bit of a disappointment, the geolocator package uses this package and I need to specify all the permissions. I don't care about having to specify the permissions - but I do care if Apple starts asking questions about why I need to access apple music for an app that clearly has nothing to do with music. I think this is a ticking time bomb and should be modularised. |
This plugin handles too many permissions which is not necessary for just a geolocator. And it's not a very professional way in production. I'm very grateful for the works of the author but there should be an optimized approach of handling permissions. Or maybe simply integrate a specific permission handler inside of Geolocator. Thank you. |
I agree this project probably needs to be broken up, possibly one permission handler project per permission. I may tinker with ripping out everything not needed for geolocator to function. |
I had the same issue, and did the quick and dirty fix that @firsthour mentioned. And here is a fork of geolocator that references the above fork: It's not pretty but it works. |
@manuelgomes2, @indiluk, @rknell, @elricym, @firsthour, @mortenboye, I have set out some probes with Google and Apple to see if there is a way to work around this issue. The plugin implements code for all SDKs that require user permissions and therefore the Apple analytics tools think we are actually using all the SDKs in our Apps (which is not the case). Worst case scenario is that we will convert the Geolocator component back into handling it's own permissions and add a clear disclaimer to this components readme explaining this drawback on iOS. Hopefully I will receive some useful feedback from Google (Flutter team) and/ or Apple to add some sort of compiler directives or conditional statements which allows us to only include that code/ SDKs that we are actually interested in. I will follow up on this as soon as possible. P.S. if any of you have a suggestion I would love to hear it of course. |
@mvanbeusekom maybe an easy fix would be to update geolocator to use it's own permission handler? And long term would be to make permission-hanler more modular? |
👍 on this issue, my app just got rejected because of this. At the very least, make this explicit on the project documentation. |
Same here. I wish I had known this when I implemented geolocator, instead of learning about when uploading my app to itunes (which is always the very last step because Android publishing is so much easier). Don't get me wrong: I am very grateful for you people sharing this library. But when you do explain in the docs about the location permissions, it would have helped a lot to mention this problem. BTW: Waiting for Apple to comment on this mostly useless. They almost never answer. And the flutter team cannot do anything about this. It's been this way with iOS for as long as I know. Either you really use the permission, or you remove the offending code. I really doubt that they are willing to change that 'rule' because of flutter. |
@mortenboye made a fork which removes the extra fluff, I forked this and made this Swift 4.2 compatible if you wanna take a took and need a quick solution. |
@BaseFlowIT do you have plans on updating this? It's pretty unusable atm... 🙏 |
Hi, any update?? Apple rejected all the time, all the strings added to plist, but still rejected. |
@mortenboye your solution seems good for me but how to implement this fork in flutter. I didn't deal with forks before.I have read the readme but there is no different dependencies |
@nabeelof you would have to reference the git repo directly:
|
@nabeelof
|
@mortenboye @smiLLe then I uploaded a new binary with new build number |
from what I am understanding, this library only works for Android at this time. Someone please update the documentation. |
We are currently in the process of splitting up the @smiLLe, @mortenboye, @nabeelof, we have recently release version 4.0.0 of the Geolocator plugin which now uses the |
right on, i'm still newbie in dart and flutter or I would contribute...I'll try to share back in the future |
Hasn't other permissions been modularized separately yet? |
why not delete the info.list in package and let user add their want in their project? |
FYI, I published two apps with dummy reasons in the plist file for all the permissions I'm not using, and Apple approved the releases. |
Are there any consequences to the user for adding permission strings that we don't use? For instance, if I add a geolocation permission string but never request geolocation, would users be warned on the app store that the app may request their location? |
@Rekubot I want to know this too. I believe Apple shows the messages only when used, so it wouldn't be shown. I just feel weird making up fake reasons. |
@Rekubot @ThinkDigitalSoftware I have a clear opinion about this: you should absolutely NOT do it. Firstly, it simply does not make any sense. Basic idea of permissions is that you add only permission you need. Otherwise we would not need permissions at all. There are good reasons why required permissions need to be defined for each app. It is question of user's privacy and security. Most importantly it may be a security risk to user's device if there is an app with all possible permissions. Even if your own app behaves correctly, some other app (malware) or even a 3rd party lib you are using could in theory use your app (as it has all permissions) to attack user's device. Maybe it is possible in iOS, maybe not. But better not to give them even a chance. If I knew some app in my device has all permissions even if it doesn't really use them, I would uninstall it immediately, give it 1 star and most probably also report the app to Apple as a possible malware. So adding all permissions is the worst workaround ever. Don't do it. |
The alternative is not to use this plugin or not to publish. My app doesn’t have any code to access these unused permissions and it doesn’t request them either. Even still, the user would have to allow them at the time of use first, which makes my app actually safer than any others that request these permissions and actually use them, right?
… On Jul 22, 2019, at 2:28 PM, kinex ***@***.***> wrote:
@Rekubot <https://github.com/Rekubot> @ThinkDigitalSoftware <https://github.com/ThinkDigitalSoftware> I have a clear opinion about this: you should absolutely NOT do it.
Firstly, it simply does not make any sense. Basic idea of permissions is that you add only permission you need. Otherwise we would not need permissions at all. There are good reasons why required permissions need to be defined for each app. It is question of user's privacy and security.
Most importantly it may be a security risk to user's device if there is an app with all possible permissions. Even if your own app behaves correctly, some other app (malware) or even a 3rd party lib you are using could in theory use your app (as it has all permissions) to attack user's device. Maybe it is possible in iOS, maybe not. But better not to give them even a chance. If I knew some app in my device has all permissions even if it doesn't really use them, I would uninstall it immediately, give it 1 star and most probably also report the app to Apple as a possible malware.
So adding all permissions is the worst workaround ever. Don't do it.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub <#26>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AFPYO7J6ZQV5EV4YEV7KP6DQAYRATANCNFSM4FVQWVWQ>.
|
@ThinkDigitalSoftware You can fork this plugin and remove extra stuff as suggested in earlier comments. There are also other similar plugins available, not sure if they have the same issue. Or wait until this plugin gets fixed. I have not started my iOS project yet, so my own plan is still open. |
在info.plist中添加相关配置如果APP实际用不到这些权限的话肯定会被拒的,苹果要求每一项权限都有合理的使用地方 |
I'm using a DIFFERENT permissions package but it has the SAME problem; permission_handler. |
@martijn00 @mvanbeusekom I submitted a pull request to solve this problem: #182 |
@ramoncardena In Android I get PermissionStatus.unknown when I try to check the storage permission |
I used @ty0x2333 PR, and works perfectly. Thanks! |
As of version 4.1.0 (released 10th of January) it is now possible to use the solution provided by @ty0x2333 to remove not needed permissions. |
Hello dears I have found the solution for this issue, Just go to this path down
then clean and restart your idea then build Thanks, |
Flutter 1.20 changed the podfile and the solution no longer works |
+1 I have tried changes which writen on IOS side at plugin; but it doesn't work. |
I am using Flutter 1.20.2, and the following Podfile configuration works. If it does not, then you probably have one more library requesting unwanted permissions.
Please see 671992982 |
If there is any other library that is using the permission, then is there any way we can identify which library is that? |
any solution? |
@ty0x2333 @mvanbeusekom Does this mean this package can be used without the risk of getting rejected by apple. I need access to location, bluetooth and camera in my app. I am a bit confused after going through this post as I am new to app development. Regards, |
@smolugu you have likely already tested this but for the sake of answering the question for others, yes this does prevent rejection by Apple. |
I've got my app rejected with a message "ITMS-90683: Missing Purpose String in Info.plist - Your app's code references one or more APIs that access sensitive user data. The app's Info.plist file should contain a NSContactsUsageDescription key with a user-facing purpose string explaining clearly and..." I use
What may cause a problem? I need help |
`config.build_settings['ENABLE_BITCODE'] = 'NO'
I had add these, but Apple reject it also. how to resolve it? |
My app was rejected by NSAppleMusicUsageDescription. |
This issue has been resolved some time ago. Instructions on how to setup iOS correctly can be found in the README under the "iOS" section. It requires you to register some macros in your Of course you still need to make sure you add valid descriptions to your |
@mvanbeusekom the solution doesn't work. I enabled only the used permissions in my pod file and i'm still getting rejected for stuff i'm not asking for such as media, movement and more. This is the relevant part of my podfile
Getting rejected for NSAppleMusicUsageDescription, NSMotionUsageDescription and NSSpeechRecognitionUsageDescription being missing. |
@EinatK, which version of the permission_handler are you using? Could you open a new issue with the following information:
Note that specifically enabling permissions is only supported from version 8.0.0. In versions before 8.0.0 the logic was switch around and permissions where enabled by default and you had to explicitly disable permission in your podfile. |
Apple now rejects all apps, the error is as follows:
Missing Purpose String in Info.plist File - Your app's code references one or more APIs that access sensitive user data. The app's Info.plist file should contain a NSContactsUsageDescription key with a user-facing purpose string explaining clearly and completely why your app needs the data. Starting Spring 2019, all apps submitted to the App Store that access user data will be required to include a purpose string.If you're using external libraries or SDKs, they may reference APIs that require a purpose string. While your app might not use these APIs, a purpose string is still required. You can contact the developer of the library or SDK and request they release a version of their code that doesn't contain the APIs. Learn more (https://developer.apple.com/documentation/uikit/core_app/protecting_the_user_s_privacy).
Missing Purpose String in Info.plist File - Your app's code references one or more APIs that access sensitive user data. The app's Info.plist file should contain a NSCalendarsUsageDescription key with a user-facing purpose string explaining clearly and completely why your app needs the data. Starting Spring 2019, all apps submitted to the App Store that access user data will be required to include a purpose string.If you're using external libraries or SDKs, they may reference APIs that require a purpose string. While your app might not use these APIs, a purpose string is still required. You can contact the developer of the library or SDK and request they release a version of their code that doesn't contain the APIs. Learn more (https://developer.apple.com/documentation/uikit/core_app/protecting_the_user_s_privacy).
Missing Purpose String in Info.plist File - Your app's code references one or more APIs that access sensitive user data. The app's Info.plist file should contain a NSAppleMusicUsageDescription key with a user-facing purpose string explaining clearly and completely why your app needs the data. Starting Spring 2019, all apps submitted to the App Store that access user data will be required to include a purpose string.If you're using external libraries or SDKs, they may reference APIs that require a purpose string. While your app might not use these APIs, a purpose string is still required. You can contact the developer of the library or SDK and request they release a version of their code that doesn't contain the APIs. Learn more (https://developer.apple.com/documentation/uikit/core_app/protecting_the_user_s_privacy).
Missing Purpose String in Info.plist File - Your app's code references one or more APIs that access sensitive user data. The app's Info.plist file should contain a NSMotionUsageDescription key with a user-facing purpose string explaining clearly and completely why your app needs the data. Starting Spring 2019, all apps submitted to the App Store that access user data will be required to include a purpose string.If you're using external libraries or SDKs, they may reference APIs that require a purpose string. While your app might not use these APIs, a purpose string is still required. You can contact the developer of the library or SDK and request they release a version of their code that doesn't contain the APIs. Learn more (https://developer.apple.com/documentation/uikit/core_app/protecting_the_user_s_privacy).
Missing Purpose String in Info.plist File - Your app's code references one or more APIs that access sensitive user data. The app's Info.plist file should contain a NSSpeechRecognitionUsageDescription key with a user-facing purpose string explaining clearly and completely why your app needs the data. Starting Spring 2019, all apps submitted to the App Store that access user data will be required to include a purpose string.If you're using external libraries or SDKs, they may reference APIs that require a purpose string. While your app might not use these APIs, a purpose string is still required. You can contact the developer of the library or SDK and request they release a version of their code that doesn't contain the APIs. Learn more (https://developer.apple.com/documentation/uikit/core_app/protecting_the_user_s_privacy).
The text was updated successfully, but these errors were encountered: