I just received an email from App Store Connect about them aving an issue with Facebook App Events SDKs being bundled with my app. Here is the letter:
Feb 16, 2021 at 4:55 PM
From Apple
Issues with your app privacy details on the App Store
Hello,
We noticed some possible issues with your answers to the app privacy questions in App Store Connect and want to help you make the appropriate changes. The App Store provides users with important information about your appâs privacy practices based on your answers to these questions. This information helps users better understand your appâs privacy practices before they download it on an Apple platform.
Your app appears to integrate code from third-party SDKs or libraries, such as Facebook App Events. It is possible these SDKs collect and track device or user data. Your answers to the app privacy questions indicate that your app does not collect any kind of user or device data.
You are responsible for everything in your app, including code from third-party partners like ad networks, analytics tools, and third-party SDKs. To make sure future submissions are fully compliant, carefully choose your third-party partners and review their privacy practices. Youâll need to know the types of data they collect from your app to accurately answer the app privacy questions in App Store Connect. Once you have this information, please update your answers as necessary. You do not need to reply to this message once your privacy information has been updated.
If your appâs privacy practices arenât accurately disclosed in future submissions, your app may be rejected for not being compliant with App Store Review Guidelines 2.3 - Accurate Metadata and 5.1.2 - Data Use and Sharing.
Yes, the guide says I have to say âYes, we collect data from this app.â.
Only thing is, the App does not collect any data, and that is pretty important. However, some modules in the App might, or at least that is how Apple sees it.
How do I remove those modules? I do not want an app that potentially collects data.
I also have the same concerns. I work with an app that has a privacy focus. We donât use Expo Notifications, we donât use the update mechanism, and we donât have any kind of advertising. Is there any way to remove these modules from compilation, or is ejecting the only way to go?
run expo eject if you want to have full control over what is included. otherwise, weâll be launching preview support for managed expo apps on âEAS Buildâ in a couple months. you can read more about the current state of libraries in managed apps here: fyi/managed-app-size.md at main ¡ expo/fyi ¡ GitHub
tl;dr: we include every package in the sdk in your binary. unfortunately this leads to some false positives because the code is there even though itâs not used. there are good reasons to do this but we ultimately decided that this isnât the best tradeoff and weâre working on changing this behavior in EAS Build. support for managed apps in EAS Build should be available around the beginning of q2.
Would it be possible to make expo-updates in a way that would not be considdered a privacy issue for Apple? Or at least have an option not to be that somehow?
this doesnât have anything to do with expo-updates, theyâre concerned about the inclusion of the code from the facebook sdk, but that is included in every managed app as mentioned in the above doc
If this issue affects your app, you can eject your project, remove the Facebook-related libraries, and compile your app. At the end of the day, you have full control over the code that goes into your app.
This is a really unserious comment on a very serious thread. Please stop yourself.
@notbrent is actually trying to give adequate insights to the problem here. If Apple think it is a problem, it is a problem. And it affects all Expo users.
i donât think it was @ideâs intention to downplay the seriousness of an issue that expo users think is important. some news that is relevant to this issue is that we will be launching managed support for eas build in the next few weeks, and that will allow you to remove any libraries from your app when building a standalone app, without needing to eject.
I read late Q1 as an estimated release somwhere in the documentation. Is there a newer estimate? I have a hanging issue and have to push a new version to the App Stores.
you can try it out on sdk 41 from our release notes post:
Improvements were made across the SDK to ensure compatibility with EAS Build. A big part of this SDK has been making the necessary underlying changes to support EAS Build for managed projects. Weâre still working through a few remaining loose ends, and you can expect an announcement with more information about official support for SDK 41+ managed projects in EAS Build soon!
the only caveats right now are:
we havenât written up documentation specific to managed workflow in eas build
you should ensure you have installed expo-splash-screen in your app (expo install expo-splash-screen) - thereâs an open PR so this wonât be required but it hasnât landed yet
if you do try it, please let me know how that works out for you. we donât plan a lot of changes between now and when we announce this, so itâs in a pretty good spot right now.