include NSPrivacyAccessedAPICategoryDiskSpace & NSPrivacyAccessedAPICategoryFileTimestamp Information

[yachtwave]

Summary

Starting today (3/14/2024) apple is sending an email when publishing a new version of an app that complains about the NSPrivacyAccessedAPICategoryDiskSpace & NSPrivacyAccessedAPICategoryFileTimestamp - ITMS-91053: Missing API declaration (See email message below). How can we set this with Expo? They will no longer accept the builds after May 1st.

ITMS-91053: Missing API declaration - Your app’s code in the “YachtWave” file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryDiskSpace. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.

ITMS-91053: Missing API declaration - Your app’s code in the “YachtWave” file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryFileTimestamp. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.

Link to the related docs page

https://docs.expo.dev/

Anything else?

No response

[felipemelendez]

I too received such an email but I got more missing declarations than that.
Here is a list or all the missing API declarations:
NSPrivacyAccessedAPICategoryFileTimestamp.
NSPrivacyAccessedAPICategorySystemBootTime.
NSPrivacyAccessedAPICategoryDiskSpace.
NSPrivacyAccessedAPICategoryUserDefaults.

I am not recording boot time, or accessing disk space information, or accessing user defaults.
And, I am only using dependencies from the Expo library, and I have been submitting with the same dependencies for a while. Not sure how to address these, someone please share some guidance.
Thanks in advance for any guidance shared

[sumit1317]

I got the similar one..it seems we need to add some information in app.json file. But what and where exactly within the expo object ?

[bgbahoue]

Same issue here. There API declarations seems to come from @react-native-community/async-storage module.

On Discord another developer mentioned that they tried to add a NSPrivacyAccessedAPITypes key to the iOS.infoPlist object but what I'm getting from Apple docs is that it should be declared in a (new?) file called PrivacyInfo.xcprivacy (see https://developer.apple.com/documentation/bundleresources/privacy_manifest_files#4284009)

Any suggestion on how to solve that?

[aliza-khu]

@bgbahoue, For you reference: react-native-async-storage/async-storage#1061.

[mluiten]

For what it's worth -- the only module in my project that exposes a PrivacyInfo.xcprivacy resource file is @sentry/react-native and the file can be found here; https://github.com/getsentry/sentry-cocoa/blob/main/Sources/Resources/PrivacyInfo.xcprivacy. Seems like they reference it from the Podspec and bundle it with their pod, which seems to work? Not sure if you can have only one of these PrivacyInfo files per project though...

Edit: so according to Apple, all third-party SDK's should make their own privacy file and it would be merged together to create a privacy report: https://developer.apple.com/support/third-party-SDK-requirements/ -- not sure if this works correctly in Expo though as it depends on using frameworks and embedding libraries (I'm not an expert)? I'm getting these emails even though I'm using sentry-react-native, which seems to expose a privacy file for one of the required keys. edit: it actually seems like the version of sentry-react-native did not include that specific key, and the other keys are not in the warning mail, so my assumption is that, if a component author adds these files, it should work correctly. will test it some more.

[milch-shake]

I believe that the component developers are currently working on this. At the moment it is not yet dramatic, as the API declaration is only relevant from May 1st - it is just an indication.

[mluiten]

1,5 months is actually pretty soon -- and as Apple will actively start rejecting apps that don't (fully) comply, I imagine you can't just fix it in the latest version, but also have to port it back to at least expo 49 compatible versions, and maybe even earlier? Not sure what the policy for supported versions is, but otherwise it's basically a mandatory (major) upgrade for everyone :)

[fobos531]

Yup, there should probably be a new section in the Expo CNG process which generates this privacy manifest information

[fobos531]

Expo team is already working on this, see: https://discord.com/channels/695411232856997968/1217655160340349081/1218162473027371038

[Developer1970]

I am amazed that Apple is giving so little time to developers to role this out! Anyhow, I am using Expo 49, so hopefully this change would be downported to 49 as well.

[trucuit]

same issue

[kurucaner]

same issue

[dvthust]

same issue

[matheusbento]

same here

[johnhatvani]

@bgbahoue

Same issue here. There API declarations seems to come from @react-native-community/async-storage module.

its not just async-storage you can use these tools (here & here) to search your binary/codebase for usages of these API's / symbols

from the results there I can see that there's a few locations where expo has to provide declarations for usage of these API/Symbols

Used symbols in binary ./EXConstants/EXConstants.framework/EXConstants: NSUserDefaults
Used symbols in binary ./EXFileSystem/EXFileSystem.framework/EXFileSystem: NSURLVolumeAvailableCapacityForImportantUsageKey, NSURLVolumeTotalCapacityKey
Used symbols in binary ./EXApplication/EXApplication.framework/EXApplication: NSFileCreationDate

./node_modules/expo-file-system/ios/EXFileSystem/EXFileSystemAssetLibraryHandler.m:    result[@"modificationTime"] = @(asset.modificationDate.timeIntervalSince1970);
./node_modules/expo/node_modules/expo-file-system/ios/EXFileSystem/EXFileSystemAssetLibraryHandler.m:    result[@"modificationTime"] = @(asset.modificationDate.timeIntervalSince1970);
./node_modules/expo-file-system/ios/EXFileSystem/EXFileSystemLocalFileHandler.m:    result[@"modificationTime"] = @(attributes.fileModificationDate.timeIntervalSince1970);
./node_modules/expo/node_modules/expo-file-system/ios/EXFileSystem/EXFileSystemLocalFileHandler.m:    result[@"modificationTime"] = @(attributes.fileModificationDate.timeIntervalSince1970);

(https://developer.apple.com/documentation/foundation/fileattributekey/1410058-modificationdate)

Some of these could be false positives but at least gives a starting point to investigate.
Thanks!

[Georg7]

Same issue

[younes0]

@Georg7 @NxsHbb @vanhoai127, please avoid making comments like these, as they trigger email notifications for all subscribers. Instead, use the thumbs up button on the OP's first comment Thank you for your understanding.

[keith-kurak]

Hi all! We've got the team actively engaged with this issue that really affects the whole iOS developer ecosystem, working on updating packages we have control of providing guidance on what to do if a 3rd party package you use is not updated). To keep communication clear on this, we have a tracking issue open at #27796. Please watch this tracking issue to keep up-to-date as we have more details about action you can take to mitigate this warning and keep building past May 1.

[jp928]

This is annoying I am not using @react-native-community/async-storage how could I know which library using those privacies.

[Ainias]

@jp928 we use https://github.com/Wooder/ios_17_required_reason_api_scanner to determine which library uses the privacies