-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[New Feature / Proposal] Add new required attribute in podspec to provide privacy details #10325
Comments
Smart idea in my opinion. Would allow aggregating all of these details from third parties using fastlane, as you mentioned, to make sure your privacy settings are update. An even nicer idea could be warning you that installing this pod will change your App's privacy details. |
If this was a first party file format that Apple + Xcode supported, I think I'd be onboard with the level of ecosystem changes this request has. However, as you have to use Fastlane to get any of the advantages of this scale of automation, I'm not sure it's worth breaking the deployment of every current podspec. The idea is good in general, perhaps it could maybe be a trunk warning? |
@orta you don't have to use Fastlane at all to get the benefit of this feature. If you don't use Fastlane then you will still benefit from the JSON generated by CocoaPods at the end of We could totally decide on a completely different file format for the report (the JSON that If we decide on another format for the podspec attribute and/or the generated report (eg generate the report as a YAML to match the fact that other files generated by CocoaPods, like the lockfile, are also YAML) it would work just the same and provide the exact same benefit, ie allow the users to end up with a nice human readable report they could use to know what to answer when they fill the privacy report form in ADC. The only difference is that people who happen to also use Fastlane (witch is a lot of iOS devs in practice) would need to write an additional script to transform that YAML (or whatever we choose as a report format) into the JSON that Fastlane uses for its action. I agree that this file format is not an Apple or Xcode standard (if there were one we would have used it instead obviously), but since there's no such standard we have to pick an arbitrary format for the attribute and for the report. So why not pick this one 🙃 |
I think there are a couple of things that stand out, at least for the MVP of this:
|
@orta tbh when I approached @AliSoftware I didn't even know there was a fastlane action for this. My thought process was that developers shouldn't have put effort to figure out. Or more accurately, they may not have knowledge of all the internals of the pod hence can't even figure it out. So instead I though pod owners should just be clear about what they do and they do it once. Then every one can use it. I suppose also pod owners could get asked about this, so this makes it easier for them as well. I see the fastlane integration just as a very juicy and easy to deliver bonus. Having that said I think @freak4pc makes a good point
I just think that:
Perhaps we can make it optional for now then follow the approach that Apple takes and be like: Starting from 1 May 2021, pods that don't include |
Yeah I would also opt for the more "gradual rollout" approach here. Definitely need to enforce it at some point but perhaps two versions would be a good range. |
I like the gradual rollout idea 👍 |
So it seems to me there are two angles, for the two versions:
After the first two versions:
WDYT? @prohoney @AliSoftware |
Yeah I like that; tho I'm not sure where you're going with the "Consumers" aspects of this. Consumers would just run The consumers would then either never read the generated report and don't care about it, or read it to know that some pods still don't provide their privacy details yet. Agreed maybe we could consider also printing a warning to stdout upon Though I like the idea of also having that warning indeed as an additional info about that and to encourage Maintainers to add that info when Consumer will start filing issues about it on their repos when they see the warning. |
Mean this:
|
More specifically, if you just output a file (which IMO should be a flag and not the default) without emitting a stdout warning (no exit code of course, just a warning), people will usually not know this is even occurring or an issue. |
Yep very good point I like that. Regarding the generation of the report file, not sure why it wouldn't be the default and would need a flag? What's the harm in generating it in all cases? I fear that putting this being an opt-in flag would make this new feature very hard to discover, with little benefit, right? |
I'd say that at least an opt-out flag is a must. I'm personally not a fan of a tool generating files for me unless I asked for it explicitly but I can understand the discoverability angle. I don't feel strongly about it :) |
Wouldn't it be easily discoverable given that you're generating a new file — similar to a lock file? App owners would immediately see it and have to commit it and have to their repo... |
It's a developer tool but it doesn't mean it shouldn't have nice UI (even if that isn't a GUI). Generating a file and expecting the end-user to understand they need to do something about this is the wrong way to go IMHO. If it's auto opt-in I would expect a "Generated privacy details into Pods/Podfile.privacy.json" message along with "Some of your dependencies (X, Y, Z) did not specify privacy details". These things need to be laid out to the consumer. Two more things about the output file:
|
@freak4pc Very good note that this a developer tool and right from the command line things should be apparent. Is the following something we can agree on:
|
@freak4pc @orta @AliSoftware I also made a medium size edit onto the issue about how we intend to merge the privacy_details between root specs and sub specs. |
This recent article by @k0nserv |
Hey 👋🏼 I've attached an example API response(it's for Instagram). This example contains privacy types with the identifiers This jq query extracts all data types use to track: jq '.privacy_details.attributes.privacyDetails.privacyTypes[0].dataCategories[].dataTypes[]' 389801252.json This one extracts all data types from jq '.privacy_details.attributes.privacyDetails.privacyTypes[1].purposes[].dataCategories[].dataTypes[]' 389801252.json In total there are 32 data types in 14 data categories JSON Categories and Data Types{
"IDENTIFIERS": [
"Device ID",
"User ID"
],
"USAGE_DATA": [
"Advertising Data",
"Product Interaction",
"Other Usage Data"
],
"DIAGNOSTICS": [
"Other Diagnostic Data",
"Performance Data",
"Crash Data"
],
"CONTACT_INFO": [
"Name",
"Physical Address",
"Email Address",
"Phone Number",
"Other User Contact Info"
],
"PURCHASES": [
"Purchase History"
],
"LOCATION": [
"Coarse Location",
"Precise Location"
],
"USER_CONTENT": [
"Customer Support",
"Gameplay Content",
"Photos or Videos",
"Emails or Text Messages",
"Audio Data",
"Other User Content"
],
"CONTACTS": [
"Contacts"
],
"OTHER": [
"Other Data Types"
],
"BROWSING_HISTORY": [
"Browsing History"
],
"SEARCH_HISTORY": [
"Search History"
],
"HEALTH_AND_FITNESS": [
"Fitness",
"Health"
],
"FINANCIAL_INFO": [
"Payment Info",
"Other Financial Info",
"Credit Info"
],
"SENSITIVE_INFO": [
"Sensitive Info"
]
} There are 4 privacy types(no data collected, data linked to the user, data not linked to the user, and data used to track the user) and 6 purposes(app functionatlity, analytics, developers advertising, other purposes, product personalization, and third party advertising). The exact identifiers used by Apple's API is in the blog post. If you have specific questions I can try to help answer them. EDIT: You can also see examples of the API request and response by opening e.g. Facebook's app store listing on the web and looking at the XHR traffic in the browser developer tools when clicking "See Details" in the "App Privacy" section EDIT2: Has Apple added support for app privacy details to the App Store Connect API? If so that seems like the best thing to align to |
@joshdholtz hey man! any ideas if Apple added ASC APIs for the new App Privacy stuff? Is Fastlane already doing some work in that direction? Thanks <3 |
@freak4pc note that there's a link in the footnote of this PR description to fastlane's own PR adding the feature which already uses the ASC API 😉 This is where we borrowed the inspiration for the podspec attribute actually, borrowing it from the format fastlane uses, which no doubt borrowed it from the ASC API I'm guessing (given that's what they then interact with to automate the submission)? 😛 (Just to reiterate in case this was not clear though: this CocoaPods feature we're proposing here is completely independent of Fastlane and is useful in its own right whatever format we end up using for the attribute and the report file. But since we need to settle on a given format for those anyway, our reasoning was: "why not use the one used by ASC API and by fastlane rather than reinventing a separate format on our own"; that's where the link with fastlane's PR came in the picture) |
@AliSoftware @freak4pc The format is something I put together The privacy endpoints most likely won't ever hit official ASC API |
By 'privacy endpoints' you mean the And what do you mean it won't ever hit official ASC API? You mean even in future if the official ASC API accepts a json then still the privacy endpoints won't be used? |
@prohoney The API endpoint that action uses require the Apple ID auth that fastlane has been using for a while. It's not the official App Store Connect API. The official App Store Connect API is the one that uses the JWT auth. This is the one that Apple has doc for 🙂 Here - https://developer.apple.com/documentation/appstoreconnectapi The upload privacy details most likely won't get official API support with the JWT auth and will require the Apple ID auth. I'm not sure if this matters to this PR or not. I've had a newborn in my arms all morning so I haven't been able to look to deeply at this 🤷♂️ |
@joshdholtz I see. That's very good to know. I actually wasn't aware that there was either an (official or unofficial) ASC API but yeah I don't think it would matter much for this issue. As to your last paragraph, that's wonderful news. Yet I don't get it, that implies you have 2 extra hands to type with... |
Adds privacy manifests to all iOS plugins. While we only *need* to do the plugins listed [here](https://developer.apple.com/support/third-party-SDK-requirements/) for now, the wording of the page: > The following are commonly used SDKs in apps on the App Store suggests that the list of things for which this is required is just an arbitrary cutoff rather than a conceptual distinction, so it seems safest to just assume the list will grow over time and do all of them. To ensure that, this includes new repo tooling to check that a manifest is specified in the podspec. The large caveat is that we do not currently know if this actually works. This is the method of inclusion that seems to be [the consensus among people using Cocoapods](CocoaPods/CocoaPods#10325), as bundling it directly as a `resource` causes problems for clients who do not use `use_frameworks`. (In theory it seems like a manifest would not actually be *required* in that case since there is no framework, but it has the potential to actually stomp top-level resources.) Hopefully the automated analysis that Apple will eventually roll out will tolerate the file being bundled in a resource bundle in the framework rather than a top-level manifest file. If not, however, it's not clear how Cocoapods can be supported, so we can adopt this common approach for now under the assumption that eventually tooling will adapt to the reality of the ecosystem, and revisit the exact bundling later if necessary. Only `shared_preferences` has a non-empty manifest, as it is our only plugin that uses a required reason API, and none of our plugins themselves collect private data. Ideally for that plugin we would instead use `C56D.1`, which is for wrappers, but as currently written we can't use it since it's exclusively a wrapper. If that changes in the future based on our pending request, we can revisit. For now, however, this reason should suffice since we don't currently allow reading from other app groups. Fixes flutter/flutter#131495 Fixes flutter/flutter#139756 Fixes flutter/flutter#139757 Fixes flutter/flutter#139758 Fixes flutter/flutter#139759 Fixes flutter/flutter#139760 See also flutter/flutter#139761
Added `resource_bundles` in Cocoapods to include the PrivacyInfo file to the bundle to support static linking. Can refer to the related discussion from the below links. SnapKit/SnapKit#798 CocoaPods/CocoaPods#10325 (comment) Co-authored-by: Hyun Joon Park <hystericcore@icloud.com>
### Motivation The library already includes Privacy.xcprivacy in SPM, but when used with CocoaPods (mandatory in Flutter), these files are not exported as the podspec does not include that file as a resource bundle. ### Description Listing the PrivacyInfo.xcprivacy file inside the resource_bundles specification in the podspec allows to distribute the file correctly. Ref. CocoaPods/CocoaPods#10325 (comment) This GitHub issue contains the entire discussion on how to add these xcprivacy files and is referenced in multiple places; many libraries already follow this approach: https://github.com/firebase/firebase-ios-sdk/blob/main/FirebaseCrashlytics.podspec SDWebImage/SDWebImage#3649 flutter/packages#5846 Baseflow/flutter-permission-handler#1291 Baseflow/flutter-geolocator#1462
#3775) ### Motivation The library already includes Privacy.xcprivacy in SPM, but when used with CocoaPods (mandatory in Flutter), these files are not exported as the podspec does not include that file as a resource bundle. ### Description Listing the PrivacyInfo.xcprivacy file inside the resource_bundles specification in the podspec allows to distribute the file correctly. Ref. CocoaPods/CocoaPods#10325 (comment) This GitHub issue contains the entire discussion on how to add these xcprivacy files and is referenced in multiple places; many libraries already follow this approach: https://github.com/firebase/firebase-ios-sdk/blob/main/FirebaseCrashlytics.podspec SDWebImage/SDWebImage#3649 flutter/packages#5846 Baseflow/flutter-permission-handler#1291 Baseflow/flutter-geolocator#1462 Co-authored-by: Sergio Durban Belmonte <sergio@durban.cat>
Adds privacy manifests to all iOS plugins. While we only *need* to do the plugins listed [here](https://developer.apple.com/support/third-party-SDK-requirements/) for now, the wording of the page: > The following are commonly used SDKs in apps on the App Store suggests that the list of things for which this is required is just an arbitrary cutoff rather than a conceptual distinction, so it seems safest to just assume the list will grow over time and do all of them. To ensure that, this includes new repo tooling to check that a manifest is specified in the podspec. The large caveat is that we do not currently know if this actually works. This is the method of inclusion that seems to be [the consensus among people using Cocoapods](CocoaPods/CocoaPods#10325), as bundling it directly as a `resource` causes problems for clients who do not use `use_frameworks`. (In theory it seems like a manifest would not actually be *required* in that case since there is no framework, but it has the potential to actually stomp top-level resources.) Hopefully the automated analysis that Apple will eventually roll out will tolerate the file being bundled in a resource bundle in the framework rather than a top-level manifest file. If not, however, it's not clear how Cocoapods can be supported, so we can adopt this common approach for now under the assumption that eventually tooling will adapt to the reality of the ecosystem, and revisit the exact bundling later if necessary. Only `shared_preferences` has a non-empty manifest, as it is our only plugin that uses a required reason API, and none of our plugins themselves collect private data. Ideally for that plugin we would instead use `C56D.1`, which is for wrappers, but as currently written we can't use it since it's exclusively a wrapper. If that changes in the future based on our pending request, we can revisit. For now, however, this reason should suffice since we don't currently allow reading from other app groups. Fixes flutter/flutter#131495 Fixes flutter/flutter#139756 Fixes flutter/flutter#139757 Fixes flutter/flutter#139758 Fixes flutter/flutter#139759 Fixes flutter/flutter#139760 See also flutter/flutter#139761
Adds privacy manifests to all iOS plugins. While we only *need* to do the plugins listed [here](https://developer.apple.com/support/third-party-SDK-requirements/) for now, the wording of the page: > The following are commonly used SDKs in apps on the App Store suggests that the list of things for which this is required is just an arbitrary cutoff rather than a conceptual distinction, so it seems safest to just assume the list will grow over time and do all of them. To ensure that, this includes new repo tooling to check that a manifest is specified in the podspec. The large caveat is that we do not currently know if this actually works. This is the method of inclusion that seems to be [the consensus among people using Cocoapods](CocoaPods/CocoaPods#10325), as bundling it directly as a `resource` causes problems for clients who do not use `use_frameworks`. (In theory it seems like a manifest would not actually be *required* in that case since there is no framework, but it has the potential to actually stomp top-level resources.) Hopefully the automated analysis that Apple will eventually roll out will tolerate the file being bundled in a resource bundle in the framework rather than a top-level manifest file. If not, however, it's not clear how Cocoapods can be supported, so we can adopt this common approach for now under the assumption that eventually tooling will adapt to the reality of the ecosystem, and revisit the exact bundling later if necessary. Only `shared_preferences` has a non-empty manifest, as it is our only plugin that uses a required reason API, and none of our plugins themselves collect private data. Ideally for that plugin we would instead use `C56D.1`, which is for wrappers, but as currently written we can't use it since it's exclusively a wrapper. If that changes in the future based on our pending request, we can revisit. For now, however, this reason should suffice since we don't currently allow reading from other app groups. Fixes flutter/flutter#131495 Fixes flutter/flutter#139756 Fixes flutter/flutter#139757 Fixes flutter/flutter#139758 Fixes flutter/flutter#139759 Fixes flutter/flutter#139760 See also flutter/flutter#139761
This PR description has been edited to take into account the feedback that was later given by comments below. You can find the original posting here
Motivation
Starting from December 8, 2020, Apple has required new apps and app updates to include App privacy details on the App Store. App owners have to go through every pod and all its dependency's readmes or if nothing is revealed then reach out to pod creators to just figure out what information the pod collects. The current process is not transparent nor easy.
Proposal
Each Pod should mention their privacy details, so upon
pod install
/pod update
a report file is generated where the different categories along with the purposes of every pod used are mentioned for each target. To acheive this the following changes need to be made:PodSpec changes
Add a new array attribute to the the podspec named
privacy_details
Expected structure for this attribute (Inspiration: [1])
Handling Subspecs
Note that the new
privacy_details
attribute will be allowed both at the root level of the podspec as well as for the definition of each subspec, if any. In such cases, the resolved privacy details for each subspec will be the result of merging the value of attribute defined at the root level (if one is defined there) with the value defined at the subspecies level.Then the privacy detail you get upon installation of a pod depends on which subspecies gets included:
pod 'CoolKit'
(by default it would install all pods):NAME
,EMAIL
,AUDIO
,SENSITIVE_INFO
.pod 'CoolKit/SoundKit'
:NAME
,EMAIL
,AUDIO
.pod 'CoolKit/Model'
:NAME
,EMAIL
,SENSITIVE_INFO
.If your intention is that if only
SoundKit
is installed then onlyAUDIO
to be reported as your privacy detail, then you have to restructure yourPodSpec
accordingly, and removes.privacy_details
from the spec's root and instead only addNAME
andEMAIL
onto the Model's sub specs.Example of a Podspec when not all specs share common privacy details
Gradual rollout for requiring the attribute
privacy_details
attribute in each of their subspecs. Mention which of the 32 data types (along with its purpose and data protection) they are collecting. Ifprivacy_details
isn't stated, then a message will be written tostdout
.Versioning Pods
privacy_details
then patches are not welcomed. At least a minor version update should happen.Generated Report file
pod install
orpod update
, a json is generated for each target of thePodfile
.$PROJECT_DIRECTORY/Pods/Target Support Files/Pods-$target-name/privacy_details.json
stdout
uponpod install
pod install --no-privacy-details
.Example of a multi-target report file
/// $PROJECT_DIRECTORY/Pods/Target Support Files/Pods-targetFoo/privacy_details.json
/// $PROJECT_DIRECTORY/Pods/Target Support Files/Pods-targetBar/privacy_details.json
Note: Every included permutation (of data types, purpose and data protection) should contain a key named "collectors". This provides app owners granularity to see what data each pod is collecting.
Podfile changes
Podfile
. Name ittarget_privacy_details
. App owners can then add their privacy details. Then uponpod install/update
do a union with what’s generated from the pods.target_privacy_details
can be set either a root option or a target configuration. The value provided for the target configuration will merge with the root option value if set.privacy_details
then at least a minor version update should happen (not just a patch bump).Backwards Compatibility
PrivacyDetails.json
would mention all the values for updated pods and include a key namedunknown_privacy_details
(included in the sample report file) for the (old) pods that don't have it set.Ways to bypass this
pod trunk push
performsprivacyDetails
label on repos. It will take some time from the community to get use to this process.Other notes
We're looking for feedbacks on this and see if maybe the CocoaPods team have been working on this. If not we're keen to implement the PR for this feature and would like to know what files to look into to start development on this
Based on my mediocre Ruby knowledge, is the following a good starting point:
add a new
attribute
to Pod::Specification::DSL like this:and then fix any error that I get through
pod ipc spec <podspec>
[1]: On Dec 3rd, 2020, fastlane added a new action
upload_app_data_usage_to_app_store
(PR link). It requires a json with a similar shape, which can include a single category or multiple or none. The format/structure of the JSON we're using in this issue/proposal is directly inspired by the one expected by fastlane, both for consistency and so that it provides us the additional benefit of interoperability, as users could then use the JSON generated by CocoaPods via this new feature to feed it as an input for their fastlane actions directly 👌The text was updated successfully, but these errors were encountered: