Add Privacy Manifests and code sign Frameworks for Apple

[ChristianEdwardPadilla]

Apple will be requiring apps to include more privacy-related reasoning for "third-party SDKs" in "Spring 2024": https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_data_use_in_privacy_manifests?language=objc

You can see these FlutterFire plugins included on the list of commonly used third-party SDKs here: https://developer.apple.com/support/third-party-SDK-requirements/

It's not clear if this will affect both iOS and macOS, or just iOS.

You can see examples of these manifests included in other popular Flutter plugins, for example shared_preferences: https://github.com/flutter/packages/blob/main/packages/shared_preferences/shared_preferences_foundation/darwin/Resources/PrivacyInfo.xcprivacy

[danagbemava-nc]

I'm not sure if it will fine if this is done for just the iOS sdk or if this will have to be done in this sdk as well.

This would apply to all the plugins in this repo. There is an issue tracking implementing this in the iOS sdk. See
firebase/firebase-ios-sdk#11490

cc @russellwheatley for further insight

[GJDK]

Hi Team,

Any update on this?

[Lyokone]

Hello, the underlying native ios SDK is planning to add privacy manifests before the mandatory date. To my understanding, you will just need to update the FlutterFire version once available to get privacy manifests added automatically.

[jamieastley]

looks like this should be unblocked now as firebase/firebase-ios-sdk#11490 was closed earlier, and privacy manifests are included as of the 10.22.0 release.

[Lyokone]

Closing this issue since the latest firebase_core includes 10.22.0 release

[sbt-peds]

@jamieastley @Lyokone Hello. Based on firebase/firebase-ios-sdk#12238, it looks like both privacy manifest and code signing are required to fully comply with ios privacy policy, and the new firebase_core must be released for code singning, right?

[russellwheatley]

@sbt-peds - thanks for sharing the link. I'll keep this open until code signing has also been completed upstream on the firebase-ios-sdk.

Please follow this link for further details: firebase/firebase-ios-sdk#12238

[jamieastley]

@russellwheatley codesigning should be available now in 10.24.0

firebase/firebase-ios-sdk#12238 (comment)

[russellwheatley]

@jamieastley - We are working on getting this updated. It isn't quite as straight forward as changing the SDK version. Hopefully, next week's release will have the update 🙏

[ChristianEdwardPadilla]

Just want to flag a potential issue: while the underlying Firebase SDK includes a manifest firebase_messaging itself uses a Required Reason API, NSUserDefaults (here). I think, to be safe, that firebase_messaging should add its own privacy manifest.

[paul678]

I can confirm the above. The firebase_messaging plugin contains R.R API and it has no privacy manifest. It's also statically linked so it means it will show up as Runner when ITMS-91053 is returned.
Checking the symbols table to the runner using the plugin will show NSUserDefaults used, as soon as I remove it this will go away as expected.

Any plans to fix this issue as it's currently forcing all plugin users to create their own privacy manifest just to account for this 😢

[russellwheatley]

@paul678 - thanks for the report, I'll get this updated 🙏

[russellwheatley]

@paul678 - Could you explain how you were able to validate the privacy manifest appropriately? It seems to me that I need to go through app distribution process to find out if there are any issues which seems overkill 🤔

Here is the PR as it stands: #12665

[jamieastley]

@russellwheatley there's a forever-evolving comment from the Flutter team here that has some ongoing updates around this that may help (point 2 iv.).

AFAIK there's no other easy ways to validate compliance without submitting a build, it's insane to me that this wasn't shipped in XCode prior to these requirements being enforced..