Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Mobile] [iOS] Declare NSPrivacyAccessedAPICategorySystemBootTime API Usage in onnxruntime-objc #20519

Open
dthaibao opened this issue Apr 30, 2024 · 4 comments
Open

[Mobile] [iOS] Declare NSPrivacyAccessedAPICategorySystemBootTime API Usage in onnxruntime-objc #20519

dthaibao opened this issue Apr 30, 2024 · 4 comments
Labels
platform:mobile issues related to ONNX Runtime mobile; typically submitted using template stale issues that have not been addressed in a while; categorized by a bot

Comments

@dthaibao
Copy link

Describe the issue

When adding onnxruntime-objc to an iOS app and submitting to the Apple App Store, Apple has flagged the usage of the NSPrivacyAccessedAPICategorySystemBootTime API. According to App Store review guidelines, any usage of sensitive APIs requires a declaration of the reason for the API's usage.

One way of deal with this issue is declare onnxruntime-objc at the dynamic library. However, I cannot do that because onnxruntime-objc depends on static libraries.

To reproduce

  1. Declare the library onnxruntime-objc in Podfile
    pod 'onnxruntime-objc', '1.17.3'
  2. Run pod install
  3. Submit your app to TestFlight in AppleStoreConnect for beta review
  4. Apple send an email warning that the usage of NSPrivacyAccessedAPICategorySystemBootTime is not declared in privacy app manifest with the message:
ITMS-91053: Missing API declaration - Your app's code in the
XXX file references one or more APIs that require reasons, including the following API categories:
NSPrivacyAccessedAPICategorySystemBootTime. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app's privacy manifest to provide approved reasons for these APls used by your app's code. For more details about this policy, including a list of required reason APIs and approved reasons for
usage, visit:
https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api

Urgency

This is urgent, since the library must include the reason before May 1, 2024.

Platform

iOS

OS Version

any iOS version

ONNX Runtime Installation

Released Package

Compiler Version (if 'Built from Source')

No response

Package Name (if 'Released Package')

onnxruntime-objc/onnxruntime-c

ONNX Runtime Version or Commit ID

1.17.3

ONNX Runtime API

Objective-C/Swift

Architecture

ARM64

Execution Provider

Default CPU

Execution Provider Library Version

No response
@dthaibao dthaibao added the platform:mobile issues related to ONNX Runtime mobile; typically submitted using template label Apr 30, 2024
@skottmckay skottmckay mentioned this issue May 1, 2024
Merged
skottmckay added a commit that referenced this issue May 1, 2024
@skottmckay
Remove usage of 'required reason' iOS API from protobuf (#20529)
f9febc4 
### Description
<!-- Describe your changes. -->

Using certain APIs is about to require a [privacy
manifest](https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api)
to be added to a package.

Our version of protobuf uses `mach_absolute_time`. Patch as per
protocolbuffers/protobuf#15662 to remove usage.

### Motivation and Context
<!-- - Why is this change required? What problem does it solve?
- If it fixes an open issue, please link to the issue here. -->
Usage of API will require a privacy manifest for an iOS app to be
accepted as of 5/1/2024
#20519
@skottmckay
Copy link
Contributor

skottmckay commented May 1, 2024
edited
Loading

This is coming indirectly from the protobuf library that CoreML uses to define the model format.

Have added changes to patch the protobuf headers in the version of protobuf we're using to avoid the issue. More details in the PR.

Will be in the next release in a few weeks. Unfortunately that's the soonest we can fix it.

Short-term alternative would be to build the onnxruntime-c pod locally with those changes. On a mac, if you checkout the onnxruntime repo you can run this script to do that

python3 tools/ci_build/github/apple/build_apple_framework.py --build_dir build/iOS_framework_full tools/ci_build/github/apple/default_full_ios_framework_build_settings.json

@skottmckay
Copy link
Contributor

Sorry - one correction. That script will build an xcframework. To build the cocoapods locally you'd need to run
python3 tools/ci_build/github/apple/build_and_assemble_apple_pods.py --variant Full --build-settings-file tools/ci_build/github/apple/default_full_apple_framework_build_settings.json

usage: build_and_assemble_apple_pods.py [-h] [--build-dir BUILD_DIR] [--staging-dir STAGING_DIR] [--pod-version POD_VERSION] [--variant {Full,Mobile,Training}] [--test]
                                        [--include-ops-by-config INCLUDE_OPS_BY_CONFIG] --build-settings-file BUILD_SETTINGS_FILE [-b BUILD_APPLE_FRAMEWORK_EXTRA_ARGS]

Builds an iOS framework and uses it to assemble iOS pod package files.

optional arguments:
  -h, --help            show this help message and exit
  --build-dir BUILD_DIR
                        The build directory. This will contain the iOS framework build output. (default: /Users/me/src/github/ort/build/apple_framework)
  --staging-dir STAGING_DIR
                        The staging directory. This will contain the iOS pod package files. The pod package files do not have dependencies on files in the build directory. (default:
                        /Users/me/src/github/ort/build/apple_pod_staging)
  --pod-version POD_VERSION
                        The version string of the pod. The same version is used for all pods. (default: 1.19.0-local)
  --variant {Full,Mobile,Training}
                        Pod package variant. (default: Mobile)
  --test                Run tests on the framework and pod package files. (default: False)

iOS framework build arguments:
  See the corresponding arguments in build_apple_framework.py for details.

  --include-ops-by-config INCLUDE_OPS_BY_CONFIG
  --build-settings-file BUILD_SETTINGS_FILE
                        The positional argument of build_apple_framework.py. (default: None)
  -b BUILD_APPLE_FRAMEWORK_EXTRA_ARGS, --build-apple-framework-arg BUILD_APPLE_FRAMEWORK_EXTRA_ARGS
                        Pass an argument through to build_apple_framework.py. This may be specified multiple times. (default: [])

@dthaibao
Copy link
Author

dthaibao commented May 2, 2024

thanks @skottmckay for a quick response

yihonglyu pushed a commit that referenced this issue May 4, 2024
@skottmckay @yihonglyu
Remove usage of 'required reason' iOS API from protobuf (#20529)
90a2c26 
### Description
<!-- Describe your changes. -->

Using certain APIs is about to require a [privacy
manifest](https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api)
to be added to a package.

Our version of protobuf uses `mach_absolute_time`. Patch as per
protocolbuffers/protobuf#15662 to remove usage.

### Motivation and Context
<!-- - Why is this change required? What problem does it solve?
- If it fixes an open issue, please link to the issue here. -->
Usage of API will require a privacy manifest for an iOS app to be
accepted as of 5/1/2024
#20519
TedThemistokleous pushed a commit to TedThemistokleous/onnxruntime that referenced this issue May 7, 2024
@skottmckay
Remove usage of 'required reason' iOS API from protobuf (microsoft#20529
ab0dc35 
)

### Description
<!-- Describe your changes. -->

Using certain APIs is about to require a [privacy
manifest](https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api)
to be added to a package.

Our version of protobuf uses `mach_absolute_time`. Patch as per
protocolbuffers/protobuf#15662 to remove usage.

### Motivation and Context
<!-- - Why is this change required? What problem does it solve?
- If it fixes an open issue, please link to the issue here. -->
Usage of API will require a privacy manifest for an iOS app to be
accepted as of 5/1/2024
microsoft#20519
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jun 1, 2024

This issue has been automatically marked as stale due to inactivity and will be closed in 30 days if no further activity occurs. If further support is needed, please provide an update and/or more details.

@github-actions github-actions bot added the stale issues that have not been addressed in a while; categorized by a bot label Jun 1, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
platform:mobile issues related to ONNX Runtime mobile; typically submitted using template stale issues that have not been addressed in a while; categorized by a bot
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@skottmckay @dthaibao