App rejected for referencing (while not using) APIs that access sensitive user data #1942
Description
Description of the problem:
It seems that @capacitor/core code references APIs that access sensitive user data. In this case it's the photo library.
I'm not calling any of the functions that request authorisation to use the API, but it seems that apple will now check the code up front and if you reference any of these sensitive API's which capacitor does with its native plugin core the will reject it with a warning.
ITMS-90683: Missing Purpose String in Info.plist - Your app's code references one or more APIs that access sensitive user data. The app's Info.plist file should contain a NSPhotoLibraryUsageDescription key with a user-facing purpose string explaining clearly and completely why your app needs the data. Starting Spring 2019, all apps submitted to the App Store that access user data are required to include a purpose string. If you're using external libraries or SDKs, they may reference APIs that require a purpose string. While your app might not use these APIs, a purpose string is still required. You can contact the developer of the library or SDK and request they release a version of their code that doesn't contain the APIs. Learn more (https://developer.apple.com/documentation/uikit/core_app/protecting_the_user_s_privacy).
example in Camera.swift
func showCamera(_ call: CAPPluginCall) {
...
AVCaptureDevice.requestAccess(for: .video) { granted in
Affected platform
- Android
- [ x] iOS
- electron
- web
OS of the development machine
- Windows
- [x ] macOS
- linux
Other information:
Capacitor version:
1.2.0
node version:
v10.16.1
npm version:
6.9.0
CocoaPods version:
1.7.5
Steps to reproduce:
Remove unused privacy explanation keys in Info.plist for those API's you never call and upload to app store for a testflight.
For now I will place dummys as a workaround, but I think the core could potentially be split into modules that we can install when needed instead of having all the privacy API's up front.