Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

"Missing API declaration" warning from Apple #612

Closed
gnprice opened this issue Apr 3, 2024 · 5 comments · Fixed by #628
Closed

"Missing API declaration" warning from Apple #612

gnprice opened this issue Apr 3, 2024 · 5 comments · Fixed by #628
Assignees
Labels
a-iOS Issues specific to iOS, or requiring iOS-specific work

Comments

@gnprice
Copy link
Member

gnprice commented Apr 3, 2024

After I uploaded today's v0.0.13 release to TestFlight for our iOS beta users, we got an email from Apple with the following warning:

Although submission for TestFlight review was successful, you may want to correct the following issues in your next submission for TestFlight review. Once you've corrected the issues, upload a new binary to App Store Connect.

ITMS-91053: Missing API declaration - Your app’s code in the “Runner” file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryUserDefaults. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.

Apple Developer Relations

So we'll need to resolve that in the next few weeks, by 2024-05-01, in order to continue publishing betas for iOS whenever we like.

Whatever "one or more APIs" they're referring to must be something in one of our dependencies, because we have zero Swift or Objective-C code of our own so far. Following links a bit: the relevant section is here, and the only API in that category is UserDefaults. I don't know offhand which of our dependencies might use that; it might be in code we never invoke.

It seems like Apple has just recently started sending these warnings. We didn't get one for the v0.0.12 release, just three weeks ago, and we don't have any new dependencies since then. Threads like flutter/flutter#145269 also suggest that many people just started getting these circa 2024-03-16, a little over two weeks ago.

To handle this:

  • The first step is to upgrade all our dependencies. That might resolve the issue — there's a way for dependencies to provide these privacy manifests (to be aggregated into the app's manifest), and it sounds like a lot of plugins have just recently added them. Which makes sense given that these warnings just started going out to the developers using the plugins.

  • If that doesn't resolve it: the plugins may nevertheless have the privacy manifests, as they don't always get automatically aggregated. Detailed steps to take are at Determine how to handle privacy manifests in packages flutter/flutter#131940 (comment) ; see also update at Determine how to handle privacy manifests in packages flutter/flutter#131940 (comment) .

  • If that doesn't resolve it, that'll mean some plugin is missing a privacy manifest it needs. At that point it's a debugging problem. The general approach needed is described here; some examples inspecting binary dependencies with nm | grep are here and in the comments after it.

Useful threads in the Flutter tracker include:

@gnprice gnprice added the a-iOS Issues specific to iOS, or requiring iOS-specific work label Apr 3, 2024
@gnprice gnprice added this to the Beta 2 milestone Apr 3, 2024
chrisbobbe added a commit to chrisbobbe/zulip-flutter that referenced this issue Apr 5, 2024
Done because it's the first step in our plan to resolve zulip#612, the
"Missing API declaration" warning from Apple.

This is the result of `tools/upgrade pod-major`. No breaking changes
requiring synchronous code changes were found.

Changelogs:
  https://pub.dev/packages/device_info_plus/changelog
  https://pub.dev/packages/file_picker/changelog
  https://pub.dev/packages/flutter_local_notifications/changelog
  https://pub.dev/packages/package_info_plus/changelog
  https://pub.dev/packages/share_plus/changelog
  https://pub.dev/packages/pigeon/changelog

All of these changelogs except `pigeon` mention adding "privacy
info" or "privacy manifest" in the version we're taking here --
exactly the kind of thing we want to see, with zulip#612 in mind. I would
guess that `pigeon` doesn't need one, as it's mainly just a code
generator tool.

Related: zulip#612
chrisbobbe added a commit to chrisbobbe/zulip-flutter that referenced this issue Apr 5, 2024
Done because it's the first step in our plan to resolve zulip#612, the
"Missing API declaration" warning from Apple.

This is the result of `tools/upgrade pod-major`. No breaking changes
requiring synchronous code changes were found.

Changelogs:
  https://pub.dev/packages/device_info_plus/changelog
  https://pub.dev/packages/file_picker/changelog
  https://pub.dev/packages/flutter_local_notifications/changelog
  https://pub.dev/packages/package_info_plus/changelog
  https://pub.dev/packages/share_plus/changelog
  https://pub.dev/packages/pigeon/changelog

All of these changelogs except `pigeon` mention adding "privacy
info" or "privacy manifest" in the version we're taking here --
exactly the kind of thing we want to see, with zulip#612 in mind. I would
guess that `pigeon` doesn't need one, as it's mainly just a code
generator tool.

Related: zulip#612
chrisbobbe added a commit to chrisbobbe/zulip-flutter that referenced this issue Apr 5, 2024
Done because it's the first step in our plan for zulip#612, the "Missing
API declaration" warning from Apple.

This is the result of `tools/upgrade pod-major`. No breaking changes
requiring synchronous code changes were found.

Changelogs:
  https://pub.dev/packages/device_info_plus/changelog
  https://pub.dev/packages/file_picker/changelog
  https://pub.dev/packages/flutter_local_notifications/changelog
  https://pub.dev/packages/package_info_plus/changelog
  https://pub.dev/packages/share_plus/changelog
  https://pub.dev/packages/pigeon/changelog

All of these changelogs except `pigeon` mention adding "privacy
info" or "privacy manifest" in the version we're taking here --
exactly the kind of thing we want to see, with zulip#612 in mind. And
`pigeon` shouldn't need one, as it's a dev dependency only, not part
of the actual build.

Related: zulip#612
chrisbobbe added a commit to chrisbobbe/zulip-flutter that referenced this issue Apr 6, 2024
Done because it's the first step in our plan for zulip#612, the "Missing
API declaration" warning from Apple.

This is the result of `tools/upgrade pod-major`. No breaking changes
requiring synchronous code changes were found.

Changelogs:
  https://pub.dev/packages/device_info_plus/changelog
  https://pub.dev/packages/file_picker/changelog
  https://pub.dev/packages/flutter_local_notifications/changelog
  https://pub.dev/packages/package_info_plus/changelog
  https://pub.dev/packages/share_plus/changelog
  https://pub.dev/packages/pigeon/changelog

All of these changelogs except `pigeon` mention adding "privacy
info" or "privacy manifest" in the version we're taking here --
exactly the kind of thing we want to see, with zulip#612 in mind. And
`pigeon` shouldn't need one, as it's a dev dependency only, not part
of the actual build.

Related: zulip#612
chrisbobbe added a commit to chrisbobbe/zulip-flutter that referenced this issue Apr 23, 2024
Actually, I have a hunch that this will be enough for zulip#612,
'"Missing API declaration" warning from Apple'. As that issue says,
the only category of "required reason APIs" that Apple is alerting
about is "user defaults APIs". There's just one API in this
category: `NSUserDefaults`. Using Step 4 in these instructions from
a Flutter maintainer --
  flutter/flutter#145269 (comment)
-- I found that firebase_messaging and flutter_local_notifications,
but no other dependencies, have calls to NSUserDefaults without
declaring reasons in this category in a "privacy manifest" file.

Moreover, unlike in zulip-mobile, our Podfile calls
`use_frameworks!`, which should mean we don't have to manually copy
anything from our dependencies into a privacy manifest file of our
own. See zulip/zulip-mobile#5859 for a link to a mention in the
Flutter project about `use_frameworks!`.

So I'm hoping that the following upgrades, made here, will address
Apple's alerts:

- firebase_messaging to v14.9.0, in which that dependency gets a
  privacy manifest that declares a reason for using "user defaults
  APIs":
    https://github.com/firebase/flutterfire/releases/tag/firebase_messaging-v14.9.0

- flutter_local_notifications to v17.1.0. In v17.0.1, a "user
  defaults APIs" reason declaration was added to this dependency's
  privacy manifest:
    https://github.com/MaikuB/flutter_local_notifications/releases

Fixes: zulip#612
@gnprice
Copy link
Member Author

gnprice commented Apr 25, 2024

We just got the same email from Apple today, after I sent v0.0.14 to TestFlight. So this issue is still present after #628.

It's likely that we're affected here by the same App Store Connect bug discussed at zulip/zulip-mobile#5859 . In that case, the workaround for now is to include our own privacy manifest compiled manually.

@chrisbobbe
Copy link
Collaborator

chrisbobbe commented Apr 26, 2024

It's likely that we're affected here by the same App Store Connect bug discussed at zulip/zulip-mobile#5859 . In that case, the workaround for now is to include our own privacy manifest compiled manually.

Yes, that seems right. From the description quoted there, the bug:

is mainly impacting SDKs distributed as static frameworks (which includes some Flutter plugins, or in the case of Flutter apps that do not use `use_frameworks!' almost all plugins)

Our Flutter app does call use_frameworks! in its Podfile. But by searching ~/.pub-cache/hosted/pub.dev, I do find two items that have s.static_framework = true in their Podspecs: firebase_core and firebase_messaging. Only the latter uses NSUserDefaults, which is the only "required reason API" that Apple's email was alerting us about. And, as we found in 92f5dd5, firebase_messaging does have a "privacy manifest" file.

So if the Apple bug is the issue, then we should try copying the reasons from firebase_messaging's privacy manifest into our own privacy manifest. It declares one reason, CA92.1.

@chrisbobbe
Copy link
Collaborator

(Oh, and: firebase_messaging in its repo's master branch still has s.static_framework = true in its podspec.)

satyam372 pushed a commit to satyam372/zulip-flutter that referenced this issue May 1, 2024
Actually, I have a hunch that this will be enough for zulip#612,
'"Missing API declaration" warning from Apple'. As that issue says,
the only category of "required reason APIs" that Apple is alerting
about is "user defaults APIs". There's just one API in this
category: `NSUserDefaults`. Using Step 4 in these instructions from
a Flutter maintainer --
  flutter/flutter#145269 (comment)
-- I found that firebase_messaging and flutter_local_notifications,
but no other dependencies, have calls to NSUserDefaults without
declaring reasons in this category in a "privacy manifest" file.

Moreover, unlike in zulip-mobile, our Podfile calls
`use_frameworks!`, which should mean we don't have to manually copy
anything from our dependencies into a privacy manifest file of our
own. See zulip/zulip-mobile#5859 for a link to a mention in the
Flutter project about `use_frameworks!`.

So I'm hoping that the following upgrades, made here, will address
Apple's alerts:

- firebase_messaging to v14.9.0, in which that dependency gets a
  privacy manifest that declares a reason for using "user defaults
  APIs":
    https://github.com/firebase/flutterfire/releases/tag/firebase_messaging-v14.9.0

- flutter_local_notifications to v17.1.0. In v17.0.1, a "user
  defaults APIs" reason declaration was added to this dependency's
  privacy manifest:
    https://github.com/MaikuB/flutter_local_notifications/releases

Fixes: zulip#612
@gnprice
Copy link
Member Author

gnprice commented May 8, 2024

It's likely that we're affected here by the same App Store Connect bug discussed at zulip/zulip-mobile#5859 . In that case, the workaround for now is to include our own privacy manifest compiled manually.

It looks like Apple has backed down on this. With a week to go, and as part of a "reminder" with no mention that it's a change of plan — classic Apple on both counts.

Here's the announcement, which I found via that Flutter issue 145269 linked from zulip/zulip-mobile#5859.

The upshot is that for now this only affects dynamic frameworks (not static frameworks, which were affected by that App Store Connect bug), moreover only newly added such frameworks, and moreover only those that are on their list of popular third-party SDKs. So the warning quoted above, for "Runner" which is our app's own main framework, shouldn't appear.

Presumably Apple will later come back and expand the scope. Hopefully by then they fix that bug, so that things go smoothly. In any event, for now things should just work, and we shouldn't need the workaround described above.

Leaving this issue open until we next attempt a release and confirm that it's resolved.

@gnprice gnprice modified the milestones: Beta 2, B2: Summer 2024 May 9, 2024
@gnprice gnprice removed the status in Flutter app May 9, 2024
@gnprice
Copy link
Member Author

gnprice commented May 16, 2024

I've sent v0.0.15 for TestFlight review, and we don't seem to have one of these warning emails. So this indeed seems fixed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
a-iOS Issues specific to iOS, or requiring iOS-specific work
Projects
Status: Done
Development

Successfully merging a pull request may close this issue.

2 participants