Add privacy manifest

[calda]

This PR adds a privacy manfiest (PrivacyInfo.xcprivacy), which will be required for privacy-impacting SDKs (including Lottie) starting in spring 2024. Fixes #2213.

We can include the manifest as a resource in our dependency definitions and Xcode project schemes. I verified that Lottie.framework and Lottie.xcframework build products now include the privacy manifest file.

We will additionally need to code sign Lottie.xcframework, but that will come later in a follow-up.

[calda]

This comes from ZIPFoundation, which we embed: https://github.com/weichsel/ZIPFoundation/blob/development/Sources/ZIPFoundation/Resources/PrivacyInfo.xcprivacy#L24

[calda]

For now I think we can just manually incorporate this into our manifest

[thedrick]

LGTM @calda

[TheRogue76]

Heya! Lottie React Native maintainer here.

Had a couple of questions regarding this and i figured this might be the best place to ask:

• Do you know when you might release a new version with this change included so i can bump the dependency back in LRN's repo? Is there anything blocking that i can help with?
• Was there any sort of gotcha that you guys ran into while implementing this that i can benefit from knowing? LRN is more or less a separate SDK, so i figure i would need to do the same back there as well and i would really appreciate knowing if there is any specific thing that might become a headache.

Cheers and thanks for the response in advance

[calda]

I currently plan on releasing 4.4.0 once a production Xcode version that includes the Apple Vision Pro SDK is released, since that will let us add support for Apple Vision Pro to lottie-spm. I imagine this will be within the next month.

No gotchas so far, although the implementation in this PR wasn't quite correct according to #2268.

[calda]

Oh, Xcode 15.2 already includes the visionOS SDK. Great! I'll release 4.4.0 after sorting out visionOS support then.

[TheRogue76]

Thank you. Sounds good. Yeah, i read the other PR as well. I'll keep it in mind.
BTW, i just saw how many issues for LRN had been opened in this repo. Sorry for the headache they caused. Feel free to ping if it looks like someone is being particularly difficult.

[dcacenabes]

Hey! I know this is already marked as resolved but I am not 100% confident of the solution for Cocoapods. Merged solution is using .resource, and depending on how you are integrating the library in your project you might end up overriding the privacy file from the main app or other frameworks. From their docs:

resourcesmulti-platform
A list of resources that should be copied into the target bundle.
For building the Pod as a static library, we strongly recommend library developers to adopt resource bundles as there can be name collisions using the resources attribute. Moreover, resources specified with this attribute are copied directly to the client target and therefore they are not optimised by Xcode.

Would it be possible to use resource_bundles instead?

s.resource_bundles = {
    'LottiePrivacy' => ['PrivacyInfo.xcprivacy'],
}

[maurovc]

Additionally to @dcacenabes' comment here's a great summary of the issue of using resource vs resource_bundle

[calda]

@dcacenabes, any interest in submitting a PR with that update?

[dcacenabes]

@dcacenabes, any interest in submitting a PR with that update?

100% Will ship it shortly

[dcacenabes]

#2288 👍

[calda]

We released Lottie 4.4.0, which now includes a privacy manifest. https://github.com/airbnb/lottie-ios/releases/tag/4.4.0

[TheRogue76]

We released Lottie 4.4.0, which now includes a privacy manifest. https://github.com/airbnb/lottie-ios/releases/tag/4.4.0

Beautiful. I'll bump it up in our podspec. Thank you for the ping @calda !

[honkmaster]

Could you explain why Lottie is privacy-impacting? Of course, Apple may think it is, but isn't Lottie just a UI framework?

[calda]

Lottie does not impact user privacy in any way because it doesn't collect or track any data. We are providing a privacy manifest because it is required by Apple: https://developer.apple.com/support/third-party-SDK-requirements/

[honkmaster]

Lottie does not impact user privacy in any way because it doesn't collect or track any data. We are providing a privacy manifest because it is required by Apple: https://developer.apple.com/support/third-party-SDK-requirements/

Ok, so you guys are like me with SVProgressHUD. I'm still trying to understand why we're on the list. Seems like maybe it's just due to popularity and not real privacy concerns which is … interesting. Thanks @calda.

[calda]

Yeah, I believe it's related to popularity. Fortunately it is really easy to provide a privacy manifest, especially if it's mostly empty! Adopting code signing was more difficult (#2259, necessary for us since we distribute precompiled binaries via lottie-spm).

[Anbu-iOS]

Hi, still the issue is persist in the latest 4.4.0.
no rule to process file '../Source/Pods/lottie-ios/Sources/PrivacyInfo.xcprivacy' of type 'text.xml' for architecture 'arm64' (in target 'lottie-ios' from project 'Pods')

[tscholze]

Do I need to reference the privacy manifest somewhere else? I still get the error from the App Store Connect. :/

[rawan92my]

Hello! I'm facing an issue with using latest Lottie version and I have to include Privacy file, since my app min deployment target is iOS 12 :( any help in that ?