App rejected for referencing (while not using) APIs that access sensitive user data #1942

Closed
chrene opened this issue Sep 10, 2019 · 5 comments

@chrene

chrene commented Sep 10, 2019

Description of the problem:

It seems that @capacitor/core code references APIs that access sensitive user data. In this case it's the photo library.

I'm not calling any of the functions that request authorisation to use the API, but it seems that Apple will now check the code up front, and if you reference any of these sensitive APIs, which Capacitor does with its native plugin core, they will reject it with a warning.

ITMS-90683: Missing Purpose String in Info.plist - Your app's code references one or more APIs that access sensitive user data. The app's Info.plist file should contain a NSPhotoLibraryUsageDescription key with a user-facing purpose string explaining clearly and completely why your app needs the data. Starting Spring 2019, all apps submitted to the App Store that access user data are required to include a purpose string. If you're using external libraries or SDKs, they may reference APIs that require a purpose string. While your app might not use these APIs, a purpose string is still required. You can contact the developer of the library or SDK and request they release a version of their code that doesn't contain the APIs. Learn more (https://developer.apple.com/documentation/uikit/core_app/protecting_the_user_s_privacy).

example in Camera.swift

func showCamera(_ call: CAPPluginCall) {
    ...
    AVCaptureDevice.requestAccess(for: .video) { granted in

Affected platform

  • [ ] Android
  • [x] iOS
  • [ ] electron
  • [ ] web

OS of the development machine

  • [ ] Windows
  • [x] macOS
  • [ ] linux

Other information:

Capacitor version:
1.2.0

node version:
v10.16.1

npm version:
6.9.0

CocoaPods version:
1.7.5

Steps to reproduce:
Remove unused privacy explanation keys in Info.plist for those APIs you never call and upload to the App Store for a TestFlight.


For now I will place dummies as a workaround, but I think the core could potentially be split into modules that we can install when needed instead of having all the privacy APIs up front.

@naranjamecanica
Contributor

Did you remove those keys from Info.plist yourself?

In the documentation there is some description about this requirement: https://capacitor.ionicframework.com/docs/ios/configuration#managing-permissions

@chrene
Author

chrene commented Sep 18, 2019

@naranjamecanica yes, I removed them since I don't use them nor intend to. One workaround is to put in some dummy values, but I think it would be better if you can opt out of the ones you don't use. It's cleaner in my opinion.

@jcesarmobile
Member

Since Apple scans the code and Capacitor ships with all the plugins, it will detect that the code is present even though your app doesn't use any of those features.

The only solution would be to take the plugins out of Capacitor; not sure if that's going to happen in the short term.
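
A pre-upload check for the situation discussed in this thread, as an added example that is not part of the original issue or of Capacitor: it lists the purpose-string keys that referenced APIs require and reports those absent or blank in Info.plist. The symbol-to-key table is an assumed, partial mapping (Apple's scanner and its symbol list are not public), and the plist, the `Photos.swift` file name and both source snippets are constructed sample input.

```python
import plistlib
import re

# Assumed, partial mapping from API symbols to the Info.plist purpose-string
# keys they need; Apple's own scanner and its full symbol list are not public.
API_TO_KEYS = {
    r"\bPHPhotoLibrary\b": ["NSPhotoLibraryUsageDescription"],
    r"\bUIImagePickerController\b": ["NSPhotoLibraryUsageDescription",
                                     "NSCameraUsageDescription"],
    r"\bAVCaptureDevice\b": ["NSCameraUsageDescription"],
    r"\bCLLocationManager\b": ["NSLocationWhenInUseUsageDescription"],
}

def required_keys(sources):
    """Map each required plist key to the files that reference a matching API."""
    needed = {}
    for path, text in sources.items():
        for pattern, keys in API_TO_KEYS.items():
            if re.search(pattern, text):
                for key in keys:
                    needed.setdefault(key, set()).add(path)
    return needed

def missing_purpose_strings(plist_bytes, sources):
    """Return {key: sorted files} for keys that are absent or blank in Info.plist."""
    info = plistlib.loads(plist_bytes)
    problems = {}
    for key, files in required_keys(sources).items():
        value = info.get(key)
        if not isinstance(value, str) or not value.strip():
            problems[key] = sorted(files)
    return problems

# Constructed sample input: a plist with the photo library key removed and two
# source snippets (the first mirrors the Camera.swift call quoted in the issue).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>CFBundleName</key><string>Demo</string>
  <key>NSCameraUsageDescription</key><string>Used to take profile photos.</string>
</dict></plist>"""
SAMPLE_SOURCES = {
    "Camera.swift": "AVCaptureDevice.requestAccess(for: .video) { granted in }",
    "Photos.swift": "PHPhotoLibrary.requestAuthorization { status in }",
}

if __name__ == "__main__":
    for key, files in missing_purpose_strings(SAMPLE_PLIST, SAMPLE_SOURCES).items():
        print(f"{key} missing or empty; referenced in {', '.join(files)}")
```

Run against the real `Info.plist` and the plugin sources under the CocoaPods directory, this surfaces the missing key before the upload instead of in the ITMS-90683 e-mail.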

@aaronwJordan

@chrene can you elaborate on "put in some dummy values"? As in dummy values in the 'Value' section of the respective key?

@ionitron-bot

ionitron-bot bot commented Nov 11, 2022

Thanks for the issue! This issue is being locked to prevent comments that are not relevant to the original issue. If this is still an issue with the latest version of Capacitor, please create a new issue and ensure the template is fully filled out.

@ionitron-bot ionitron-bot bot locked and limited conversation to collaborators Nov 11, 2022