firebase-ios-sdk: Rejection from Apple review team because of Your app implements the App Tracking Transparency framework

I can confirm that an update to one of my kids category apps was facing this rejection.

I switched to using 7.9.0-k2 and resubmitted. I was approved within a few hours.

🚀

Will Firebase please create their own test app that uses FirebaseAnalytics.framework and GoogleAppMeasurement.framework and submit it to the app store as a kids category app so that they can communicate directly with Apple about the issue instead of us being the middle people? Firebase can chose a manual submission so it doesn’t actually end up on the app store when Apple approves it. Especially when we don’t have visibility into the Firebase code, we’re just submitting blind and the process is slowed by us relaying the message from Apple to Firebase.

Hi everyone, apologies for the delay. We’ve put together a short-term fix to unblock app submissions and are working hard on a longer-term solution for all package managers. The following one-off build is based on the 7.9.0 release but has excluded the APIs flagged by App Review.

CocoaPods

In your Podfile, update the version specifier on Firebase/Analytics and any other Firebase/* pod to 7.9.0-k2.

pod 'Firebase/Analytics', '7.9.0-k2'

Then, run pod update and check your Podfile.lock to ensure the -k2 suffix exists on the FirebaseAnalytics and GoogleAppMeasurement Pods.

Zip Integration

Please download the following tar.gz files and replace the .xcframeworks in your project:

• FirebaseAnalytics-7.9.0-k1.tar.gz
• GoogleAppMeasurement-7.9.0-k1.tar.gz

Note: k1 here and k2 in CocoaPods are identical.

Swift Package Manager

If you’re using Swift Package Manager, using the above tar.gz downloads and replacing them in your .build directory may be sufficient, but if you have issues please let us know.

Further Updates

If you pass App Review using this new artifact, can you please add a rocket emoji reaction (🚀) to this post letting us know you were successful and are now unblocked? If this doesn’t work for you, please reply to this thread with the rejection notice if possible and we’ll respond ASAP.

Apologies once again, we’ll update this thread with further instructions when the longer-term solution is in place. Thank you.

We’re sorry you’re seeing rejections. Google Analytics for Firebase has provided AddSupport as an optional feature for a long time, and introduced optional support for AppTrackingTransparency last year. Our approach has been to use NSClassFromString and NSSelector to detect the presence of these frameworks - this approach is now resulting in App Store rejections. Our team is working on decoupling this detection and providing more transparency on the product behavior.

We are also getting rejections for App Tracking Transparency framework violations. From quick scan of the GoogleAppMeasurement framework, it looks like the binary still contains runtime loading of the ATTrackingManager class and API calls, but obfuscated and loaded with NSClassFromString and NSSelectorFromString.

Some transparency from Firebase would be appreciated here about what changes are being made, as it is getting a bit embarrassing submitting new builds without knowing what has changed. (Is this new version just more of the same obfuscation etc?)

The way forward here would be to open source the parts of the frameworks that contain the violating code, and allow us as users to add #defines in the Cocoapod compile step to exclude the parts, just like other Analytics frameworks have been doing for a long time to exclude any code relating to ASIdentifierManager for example.

We’re also a kids app being rejected with 7.8.1. Apple told us “the ATTrackingManager and trackingAuthorizationStatus dynamic usage remains in place via concatenation in block code associated with -[APMIdentity updateIdentifiers].”

Could you help us resolve this issue ASAP? Thanks

Is it possible to release a strict version of the framework? Like Appsflyer does. Without any tracking or suspicious things. Just to keep the kids happy?

Thanks. Hmm, we haven’t received any other reports about 7.8.1 causing rejections. Was there anything else in the Apple rejection providing detail the symbols that they are objecting to?

Another option, both to narrow it down and maybe move forward if you don’t need Analytics, would be to remove FirebaseAnalytics.framework and GoogleAppMeasurement.framework and resubmit.

I would assume they are objecting to the fact that the ATTrackingManager references are still in the binaries, just split into multiple strings.

I can confirm that submitting without FirebaseAnalytics.framework and GoogleAppMeasurement.framework does pass review, but is not very helpful in other ways than narrowing down the location of the problem, since we do actually use Firebase Analytics…

Thanks, firebase team! After we updated the firebase SDK to 7.9.0-k2, My app was approved by Apple.

I can also confirm that submitting without FirebaseAnalytics.framework and GoogleAppMeasurement.framework does pass the review.

Thank you for the update. We got our child’s app approved yesterday using this SDK version on Cordova.

Thank you so much ❤️ I’ll update you once the app is approved.

So far the fix is only in 7.9.0-k2. We’re working on a longer term solution that will part of regular releases, but it will likely take a few more releases. Until then, we recommend that Kids apps stay on 7.9.0-k2.

Hi @jfinkelstein-ixl Firebase, FirebaseAnalytics, and GoogleAppMeasurement should all be the -k2 version.

After adding the following to the Analytics Quickstart Podfile:

  pod 'Firebase/Analytics', '7.9.0-k2'
  pod 'Firebase/Crashlytics', '7.9.0-k2'

I see

In the meantime, we’re doing additional tests on our end to try to isolate any remaining issues.

@paulb777 If RNFB users set a variable in their Podfile that we look for in our RNFBAnalytics.podspec, we include the new subspec you all publish with no ad ids, otherwise they get the original Firebase/Analytics dependency

I put guards in requiring 7.11.0 min and also verify in RNFBAdMob that they did not set the variable as that would make no sense.

Examination of Podfile.lock with and without the variable shows expected results (Analytics and AppMeasurement either with or without ad ids, depending)

So I think it’s all set, at long last! Quite the odyssey on this one.

Thank you! We got approved with the archive release.

Thanks. Hmm, we haven’t received any other reports about 7.8.1 causing rejections. Was there anything else in the Apple rejection providing detail the symbols that they are objecting to?

There are some reports: https://github.com/firebase/quickstart-unity/issues/994#issuecomment-800924057 and https://github.com/firebase/quickstart-unity/issues/989#issuecomment-800919375. It is about Unity-based package, but I guess it is built on the top of the firebase-is-sdk 7.8.1

Another option, both to narrow it down and maybe move forward if you don’t need Analytics, would be to remove FirebaseAnalytics.framework and GoogleAppMeasurement.framework and resubmit.

Last time I’ve tried to remove analytics and/or GoogleAppMeasurement I’ve ended up with no luck. Looks like other frameworks depend on problematic ones, and I need to disable them (FirebaseABTesting, FirebaseCrashlytics, FirebaseDynamicLinks, etc.)

I will try again and report the results.