iOS app rejected due to cookies without asking permission - ios

My app was recently rejected for App Store release with the following reason:
We noticed your app accesses web content you own where you collect cookies. Cookies may be used to track users, but you do not use App Tracking Transparency to request the user's permission before collecting data used to track.
The last part is correct: I do not apply App Tracking Transparency.
The first part is surprising:
I do not explicitly access cookies by HTTPCookieStorage
I show a terms-of-use webpage which is included in the app. It does not access any cookies. It has links to external sites that do, but I only navigate to these by switching to Safari (using UIApplication.shared.open(...))
So: How do I figure out how/when cookies are accessed by my app, which makes Apple require App Tracking Transparency?

I ended up asking Apple about the haps, and the reply stated the following:
we still find that your app indicates the collection of cookies on launch
After a bit back-and-forth, I removed some text in the bundled terms-of-use webpage - something copy-pasted from the website supporting the app, that indeed indicated collection of cookies... Completely irrelevant for the app.
That did the trick, and the app is approved.
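
One way to check a bundled page before submission, as an added example that is not part of the original post: the Python script below scans the HTML for cookie-disclosure wording, inline `document.cookie` access, and remote subresources that a web view would fetch on load. The phrase list, the names `BundledPageAudit` and `audit_html`, and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Wording that reads as a cookie/tracking disclosure (assumed list; extend it).
COOKIE_TEXT = re.compile(r"\b(cookies?|tracking|analytics)\b", re.I)
# Tag/attribute pairs the web view fetches while the page loads.
LOADING_ATTRS = {("script", "src"), ("img", "src"), ("iframe", "src"), ("link", "href")}

class BundledPageAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []      # (kind, line, detail)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            # A network location means the resource is not inside the bundle.
            if (tag, name) in LOADING_ATTRS and value and urlparse(value).netloc:
                self.findings.append(("remote-load", self.getpos()[0], value))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        line = self.getpos()[0]  # line on which this text chunk starts
        if self._in_script:
            if "document.cookie" in data:
                self.findings.append(("cookie-js", line, "document.cookie"))
            return
        for m in COOKIE_TEXT.finditer(data):
            where = line + data.count("\n", 0, m.start())
            self.findings.append(("cookie-text", where, m.group(0).lower()))

def audit_html(html):
    parser = BundledPageAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample of a terms-of-use page copied from a website.
SAMPLE = """<html><body>
<p>By using this website you accept that we collect cookies.</p>
<p>See <a href="https://example.com/privacy">our policy</a>.</p>
<script src="https://stats.example.net/t.js"></script>
<script>var c = document.cookie;</script>
<img src="logo.png"></body></html>"""
```

Plain `<a href>` links are deliberately not reported, since following them is a user action rather than something the page does on load.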

Related

App Tracking Transparency on Flutter was rejected by Apple

I need help.
I have a problem with publishing my Flutter app on Apple Developer. My binary was rejected many times and I don't have any more ideas about this.
The Apple Developer support team reports this problem:
Guideline 5.1.2 - Legal - Privacy - Data Use and Sharing
We noticed your app accesses web content you own where you collect cookies. Cookies may be used to track users, but you do not use App Tracking Transparency to request the user's permission before collecting data used to track.
Starting with iOS 14.5, apps on the App Store need to receive the user’s permission through the AppTrackingTransparency framework before collecting data used to track them.
But I implemented it according to the docs. To show the permission request dialog I used this library:
https://pub.dev/packages/app_tracking_transparency
I'm confused because it already implemented everything that was requested.
App Tracking Transparency implemented
Permission is displayed to the user, who selects YES or NO.
App Tracking Information is updated here in the App Store Connect section, including Third Party Cookies.
My app accesses external links in a WebView and for that reason they are questioning the use of "App Tracking". But I implemented everything as requested by them.
My biggest question is if I'm forgetting something that may have gone unnoticed.
Anyone who can help me, please?
Exactly the same thing happened to me twice, and both times the issue was resolved by simply sending them a video recording of the app showing the Yes/No App Tracking Transparency dialog. They just want to know when it appears to the user and whether you implemented everything correctly. So try sending them a video recording in the Resolution Center as a response to that message.
App Store Review team is always questioning the "App Tracking Transparency dialog". Even if this dialog is the first thing that appears after the app launch. (I think they just haven't launched the app).
There's no need to make a video, just add the text "The App Tracking Transparency dialog is appearing after app launch" and they will approve the app.

App Tracking Transparency implementation for an iOS app based on a WebView

I did a lot of research on the web but I did not find a clear answer to my doubts.
I need to publish an update for my iOS app.
Now it is mandatory that the app implements App Tracking Transparency if the App Privacy section states that the application is collecting data.
My app consists of a WebView showing some pages of a web site.
All tracking about user information (technical cookie, third party, etc..) happens inside the web view. However in App Privacy section I set that the app is collecting user information because of the cookies present on the web sites (Facebook Pixel, Google Ads, Analytics, etc..).
Now my questions are:
Should I change the App Privacy information telling that app is not collecting information?
I implemented the App Tracking Transparency framework. What should I do if the user refuses the tracking? Is it a transparent thing as the third party cookies will not be able to track users through the IDFA? Or should I interact in some way with the website to tell it that user did not allow tracking?
You have to declare it. https://developer.apple.com/app-store/app-privacy-details/#additional-guidance
Your app has web views.
Data collected via web traffic must be declared, unless you are enabling the user to navigate the open web.
By showing those WebViews your app IS collecting data (esp. if these are your "own" websites and not the "open web").
And it also reads like you can't display the website if the user did not comply to it or have another popup on the website itself.
Collection of the data occurs only in infrequent cases that are not part of your app’s primary functionality, and which are optional for the user.
And, if I'm reading correctly, your app is just a wrapper around those websites.

iOS: App rejected because of App Tracking Transparency on WebView

I'm working on an app made in React Native with Expo.
It uses a web view to show the site in the app.
Everything worked well, but when I submitted my app to the App Store, it got rejected.
The mail said:
We noticed you collect data to track after the user selects "Ask App
Not to Track" on the App Tracking Transparency permission request.
Specifically, we noticed your app accesses web content you own and
collects cookies for tracking after the user asked you not to track
them.
After that, using the expo tracking transparency library, I added a permission request to track data.
If the user doesn't accept it, I disable third party cookies on the web view.
After submitting again to the App Store, I got the exact same message.
I don't know what to do, because I can't control the site, and I'm limited to the React Native web view props.
Maybe I could enable incognito mode if the user doesn't want the app to track, but I'm not sure if this will be accepted either.
I had the same issue; I solved it like this:
Change the privacy of the app on the App Store: go to App Privacy and, in the Data Types section, click Edit, select Identifiers (Device ID), and set this one as used for tracking purposes. Make sure that this is the only one selected as used for tracking.
Also make sure that the permission is showing on a real device (so test it first on TestFlight).
Another thing is that you need to tell them where you show this permission; send them a video to show them where you show the permission.

How to make an app on the Apple App Store viewable in a browser?

This is the first time I have uploaded an app to the Apple App Store. After weeks of review, I finally got my app listed on the App Store. But the problem is that now it seems my app's App Store page is only viewable from iTunes. When I try to open it in a browser, it shows "Connecting to the iTunes Store...". Why can't my app be viewed from the browser? Why can other apps? How do I fix it?
Short answer: It seems, you cannot fully predict the behavior of an app store link for a certain user. You being redirected doesn't mean other people will be redirected right away as well. Your app's country/language availability, users' app store region and language settings, the specificity of the app store link (which has optional components and alternative styles), and the browser cache all seem to have a say.
Added details: After experimenting with this a lot, it seems to me that the behavior of the link (or rather the response from the Apple server to requesting it) depends on the language/country version being requested, my own current country/language defined in iTunes/my app store account, plus some caching issues. So, whether a preview page is shown in the browser, or iTunes is attempted to be opened right away depends on several factors and doesn't always have the same result (for different users). In fact, two consecutive attempts to open the same URL can have different redirect behavior.
I noticed that a full app store link like https://itunes.apple.com/us/app/keynote/id361285480 more likely leads to the preview web page, if the app is available in the language/country referenced ("us" in the example) and there is no prior request cached in which I clicked through to the app in iTunes. If the app isn't available in the referenced location, or any other information is missing in the link for the Apple server to identify a particular language version on the preview website, or there is cached data that makes Apple confident enough to redirect you to iTunes directly (or it's Friday 13th and the moon is right behind the sun by pure chance...) then you may see a redirect instead.
For posting app store links in the likes of Facebook, Apple's app linker seems to produce URLs with the nicest preview snippets (and not: "Connecting to the iTunes store"), when putting in the right country. So, these generated URLs seem to be most complete/specific.
If your app is intended for a specific region, App Store Connect will still give you a URL with .../us/... in it. Changing it to the respective local region seems to fix the problem for me.
For example,
given URL: https://apps.apple.com/us/app/yourcompany/id123456
If the app is for Norway region, change the URL to: https://apps.apple.com/no/app/yourcompany/id123456

Deep link after iOS app installed (Deferred deep linking)

How can you solve this scenario:
User is using Safari on iOS. They click a link on a website that says
"View Profile on our app". The user does not have the app, they are
taken to the app store to download the app. After they open the app,
the app immediately loads the profile screen (instead of the main
screen).
Currently in order for us to solve this problem, when the app is installed we immediately open Safari to grab the session cookie, if it matches the one on the server we load the right screen. However, Apple is now rejecting our app (and others) for loading Safari at startup.
What is a valid solution that won't get rejected by Apple?
(Also note that we were exploring IDFA - which would have worked - but Apple is rejecting apps that use IDFA if the app isn't using Ads)
This is definitely possible without the IDFA.
Basically, create a URL endpoint on your server that will 302 to the App Store on GET. When a user clicks this link, collect IP Address, OS, OS version, device model, screen size and other parameters and store it as a browser fingerprint.
Then, after the user installs your app, send the same array of meta data to your server as a device fingerprint. Your server can then match this device fingerprint to the browser fingerprint. If there's a match, you can be very certain that the user originated from your link.
Just to give you an idea of numbers, we (at Branch) give this service away for free and now process hundreds of millions of these match queries per day. We've seen that if a user will install, 99% of them will do it within the first 60 minutes. Just empirically, we estimate that this mechanism, with a short window of 2 hours is very close to 100% accurate.
For an added benefit, if you collect IDFA, you can drop a cookie on the browser on redirect and then store the matched pair to the IDFA to create a semi-permanent alternative to the fingerprinting mechanism I mentioned above. If someone clicks your link again, and you've got a cookie stored in the browser, you'll know who they are when they send their IDFA back to your service on install because you've seen that story play out before.
The best solution requires IDFA, which you are in fact allowed to collect for the purpose of deferred deep linking. The "Apple IDFA Scare" was a bit overblown in the media, and Apple revised its T&Cs to make it more clear. Apple also allows you to collect IDFA if you are an advertiser, for attributing installs, or for attributing post-install actions. In other words, you don't have to serve ads in your own app in order to collect IDFAs.
Here's a link to the current Apple policy (https://developer.apple.com/news/?id=08282014a ), and this article from AdExchanger goes into a little more detail (http://www.adexchanger.com/mobile/apple-throws-a-bone-to-app-marketers-blesses-idfa-for-attribution/ )
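
The fingerprint matching described in the first answer above, sketched as an added example that is not part of the original posts or any vendor's code: the server records a fingerprint at the redirect and matches it on first launch within the two-hour window. All names and sample values are assumptions; the sketch returns nothing when several clicks share a fingerprint, because two devices of the same model behind one NAT are indistinguishable to this scheme.

```python
from dataclasses import dataclass

MATCH_WINDOW_S = 2 * 60 * 60  # the two-hour window mentioned in the answer

@dataclass(frozen=True)
class Fingerprint:
    ip: str
    os: str
    os_version: str
    model: str
    screen: str

class ClickStore:
    """In-memory stand-in for the server-side table of link clicks."""

    def __init__(self):
        self._clicks = []  # list of (timestamp, Fingerprint, deep_link)

    def record_click(self, ts, fp, deep_link):
        # Called by the redirect endpoint before it answers 302 to the App Store.
        self._clicks.append((ts, fp, deep_link))

    def match_install(self, ts, fp):
        # Called on first launch. Returns a deep link, or None when there is
        # no click in the window or the fingerprint maps to several links.
        # Expiry assumes install timestamps arrive in increasing order.
        self._clicks = [c for c in self._clicks if ts - c[0] <= MATCH_WINDOW_S]
        hits = [c for c in self._clicks if c[1] == fp and c[0] <= ts]
        if len({link for _, _, link in hits}) != 1:
            return None  # ambiguous (shared NAT, same model) or no click at all
        self._clicks = [c for c in self._clicks if c not in hits]  # one-time use
        return hits[0][2]
```

Because a match is probabilistic, the returned link should only select which screen to open and never stand in for authentication.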
