iOS NSPrivacyTrackingDomains

[noangel]

Description

I need to fill NSPrivacyTrackingDomains in my app privacy manifest.
I found how to detect URLs app trying to connect like this: https://developer.apple.com/documentation/xcode/detecting-when-your-app-contacts-domains-that-may-be-profiling-users

And it shows: "Fault: app-measurement.com is not listed in your app’s NSPrivacyTrackingDomain key in any privacy manifest. It may be following users across multiple apps and websites to create a profile about users of apps that contact this domain." multiple times. So I added app-measurement.com to tracking domains and looks like it doesn't show any more. Is it the only one, or there are more exist? If You have some link with a list of tracking domains, please leave it here.
Thanks.

Reproducing the issue

No response

Firebase SDK Version

6.20

Xcode Version

15.2

Installation Method

N/A

Firebase Product(s)

Analytics, Messaging

Targeted Platforms

iOS

Relevant Log Output

No response

If using Swift Package Manager, the project's Package.resolved

Expand Package.resolved snippet

Replace this line with the contents of your Package.resolved.

If using CocoaPods, the project's Podfile.lock

Expand Podfile.lock snippet

Replace this line with the contents of your Podfile.lock!

[google-oss-bot]

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

[paulb777]

Firebase's privacy manifest support is still in progress. Details are available at #11490.

Would you share the details about your use case and how to reproduce the error message?

In the meantime, the documentation at https://firebase.google.com/docs/ios/app-store-data-collection may be helpful.

[noangel]

I'm using Firebase SDK for receiving push notifications and Analytics is also required for third-party Ad SDK.

To reproduce error message I run an app with Firebase SDK from Xcode using Profile mode. Then select instrument Network, and press record. It will give popup about recording HTTP traffic, press Record Anyway. When I run app after Firebase initialize Xcode profiler gives some items on Points of Interest track. If I click one of these it opens Detail area with error message in it. Error message says there is a request looks like tracking and I need to add it to NSPrivacyTrackingDomain key of privacy manifest. After adding domain name, error disalpears. I just want to confirm if someone knows where list of such domains located in docs for Firebase.

I understand that Firebase SDK with privacy manifest in it will be released, but I'm trying to use older SDK version and merge required info to privacy manifest on app side. I'm using Firebase as static library, so it may be ok to do it that way to save a time. It's an old app, so I don't want to upgrade everything to latest version just for privacy manifest if possible.

[paulb777]

Thanks for the explanation. Are you seeing an error or a non-blocking warning?

[noangel]

@paulb777 It marked as "Fault" in Xcode profiler, but I think it does not matter. If it detected by Apple tool it means Apple app review team will find it and reject my app. Just wanted to know if there is only one tracking domain for Firebase. For now I added "app-measurement.com" to tracking domains in privacy manifest.

[masashi972]

@paulb777 Hello,

I hope this message finds you well.

I am currently working on addressing PrivacyManifests for our application. Following a similar approach as described here, I implemented URL detection in our app, utilizing Firebase SDK version v6.23.1. As a result, the following issue was flagged:

"Fault: firebase-settings.crashlytics.com is not listed in your app’s NSPrivacyTrackingDomain key in any privacy manifest. It may be following users across multiple apps and websites to create a profile about users of apps that contact this domain."

Could you please confirm if my understanding is correct that this issue will no longer be flagged in future updates? We believe that this URL should not be defined in the app's NSPrivacyTrackingDomains.

Additionally, I'd like to mention that "app-measurement.com" is no longer flagged after recent updates.

Thank you for your attention to this matter. Looking forward to your response.

[ncooke3]

Hi @masashi972, the Crashlytics SDK does not perform tracking, so this domain is incorrectly flagged.

Could you please confirm if my understanding is correct that this issue will no longer be flagged in future updates?

I'm not sure there is a way to silence these warnings for endpoints that are falsely flagged. The issue may go away by updating to Firebase 10.22 or later and trying again as Crashlytics's privacy manifest contains no tracking domains, so that may silence the warning.

We believe that this URL should not be defined in the app's NSPrivacyTrackingDomains.

I agree.

[Digipom]

I'm still getting the alerts with Firebase 10.23.1.

[ncooke3]

Hi @Digipom, IIUC, these alerts do not block app submission, correct?

[Digipom]

@ncooke3 Not yet, but it says that it will starting from May 1st.

[ncooke3]

@Digipom, which domains are being flagged in your project?

[Digipom]

Sorry, I should have posted on the other issue. I don't have any URLs being flagged, just APIs at the moment.

[masashi972]

@ncooke3 Thank you for your reply.

As of now, even with the latest version v6.23.1 installed, the issue is still being flagged.

Do you have any plans to release an update for Crashlytics within this month? If there are any upcoming updates scheduled, I would like to try again with that version.

Looking forward to your response.

[ncooke3]

@masashi972, Crashlytics v10.24.0 is tentatively scheduled to release next week. I'd be curious if this issue is happening on the latest Firebase versions. I filed a feedback ticket to Apple asking about ways to handle false positives reported by the domain profiler.

[masashi972]

@ncooke3 Thank you.

I will proceed with the update to Crashlytics v10.24.0 and confirm if the same issue occurs. I will share the results with you once I have completed the verification.

[misteu]

Any updates regarding the tracking domains that have to be added to NSPrivacyTrackingDomains?

Or is every single developer asked to inspect network traffic and find out on their own?

[salvatoreboemia]

Any news on tracking domain?

I got this error

Thanks

[ncooke3]

Crashlytics does not use any tracking domains so these are false positives from Xcode's profiler. I learned from Apple that there is no way to silence/allowlist these messages. These messages should not block app function or submission.

[SwiftNativeDeveloper]

@ncooke3

Crashlytics does not use any tracking domains so these are false positives from Xcode's profiler. I learned from Apple that there is no way to silence/allowlist these messages. These messages should not block app function or submission.

If you open up an Apple Feedback for that capability I'd write one up and reference your ID in mine as the 'downstream' customer.

[masashi972]

@ncooke3 Hello,

I have updated to SDK v10.24.0 and conducted the verification again. Unfortunately, the results remain unchanged, and the same issue persists.

[salvatoreboemia]

Crashlytics does not use any tracking domains so these are false positives from Xcode's profiler. I learned from Apple that there is no way to silence/allowlist these messages. These messages should not block app function or submission.

So we don't need to add the domain in our Manifest?

I'm worried about this

Basically, each domain URL inside the privacy manifest will be blocked by Apple if the user does not grant during the ATT Alert.

What do you think?

[Limwin94]

It's currently detected by the instrument tool, and I think it makes sense to add it to the tracking domain list if you think it's ambiguous.
It's better than having the feature not work or rejecting submissions just in case.
If the false positives (as they claim to be) are resolved in the future, I don't think it's too late to remove it.

I guess firebase isn't sure about this because of the risk. Is this true?

[aserdobintsev]

Although the instruments only display firebase-settings.crashlytics.com in the Points of Interest section, there are other domains used by Firebase, which can be seen in the AppName Active Tasks section.

Here are the domains used by Firebase:

firebase-settings.crashlytics.com
firebaseremoteconfig.googleapis.com
device-provisioning.googleapis.com
app-analytics-services.com
app-analytics-services-att.com
fcmtoken.googleapis.com
firebaseinstallations.googleapis.com
firebasedynamiclinks.googleapis.com
firebaselogging-pa.googleapis.com

Which of them are used for tracking?

In the current version of Firebase 10.25.0, none of these domains are listed in the NSPrivacyTrackingDomains section

The tracking domains must be specified in the Privacy Manifest NSPrivacyTrackingDomains array, as is done, for example, in Facebook/Apphud/AppsFlyer/AppMetrica sdks.

[ncooke3]

@salvatoreboemia,

So we don't need to add the domain in our Manifest?

No, it is not a tracking domain and therefore should not be added to any privacy manifest.

[AdriOrma]

@ncooke3 So is Firebase SKD going to add the analytics domains to the privacy manifest? Or should we do it on our project's manifest?
Isn't this a bit strange?

[ncooke3]

Regarding the list of domains shared by @aserdobintsev, the app-analytics-services-att.com domain may be declared in an app level privacy manifest by developers who collect IDFA using Google Analytics for Firebase. I don't see a reason why any of the other domains would need to be declared.

For more details regarding Google Analytics for Firebase and privacy manifests, see https://support.google.com/analytics/answer/10285841#privacy-manifests.

---

Regarding the original Fault: ... message from Xcode, I filed a feedback ticket with Apple to make the warning sound less harsh as the "fault" wording makes it sound like every domain it finds is a tracking domain.

[MohamedAhmed122]

@aserdobintsev
I am having the same issue that I can't release for that issue ITMS-91064 NSPrivacyTracking must be true if NSPrivacyTrackingDomains isn‘t empty. Keys and values
and I wonder what should I do to?

is the solution to create PrivacyInfo.xcprivacy and add the following ?

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>NSPrivacyTrackingDomains</key>
   <array>
      <string>firebase-settings.crashlytics.com</string>
      <string>firebaseremoteconfig.googleapis.com</string>
      <string>device-provisioning.googleapis.com</string>
      <string>app-analytics-services.com</string>
      <string>app-analytics-services-att.com</string>
      <string>fcmtoken.googleapis.com</string>
      <string>firebaseinstallations.googleapis.com</string>
      <string>firebasedynamiclinks.googleapis.com</string>
      <string>firebaselogging-pa.googleapis.com</string>
   </array>
	
	<key>NSPrivacyTracking</key>
	<true/>
</dict>
</plist>

or there's something else I should do?

I also updated to react-native-firebase/analytics to 19.2.2

[aserdobintsev]

As mentioned by @ncooke3, the only tracking domain is app-analytics-services-att.com. Therefore, you can remove the others from the array.

Also, as I understand it, you need to set NSPrivacyTracking to true and add app-analytics-services-att.com to NSPrivacyTrackingDomains only if you use IDFA in the Firebase SDK.

In one of the apps I'm developing, I use IDFA in the Firebase SDK and must add the tracking information.
In the other app, I don’t use IDFA at all (but use Firebase Crashlytics), so just set NSPrivacyTracking to false and NSPrivacyTrackingDomains to an empty array.