日前苹果已经官宣,将于北京时间 4 月 21 日以在线形式举行今年的春季新品发布会。那么意味着新的系统 iOS 14.5 正式版也会到来,因为 iOS 14.5 系统苹果明确了在此系统上线后将会采用新的 IDFA 政策,没有正面拥抱变化的我们,理所应当在最近的一次提审中因为用户隐私数据的问题被拒了。
下面便是邮件的内容:
Guideline 5.1.2 - Legal - Privacy - Data Use and Sharing
We found in our review that your app collects user and device information to create a unique identifier for the user's device. Apps that fingerprint the user's device in this way are in violation of the Apple Developer Program License Agreement and are not appropriate for the App Store.
Specifically, your app uses algorithmically converted device and usage data to create a unique identifier in order to track the user. The device information collected by your app may include some of the following: kCLLocationAccuracyBest, getifaddrs, NSTimeZone, serviceSubscriberCellularProviders, and NSFileSystemSize.
Per section 3.3.9 of the Apple Developer Program License Agreement, neither you nor your app can use any permanent, device-based identifier, or any data derived therefrom, for purposes of uniquely identifying a device.
Next Steps
To resolve this issue, remove any functionality from your app that uses algorithmically converted device and usage data to create a unique identifier for the user's device. You should also remove any related code or implemented SDKs that support this functionality.
Please note that attempting to hide or obfuscate code designed to fingerprint the user's device, or otherwise evade the review process, may result in the termination of your Apple Developer Program account. Review the Terms & Conditions of the Apple Developer Program to learn more about our policies regarding termination.
Resources
Learn more about our requirements for apps that track users.
其中有提到说违反了开发者协议中的第 3.3.9 条款,下面是第 3.3.9 条款的内容:
3.3.9 You and Your Applications (and any third party with whom You have contracted to serve advertising)
may not collect user or device data without prior user consent, whether such data is obtained directly from
the user or through the use of the Apple Software, Apple Services, or Apple SDKs, and then only to provide
a service or function that is directly relevant to the use of the Application, or to serve advertising in
accordance with Sections 3.3.12. You may not broaden or otherwise change the scope of usage for
previously collected user or device data without obtaining prior user consent for such expanded or otherwise
changed data collection. You may not use analytics software in Your Application to collect and send device
data to a third party. Further, neither You nor Your Application will use any permanent, device-based
identifier, or any data derived therefrom, for purposes of uniquely identifying a device.
大概的意思其实就是说我们在没有经过用户同意的情况下就收集用户的设备信息作为唯一标识来提供广告服务。
我们猜测这可能是由两种情况导致的:
- 苹果机器审核扫描到我们使用了相关的 IDFA 的 API 却未使用 IDFA 权限申请弹窗以告知用户我们需要使用访问 IDFA 数据;
- 三方 SDK 接入了 CAID ,虽然中国广告协会表示 CAID 解决方案并不会违反苹果隐私管理政策,但是苹果对于 CAID 方案的态度是明令禁止的;
随后我们立刻采取了相应的应对措施:
- 排查项目中代码,删除被拒邮件中提到的
kCLLocationAccuracyBest、getifaddrs、NSTimeZone、serviceSubscriberCellularProviders和NSFileSystemSize关键字相关代码(只删除项目中不必要的方法类库,必要的代码还是暂时先保留); - 首次启动的隐私弹窗中添加上 IDFA 数据收集的相关描述,文言大致如下;
感谢您选择****!
我们非常重视个人信息包保护,请您阅读并同意《用户协议》和《隐私政策》内所有的条款及内容。如同意以上协议,请点击同意。
首次安装时,我们将向您询问是否授权:
1、设备标识信息(IDFA):用于统计和内容服务;
2、定位:用于为您提供精准的定位信息服务;
3、通知:方便我们及时并准确提供资讯信息。
- 联系三方 SDK 合作商,询问近期是否有相关应对方案的更新版本,并将 SDK 更新到最新能够过审的版本,特别是通过代码扫描发现包含 CAID 的 SDK;
审核结果:
顺利通过审核(其实还是应该提前拥抱变化,尽量提前做一些适配苹果新审核政策和新系统的方案);
参考文章:
新一轮的应用商店拒绝潮表明iOS 14.5、新iPad可能即将面世
关于第三方潜在SDK导致的5.1.2Data use sharing
全面解读 iOS 14 ATT和SKAdNetwork
为 AppTrackingTransparency 做好准备
苹果或禁用CAID,中国科技巨头挑战苹果隐私新规宣告失败?