How to handle AppStore Warning - Missing Purpose String, because of third party library?

Question

I have uploaded new build of the application that was in the App Store for severals years.

Received following email from iTunes Connect:

Your delivery was successful, but you may wish to correct the following issues in your next delivery: ITMS-90683: Missing Purpose String in Info.plist -

NSLocationAlwaysUsageDescription NSLocationWhenInUseUsageDescription

The application is not using location for any purpose.

It may be caused:

• one of the pods I updated, has added usage of Location (admob?)
• apple started to perform this check very recently

I have looked for Location and CoreLocation stuff in the project but no results. It might be compiled binary using it. But how to know which and for what purpose?

What is the developer supposed to write in the purpose string if it's some 3rd party lib using that permission?

PD: From what I know for AdMob, at least on Android, it's been using location since long time ago. https://developers.google.com/admob/ios/targeting#location https://support.google.com/admob/answer/6373176?hl=en

PD2: Just found this

7.8.1 2016‑05‑11 Added SDK support for automatically using location data when a user has explicitly enabled an app's location permissions.

In release notes: https://developers.google.com/admob/ios/rel-notes

PD3: Just found the issue on Google Groups forum of AdMob: https://groups.google.com/forum/#!category-topic/google-admob-ads-sdk/ios/byShbNTrumk

Answer 1

Another place with related issue: https://github.com/OneSignal/OneSignal-iOS-SDK/issues/368

Tried removing OneSignal pod and uploading a new build. This time all worked without any email from apple.

Answer 2

But how to know which and for what purpose?

You can use nm to look at the symbols of the libraries/frameworks you're linking against. Try

nm <frameworkname> | grep CoreLocation

To find all binary archives in your Pods folder, run

find . -type file | xargs file | grep "Mach-O.*ar archive" | 
  awk '{print $1}' | tr -d : | xargs nm | grep CoreLocation

Once you find the offending lib, you can try to figure out what purpose location data has and then decide whether you can get rid of it, or continue using it and add the required permission strings, as @Rob explains.

Answer 3

What is the developer supposed to write in the purpose string if it's some 3rd party lib using that permission?”

I’d suggest something that captures precisely what that third party library is doing with the location data, e.g. “Used to present offers and ads unique to your current location” or “So our corporate overlords can track your every movement” (just kidding ... sort of).

If you never actually request location services, this likely will never be presented to the user (presumably AdMob doesn’t actually request location services, but just avails itself of them when available), so, from an end-user’s perspective, it might not matter too much what text you use here.

But I’d still encourage some string here that captures all the ways that the location data will be used. If you later add your own location services features (triggering this disclosure to be presented), this will remind you (or some future developer) to disclose not only the app’s intended use of location data, but also disclose all ways the location data may be used. We want our customers to be able to make informed privacy decisions. And by filling in these usage strings now, it minimizes the chance that we forget later about how AdMob (or whatever) is using the data.