Apple rejected for use of Facebook in a kids apps

kbradford · January 17, 2021, 1:23am

Well this is a new one to us. We updated one of our kids apps that uses Facebook Login and got this rejection:

Third-party analytics or third-party advertising with the ability to collect, transmit or share identifiable information, including, for example, IDFA. Specifically, we found that your app references the [ASIdentifierManager API](https://developer.apple.com/documentation/adsupport/asidentifiermanager), which provides access to a user's IDFA, in the following location(s) in your binary:

    • Frameworks/FBSDKCoreKit.framework/FBSDKCoreKit

    To resolve this issue, it would be appropriate to remove all instances of “ASIdentifierManager” from your app, even if they are not utilized in your app's functionality.

We also saw some discussion of this exact issue here:

github.com/facebook/facebook-ios-sdk

Kids Category Rejections due to Apple's 1.3. Kids Safety Rule

opened 09:19AM - 12 Dec 20 UTC

closed 04:50PM - 10 Feb 21 UTC

Legoless

## Checklist - [x] I've updated to the latest released version of the SDK - …[x] I've searched for existing [GitHub issues](https://github.com/facebook/facebook-ios-sdk/issues) - [x] I've looked for existing answers on [Stack Overflow](https://facebook.stackoverflow.com), the [Facebook Developer Community Forum](https://developers.facebook.com/community/) and the [Facebook Developers Group](https://www.facebook.com/groups/fbdevelopers) - [x] I've read the [Code of Conduct](https://github.com/facebook/facebook-ios-sdk/blob/master/CODE_OF_CONDUCT.md) - [x] This issue is not security related and can safely be disclosed publicly on GitHub ## Environment This issue is not tied to any specific Xcode or Swift version, or integration. ## Goals Our app has been in Kids Category of apps since mid 2017. Apple announced very strict rules regarding those type of apps in 2019 and the rule came into the effect in mid 2020. These rules mean, no third party advertising tracking and no third party analytics, including Facebook. At the time, we've disabled all analytics functionality from Facebook and IDFA collection to comply with the rule, which are a setting features of Facebook SDK. We've kept Facebook SDK for login features only. After fixing this, we also spoke with Apple and they say login is fine, as long as no IDFA is collected. We had many successful updates released without any issues until November 2020, when we started getting rejected by Apple much more harshly based on their 1.3 Kids Safety rule. Now apparently the problem is bigger, as Apple is rejecting our app with the following information: ``` Third-party analytics or third-party advertising with the ability to collect, transmit or share identifiable information, including, for example, IDFA. Specifically, we found that your app references the ASIdentifierManager API, which provides access to a user's IDFA, in the following location(s) in your binary: FBSDKCoreKit.framework/ ``` So we fixed this in our own [fork](https://github.com/blubblub/facebook-ios-sdk/commits/master) and removed the code references, since they are not in use any way. But now, there is another problem: ``` Network traffic to Facebook indicates that IDFA collection is disabled yet includes an ID labeled as “anon_id”, which matches the format of IDFA. ``` So, the thing in question is the anonymous ID Facebook generates and sends. I did not investigate WHEN exactly does this happen, as all analytics and IDFA collection is disabled. Not sure if we're allowed to remove this on our end, according to Facebook's developer agreement. Please advise!

Any ideas on this? Is there a way to disable this part of the Facebook SDK?