Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

App Store rejection due to Firebase phone auth

Our app uses Firebase phone auth. The App Store review has rejected the app due to pushes being required:

Guideline 4.5.4 - Design - Apple Sites and Services

We noticed that your app requires push notifications in order to function.

Specifically, we noticed if the Push Notifications setting was not enabled on our device, we encountered an error message after entering our phone number within the app.

Next Steps

Push notifications must be optional and must obtain the user's consent to be used within the app.

And they've also attached the screenshot that depicts Firebase error "Remote notifications and background fetching need to be set up for the app [...]"

Firebase documentation states that APNs notifications are absolutely required for phone auth to function:
https://firebase.google.com/docs/auth/ios/phone-auth

To use phone number authentication, your app must be able to receive APNs notifications from Firebase. When you sign in a user with their phone number for the first time on a device, Firebase Authentication sends a silent push notification to the device to verify that the phone number sign-in request comes from your app. (For this reason, phone number sign-in cannot be used on a simulator.)

However App Store review guidelines state that Push Notifications must not be required in order for the app to function: https://developer.apple.com/app-store/review/guidelines/

4.5.4 Push Notifications must not be required for the app to function, and should not be used for advertising, promotions, or direct marketing purposes or to send sensitive personal or confidential information.

Users need to sign in before they can use the app (the app is about sending digital GIF invitations to your guests and sharing photos), which is why Push Notifications are basically required for the app to function, if the sign in method is Firebase phone auth.

We have tested the app a lot, and the authentication works without a problem when push notifications are enabled (on real devices, both in distribution Ad Hoc builds with production environment and development builds with sandbox environment).

Come to think of it, how did App Review team even disable Push Notifications? The notification center setting does not stop actual pushes, it just doesn't display them. Setting is turned off We have tested with this setting off, and firebase phone auth works fine, pushes are still coming through as expected.

I am very surprised with this issue, as Firebase is a huge service provider. Did anyone else encounter this issue? Are there plans to remove APNs requirement for phone auth? Is there maybe some other way to use Firebase phone auth without pushes?

like image 685
Lveecode Avatar asked Jul 14 '17 20:07

Lveecode


People also ask

How do I stop App Store rejection?

To avoid rejection, make sure that your privacy policy is easily accessible both within your app and app page in the App Store. It should explain how you use the specific data that you collect: how it's stored, and whether or not you share it with other third-party entities.

Do apps get rejected from the App Store?

Unfortunately, some apps do get rejected straight out the gate. It's not always easy to find out what you need to do in order to avoid app store rejection. According to Apple, 88% of those rejections occur because of the most common faux pas.

What is App store ID for Firebase?

Go to your Firebase "Project Settings" by clicking the gear icon in the top left and scroll down to the "Your Apps" subsection. Click the pencil icon next to "App Store ID" and "Team ID" and change them to appropriate values. Under App Store ID, use 292922029.

What is metadata rejected in App Store?

Metadata rejected This means that the review has only just been interrupted and can be resumed once you provide the missing information.


1 Answers

Firebaser here. We have released an updated Firebase Auth SDK, 4.2.0, as Leetmory mentioned, which should hopefully resolve these issues going forward.

The issue was caused by the fact that the Firebase Auth SDK using APNs to validate the request - this is to minimize the risk of SMS spam abuse or similar. The validation uses a silent APNs notification, so doesn't require explicit user consent for iOS 8 and above. However, this still failed if APNs was completely disabled, as in this review case.

The 4.2.0 release introduced the facility to use a reCAPTCHA prompt inside an SFSafariViewController (or webview for older iOS) to prevent abuse if APNs isn't available. We don't expect this to happen very much, but it accounts for the unusual state encountered here. It also enables support for testing Firebase Phone Auth on the simulator!

You'll notice there is a new uiDelegate parameter on the verifyPhoneNumber method. In most cases you wont need to use this, but it is part of the fallback verification.

What you will need to do, if you haven't already, is add the REVERSED_CLIENT_ID (from the GoogleService-Info.plist) as a custom URL scheme. This will allow the reCAPTCHA view to return validation to your app.

There is a gotchas to be aware of in the current version though:

  1. In the callback from verifyPhoneNumber you'll need to redispatch to the main thread, using DispatchQueue.main.async {} - this will be fixed in the next version of Firebase Auth!

Other than that, things should work as normal! We definitely recommend supporting silent push where ever possible to ensure the best user experience.

For a full walk through, see the full Phone Auth developer guide.

like image 90
Ian Barber Avatar answered Oct 07 '22 22:10

Ian Barber