Unity IAP unsupported for Kids Apps on iOS ? (at the moment)

Unity IAP is really great, but it seems that if you're using it in a kids app you're going to have a hard time releasing it on iOS. This is due to Unity Analytics being included with IAP, which violates Apple Guideline 1.3 - Safety - Kids Category ... details given below.

As far as I know, there is currently no solution (but I'd be very happy to be proved wrong on this).

To save other developers time, would the Unity IAP team consider either :-

1) Highlighting this restriction in the Unity IAP knowledge base https://support.unity3d.com/hc/en-u...28.727494493.1593447020-2036023412.1592647924 and/or pinning a message at the top of the Unity IAP forum.

2) If there is a robust solution, adding it to the Unity IAP knowledge base. Even if this solution is currently to use one of the several 3rd party assets on the asset store.

3) A fix that decouples IAP and analytics.



------------------------------

App rejected 30th Jun 2020, using Unity 2019.4.1f1 & Unity IAP 1.23.2

Guideline 1.3 - Safety - Kids Category

We noticed that your Kids Category app includes analytics, advertising and collects, transmits, or has the ability to share personal information or device information with third parties.

Your app includes the following feature(s), contrary to guideline 1.3 of the App Store Review Guidelines:

Third-party analytics or third-party advertising with the ability to collect, transmit or share identifiable information, including, for example, IDFA.

Next Steps

To resolve this issue, please remove this functionality or revise your app so that no personally identifiable information or device information is sent to third parties.--

 

@JeffDUnity3D It's the presence of the analytics that causes rejection for kids apps - not the IAP.

My post was just suggesting that if there is a known work around it would be soooooo helpful to make it more visible.

At the moment there seem to be fragments of knowledge and experience in various threads suggesting things that might work and then often people saying that those things have not been successful for them and they've given up and used a 3rd party asset without analytics instead.

As it stands, developers most likely won't be aware of this issue until they try to submit an iOS kids app for review. Even the suggestion to disable Analytics at runtime for iOS kids apps would be a useful start - as far as I'm aware you only discover this by digging in the forums once you encounter the problem (apologies if this is not the case).

I say this with all the best motives. Unity is such a fantastic product and you guys do such a great job helping with people's issues.

 

@JeffDUnity3D Thanks so much - very helpful. I'll try today.
Just checking though, shouldn't I set Analytics.limitUserTracking = true rather than false? (based on https://docs.unity3d.com/ScriptReference/Analytics.Analytics-limitUserTracking.html ).

 

@JeffDUnity3D OK - so I tried the above - but I went a bit off piste and set Analytics.limitUserTracking = true (let me know if I should have left it as false).

As you predicted, I do get a call to ecommerce.iap.unity3d.com



One thing that may or may not be relevant:-
I inserted the disable analytics code on the Awake of the controller script of my first scene, but when I watched the logs in Xcode I get some UnityIAP activity before this code is executed.


Let me know if any more info/captures would help.

Oh also the IAP code doesn't work when Charles Proxy is being used - I'm guessing this is expected behaviour? When I disabled it all worked again.

Any ideas what the call to ecommerce.iap.unity3d.com is there for? I'm guessing this may be the kind of thing Apple would object to. Would it be classified as analytics? Any ideas what the call is for?

 

Ah no - I didn't add that package to my project. Should I have? I interpreted the document as saying that this step was just required for Android (to fiddle the manifest) - but I might have misunderstood. Maybe it does all sorts of things depending on your build? Should I include it for iOS and try again?

 

Ah, not quite. I think in the doc it says to use wildcard *.* which I thought I'd done. I'll go and check and add the more specific unity settings as in your settings file above too.

 

@JeffDUnity3D OK - here is the detail. I've obfuscated some of the details - let me know if that renders it useless.

Also it may be worth adding your great SSLSettings.png to the Charles Proxy instructions doc.

So it looks like it sends some sort of device id and user id. I guess this may be problematic for Apple's new review requirements for kids? It sounds like it might be classified as "personally identifiable information or device information" which was the reason given for rejection? But I don't know exactly what is allowed and what is forbidden.

 

@JeffDUnity3D thanks. Any idea how long before we're likely to get any response from the IAP team? Do they have any contact with Apple to clarify what is allowed?

 

@JeffDUnity3D OK. Many thanks for your help with this - much appreciated!

 

@JeffDUnity3D Just checking if there is any more info on this - or any idea when there may be.

Is the premise that what is being sent may be legitimate (and we'd need to present that argument to Apple on review), or is the aim to remove that call, or is there another way in code/config to suppress that call?

I've an app waiting to be resubmitted and would appreciate an update.

Many thanks!

 

@JeffDUnity3D thanks for the update. Sounds hopeful. So will the fix be a combination of ensuring you have analytics explicitly switched off in code (as you documented above) in combination with an updated Unity IAP package?

 

@JeffDUnity3D Hi there. Any idea of an ETA for the fix yet? I've an app that I really need to release. Many thanks!

 

Thanks for the update.
Does this mean via a dialogue with Apple? i.e. to determine exactly what data should be allowed to be sent (and maybe to then argue that what is being sent is ok, or maybe to argue that Unity analytics should not be classified as 3rd party).
Or is there an issue working out how/why/where the call is being made?

Should I be trying to argue the case, with Apple, for the legitimacy of the data being sent and try and get my app through review that way? The reviewer was pretty specific in the requirement that no "personally identifiable information or device information" should be sent to 3rd parties and I don't feel I have sufficient knowledge of what Unity Analytics is doing and why to make a strong case. On the face of it, using Charles Proxy to monitor the calls, it looks like this kind of prohibited data is being sent. Does this not happen in your tests? Maybe I'm not setting all the analytics off correctly?

I'm sure you'll appreciate just how frustrating this is. This has been rumbling on for some time (since before the original deadline was extended) and we still have no documented, proven way to actually release an iOS app for kids using Unity IAP.

 

Right - but has the call that we saw with deviceid and userid been removed? Maybe removing such calls would be enough. Wouldn't it be worth a try?
If these sorts of calls were not made (when analytics are switched off) I'd be able to answer "No" to the questions about analytics and advertising being in the app, which may be sufficient to pass review.
Do we know that the binary is being inspected, or is it supposition?

 

OK - thanks for clarifying and for all your work on this. Obviously, we really need this asap.

 

I've just seen Unity IAP 1.23.4 is released with the following change :-

### Removed
- Analytics - For publication to Kids Category on Google Play and Apple App Store, removed `SystemInfo.deviceUniqueIdentifier` collection and sharing with `ecommerce.iap.unity3d.com` server.

Great work! Thanks so much guys! I'll try submitting an update to Apple shortly.

 

@Jonsi, were you able to get the approval from Apple with this new updated IAP release?

Thanks

 

@MohHeader Sorry for the delayed response. The review process seemed to take a while for other spurious reasons. Not sure if I got super rigorous reviewers this time or what. But YES! I got notification this morning that our app has gone through review! I used the latest version of IAP and switched off analytics as described in the thread. Thanks again to the Unity folks (@JeffDUnity3D) for helping with this!