App Store rejection due to Firebase phone auth

Question

Our app uses Firebase phone auth. The App Store review has rejected the app due to pushes being required:

Guideline 4.5.4 - Design - Apple Sites and Services

We noticed that your app requires push notifications in order to function.

Specifically, we noticed if the Push Notifications setting was not enabled on our device, we encountered an error message after entering our phone number within the app.

Next Steps

Push notifications must be optional and must obtain the user's consent to be used within the app.

And they've also attached the screenshot that depicts Firebase error "Remote notifications and background fetching need to be set up for the app [...]"

Firebase documentation states that APNs notifications are absolutely required for phone auth to function:
https://firebase.google.com/docs/auth/ios/phone-auth

To use phone number authentication, your app must be able to receive APNs notifications from Firebase. When you sign in a user with their phone number for the first time on a device, Firebase Authentication sends a silent push notification to the device to verify that the phone number sign-in request comes from your app. (For this reason, phone number sign-in cannot be used on a simulator.)

However App Store review guidelines state that Push Notifications must not be required in order for the app to function: https://developer.apple.com/app-store/review/guidelines/

4.5.4 Push Notifications must not be required for the app to function, and should not be used for advertising, promotions, or direct marketing purposes or to send sensitive personal or confidential information.

Users need to sign in before they can use the app (the app is about sending digital GIF invitations to your guests and sharing photos), which is why Push Notifications are basically required for the app to function, if the sign in method is Firebase phone auth.

We have tested the app a lot, and the authentication works without a problem when push notifications are enabled (on real devices, both in distribution Ad Hoc builds with production environment and development builds with sandbox environment).

Come to think of it, how did App Review team even disable Push Notifications? The notification center setting does not stop actual pushes, it just doesn't display them. We have tested with this setting off, and firebase phone auth works fine, pushes are still coming through as expected.

I am very surprised with this issue, as Firebase is a huge service provider. Did anyone else encounter this issue? Are there plans to remove APNs requirement for phone auth? Is there maybe some other way to use Firebase phone auth without pushes?

Answer 1

Firebaser here. We have released an updated Firebase Auth SDK, 4.2.0, as Leetmory mentioned, which should hopefully resolve these issues going forward.

The issue was caused by the fact that the Firebase Auth SDK using APNs to validate the request - this is to minimize the risk of SMS spam abuse or similar. The validation uses a silent APNs notification, so doesn't require explicit user consent for iOS 8 and above. However, this still failed if APNs was completely disabled, as in this review case.

The 4.2.0 release introduced the facility to use a reCAPTCHA prompt inside an SFSafariViewController (or webview for older iOS) to prevent abuse if APNs isn't available. We don't expect this to happen very much, but it accounts for the unusual state encountered here. It also enables support for testing Firebase Phone Auth on the simulator!

You'll notice there is a new uiDelegate parameter on the verifyPhoneNumber method. In most cases you wont need to use this, but it is part of the fallback verification.

What you will need to do, if you haven't already, is add the REVERSED_CLIENT_ID (from the GoogleService-Info.plist ) as a custom URL scheme. This will allow the reCAPTCHA view to return validation to your app.

There is a gotchas to be aware of in the current version though:

1. In the callback from verifyPhoneNumber you'll need to redispatch to the main thread, using DispatchQueue.main.async {} - this will be fixed in the next version of Firebase Auth!

Other than that, things should work as normal! We definitely recommend supporting silent push where ever possible to ensure the best user experience.

For a full walk through, see the full Phone Auth developer guide .

Answer 2

UPD: Firebase 4.2.0 has rolled out, which fixes the issue. You will need to add your reverse-client-id which looks something like this: com.googleusercontent.apps.123456-abcdefg99 to URL schemes in your Info.plist, and you are set.

To find this value, open the GoogleService-Info.plist configuration file, and look for the REVERSED_CLIENT_ID key.

---

Firebase support has confirmed this bug and has given the response to this issue:

to me
Thank you for the detailed information Leet. This is indeed an odd situation, and our Phone Auth engineers are taking a look. I'll get back to you as soon as I have an answer.

Best,
Jeff

---

to me
Hi Leet,

Our engineers are working internally on a long-term fix for this, but in the meantime, would like to meet with you to see if we can figure out a workaround.

It appears that there is indeed a bug in Firebase phone auth / Firebase UI.

Answer 3

I contacted Firebase support and here's an excerpt:

In terms of the concern around users disabling push notifications - Disabling push notification for the app by the user does not normally prevent users from signing in using their phone number with Firebase Auth. Our requirement is that the app must set up and enable push notification, not the user. Regardless of if the user accepts or declines your app's push notification prompt phone auth will continue to work since we use silent pushes that don't require any action from the user.

I researched further and found that silent push notifications do indeed arrive to the device even when the user explicitly disables push notifications. To disable silent push notifications you would need to go to Settings -> Your App -> Background Refresh to disable it. See Is Silent Remote Notifications possible if user has disabled push for the app?

So you can tell the App Store Review team that your login will only work when Background Refresh is enabled. I don't believe this violates their terms.

EDIT

After some testing, it appears that phone auth can work when Background Refresh is disabled. However, it works for me because Firebase already has access to my APNS device token. I have found no way to disassociate my device token from Firebase - they provide no API for it. This unfortunately makes it impossible to test the scenario where a new user disables Background Refresh and Remote Notifications before doing the phone auth which I believe may be the cause of the error.

EDIT 2

I can confirm that on a fresh device with a fresh install of our app, if you disable Background Refresh then Firebase Phone Auth will not work. Once you enable it, it will work again.

The reason is that the SDK likely calls [[UIApplication sharedApplication] registerForRemoteNotifications] which is ignored by the system if a user manually disables the Background Refresh and Notifications settings.

Unfortunately there is no workaround until Firebase releases a new SDK which does not require APNs.