Is App Tracking Transparency required when displaying websites with a cookie policy within restricted browser APIs ASWebAuthenticationSession & SFSafariViewController

An iOS application of ours we develop for a client was recently rejected as it was claimed we violate Guideline 5.1.2.

The App Review team's justification was:

We noticed your app accesses web content you own where you collect cookies. Cookies may be used to track users, but you do not use App Tracking Transparency to request the user's permission before collecting data used to track.

The App Review team included a screenshot of our client's website which they had navigated to via a button found in our client's SSO login flow. Their main website has a cookie policy which seems to be the cause of the rejection.

Clearly our client's main website should not be accessible via their SSO login flow but this opens a wider question and concerns from our client.

We open the SSO login flow within an ephemeral ASWebAuthenticationSession. The documentation of which states:

Set prefersEphemeralWebBrowserSession to true to request that the browser doesn’t share cookies or other browsing data between the authentication session and the user’s normal browser session.

https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession/3237231-prefersephemeralwebbrowsersessio

We interpret that and the fact that there is no API on ASWebAuthentication to extract cookies from it into the hosting iOS app to mean that we do not store cookies in our iOS app and are therefore not in violation of Guideline 5.1.2.

We also assume the same thing applies to SFSafariViewController (which we also use to sometimes display pages from our client's website which, to reiterate, has a cookie policy). Its documentation states:

The user's activity and interaction with SFSafariViewController are not visible to your app, which cannot access AutoFill data, browsing history, or website data

https://developer.apple.com/documentation/safariservices/sfsafariviewcontroller

After having read the documentation we see no reason why accessing a website with a cookie policy within either an ephemeral ASWebAuthenticationSession or an SFSafariViewController would warrant the hosting app to include App Tracking Transparency. I am assuming that due to the nature of these APIs (as they do not give cookie access to the hosting app) that they are exempt.

Could someone please either:

  1. Provide documentation that states if an ephemeral ASWebAuthenticationSession or an SFSafariViewController accesses a website with a cookie policy App Tracking Transparency is required.

or

  2. Confirm that we are not in violation of Guideline 5.1.2 and we should appeal the rejection.

Many thanks

Hey Thomas

Did you get an answer from Apple? We share a similar predicament, where there is no API on ASWebAuthentication to extract cookies from the iOS app and would not be in violation of Guideline 5.1.2.

No response received on this from Apple, instead we fixed our issue where it was possible to open the company website from within the ASWebAuthenticationSession.

Honestly my anecdotal experience so far is that if someone from the App Review team sees the word "Cookies" then they will instantly reject the app without considering context or technology.
