We had a recently developed app rejected by Apple. Here is their explanation:
We found your app does not obtain user consent before collecting the user's personal data, as required by theApp Store Review Guidelines.
Specifically, your applications sends the device's MAC address without the user's permission. Your app also sends device Contact information without the user's permission.
To collect personal data with your app, you must make it clear to the user that their personal data will be uploaded to your server and you must obtain the user's consent before the data is uploaded.
iOS 6 includes new keys for specifying the reason the app will access the user's protected data. When the access prompt is displayed, the purpose specified in these keys is displayed in that dialog box. If your application will be transmitting protected user data, the usage string in your access request should clearly inform the user that their data will be uploaded to your server if they consent.
For more information on these keys, please see the Information Property List Key Reference.
We are using the RubyMotion toolchain, and not accessing the MAC address anywhere in our app. We think it may be one of the SDK's or gems we are using.
Gemfile:
source :rubygems
gem 'bubble-wrap', :git => 'https://github.com/rubymotion/BubbleWrap.git'
gem 'teacup'
gem 'rake'
gem "cocoapods", "0.13.0"
gem 'motion-cocoapods', "1.1.0"
gem 'motion-testflight'
gem 'motion-table'
gem "Parsistence"
gem 'formotion'
gem "ProMotion"
gem "motion-addressbook"
The only external api calls are to Parse.com and to testflight, as we are using both of these SDK's.
Parse said that they do not collect the MAC address, and Testflight doesn't unless you specifically do so.
We are also using these Cocoa pods:
'NSData+MD5Digest'
'MBProgressHUD'
'ASIHTTPRequest'
'PHFRefreshControl'
'JSONKit'
Question: Do any of these gems or Cocoapods call for the MAC address?
I'd imagine test flight or Parse could have the ability to retrieve the MAC address and even if they don't send it Apple is probably just seeing that they are accessing and sending something. I assume this because it would be really bad if any of these libraries are sending an unencrypted version of the MAC address over network so maybe Apple can just see the accessing of it. Are you by any chance using an advertising network in your app?