A missing NSHealthShareUsageDescription in Info.plist does not cause rejection — it causes a runtime crash the moment the app requests HealthKit permission on a user's device. This crash reaches production users if it somehow passes App Store review (possible if reviewers don't trigger the health flow). Under HIPAA §164.502 and GDPR Art. 13, health data has the highest protection tier; collecting it without a documented privacy policy describing the data type, purpose, and sharing parties exposes the developer to regulatory action by HHS (US) or a supervisory authority (EU), with fines up to 4% of global annual turnover under GDPR.
Medium because the failure causes a confirmed runtime crash on health permission request and creates HIPAA/GDPR regulatory exposure for sensitive health data collection.
Add both HealthKit usage strings to ios/[AppName]/Info.plist before submission:
<key>NSHealthShareUsageDescription</key>
<string>This app reads your step count to calculate personalized activity goals.</string>
<key>NSHealthUpdateUsageDescription</key>
<string>This app saves your workout sessions to help you track fitness progress.</string>
For Expo, configure in app.json under expo.ios.infoPlist. Ensure the privacy policy reachable from your store listing explicitly describes what health data types are collected, why they are collected, whether they are shared with third parties, and how users can request deletion. Complete the App Store Connect privacy nutrition label's health data section before uploading the binary.
app-store-metadata-listing.compliance-declarations.health-disclosuremediumNSHealthShareUsageDescription or NSHealthUpdateUsageDescription in ios/[AppName]/Info.plist or app.json's expo.ios.infoPlist; imports of HealthKit in Swift/Objective-C source; react-native-health or expo-health in package.json; health_kit in Flutter's pubspec.yaml. For Android Health Connect: android.permission.health.* permissions in AndroidManifest.xml. If health integration is detected, verify: (a) the app's privacy policy URL is present in the store metadata or app.json (expo.privacy), (b) the privacy policy explicitly mentions health data collection and sharing practices, (c) for iOS, the app's App Store Connect privacy nutrition label (health data section) has been completed — this cannot be verified from the codebase alone but check for any documentation noting it has been done, (d) for Google Play, any app using Health Connect must complete a Data Safety section declaration including health data types. Count all instances found and enumerate each.NSHealthShareUsageDescription or equivalent usage strings are missing; health integration exists but no privacy policy URL is configured anywhere in the project.NSHealthShareUsageDescription, no Health Connect permissions, and no health-related libraries detected."react-native-health detected in package.json but NSHealthShareUsageDescription is missing from ios/MyApp/Info.plist — iOS will crash at runtime when requesting health permissions".ios/[AppName]/Info.plist:
<key>NSHealthShareUsageDescription</key>
<string>This app reads your step count to personalize your fitness goals.</string>
<key>NSHealthUpdateUsageDescription</key>
<string>This app saves your workout data to help you track progress over time.</string>
app.json for Expo:
"ios": { "infoPlist": { "NSHealthShareUsageDescription": "..." } }