Health and fitness features are disclosed if HealthKit or Health Connect is used
Why it matters
A missing NSHealthShareUsageDescription in Info.plist does not cause rejection — it causes a runtime crash the moment the app requests HealthKit permission on a user's device. This crash reaches production users if it somehow passes App Store review (possible if reviewers don't trigger the health flow). Under HIPAA §164.502 and GDPR Art. 13, health data has the highest protection tier; collecting it without a documented privacy policy describing the data type, purpose, and sharing parties exposes the developer to regulatory action by HHS (US) or a supervisory authority (EU), with fines up to 4% of global annual turnover under GDPR.
Severity rationale
Medium because the failure causes a confirmed runtime crash on health permission request and creates HIPAA/GDPR regulatory exposure for sensitive health data collection.
Remediation
Add both HealthKit usage strings to ios/[AppName]/Info.plist before submission:
<key>NSHealthShareUsageDescription</key>
<string>This app reads your step count to calculate personalized activity goals.</string>
<key>NSHealthUpdateUsageDescription</key>
<string>This app saves your workout sessions to help you track fitness progress.</string>
For Expo, configure in app.json under expo.ios.infoPlist. Ensure the privacy policy reachable from your store listing explicitly describes what health data types are collected, why they are collected, whether they are shared with third parties, and how users can request deletion. Complete the App Store Connect privacy nutrition label's health data section before uploading the binary.
Detection
- ID: health-disclosure
- Severity: medium
- What to look for: Check for HealthKit integration in iOS: NSHealthShareUsageDescription or NSHealthUpdateUsageDescription in ios/[AppName]/Info.plist or app.json's expo.ios.infoPlist; imports of HealthKit in Swift/Objective-C source; react-native-health or expo-health in package.json; health_kit in Flutter's pubspec.yaml. For Android Health Connect: android.permission.health.* permissions in AndroidManifest.xml. If health integration is detected, verify: (a) the app's privacy policy URL is present in the store metadata or app.json (expo.privacy), (b) the privacy policy explicitly mentions health data collection and sharing practices, (c) for iOS, the app's App Store Connect privacy nutrition label (health data section) has been completed — this cannot be verified from the codebase alone, but check for any documentation noting it has been done, (d) for Google Play, any app using Health Connect must complete a Data Safety section declaration including health data types. Count all instances found and enumerate each.
- Pass criteria: Health integration is present and usage description strings are correctly included; or no health integration is detected. At least 1 implementation must be confirmed.
- Fail criteria: HealthKit entitlements or Health Connect permissions are declared but NSHealthShareUsageDescription or equivalent usage strings are missing; health integration exists but no privacy policy URL is configured anywhere in the project.
- Skip (N/A) when: No HealthKit entitlements, no NSHealthShareUsageDescription, no Health Connect permissions, and no health-related libraries detected.
- Detail on fail: "react-native-health detected in package.json but NSHealthShareUsageDescription is missing from ios/MyApp/Info.plist — iOS will crash at runtime when requesting health permissions"
- Remediation: Missing health usage strings cause a runtime crash, not just a rejection. This is one of the few issues that crashes the app in production if it passes review.
  - Add to ios/[AppName]/Info.plist:
    <key>NSHealthShareUsageDescription</key>
    <string>This app reads your step count to personalize your fitness goals.</string>
    <key>NSHealthUpdateUsageDescription</key>
    <string>This app saves your workout data to help you track progress over time.</string>
  - Or in app.json for Expo: "ios": { "infoPlist": { "NSHealthShareUsageDescription": "..." } }
  - Ensure your privacy policy describes exactly what health data is collected, why, and who it is shared with
  - Complete the App Store Connect privacy nutrition label's health data section before submission
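As an added example (not part of this rule page or any tooling it describes), the checker below applies the detection logic above to an in-memory project snapshot: it enumerates health integration signals, checks for the iOS usage strings in Info.plist or expo.ios.infoPlist, checks for a privacy policy entry as the rule words it (expo.privacy), and returns pass, fail or skip with a detail string. The file-path patterns, regexes and the sample project contents are constructed assumptions.

```python
import json
import re
# Signals from the rule's "what to look for" list as (path regex, content regex); the regexes are this example's own.
HEALTH_SIGNALS = [
    (r"package\.json$", r'"(react-native-health|expo-health)"'),
    (r"app\.json$", r'"NSHealth(Share|Update)UsageDescription"'),
    (r"pubspec\.yaml$", r"^\s*health_kit\s*:"),
    (r"\.(swift|m|mm)$", r"^\s*(import|@import|#import)\s*<?HealthKit"),
    (r"Info\.plist$", r"<key>NSHealth(Share|Update)UsageDescription</key>"),
    (r"AndroidManifest\.xml$", r"android\.permission\.health\."),
]
USAGE_KEYS = ("NSHealthShareUsageDescription", "NSHealthUpdateUsageDescription")
def find_health_integration(files):
    """Enumerate every (path, pattern) pair that indicates health integration."""
    return [(path, pat) for path, text in files.items()
            for path_re, pat in HEALTH_SIGNALS
            if re.search(path_re, path) and re.search(pat, text, re.M)]
def ios_usage_strings(files):
    """HealthKit usage keys present in Info.plist or in Expo's expo.ios.infoPlist."""
    found = set()
    for path, text in files.items():
        if path.endswith("Info.plist"):
            found |= {k for k in USAGE_KEYS if f"<key>{k}</key>" in text}
        elif path.endswith("app.json"):
            plist = json.loads(text).get("expo", {}).get("ios", {}).get("infoPlist", {})
            found |= {k for k in USAGE_KEYS if plist.get(k)}
    return found
def evaluate(files):
    """Return (status, detail) following the rule's pass / fail / skip criteria."""
    hits = find_health_integration(files)
    if not hits:
        return "skip", "no HealthKit or Health Connect integration detected"
    problems = []
    ios_hits = [p for p, _ in hits if not p.endswith("AndroidManifest.xml")]
    if ios_hits and "NSHealthShareUsageDescription" not in ios_usage_strings(files):
        problems.append(f"health integration in {ios_hits[0]} but NSHealthShareUsageDescription "
                        "is missing from Info.plist/app.json (runtime crash on permission request)")
    app = files.get("app.json")
    if not (app and json.loads(app).get("expo", {}).get("privacy")):
        problems.append("no privacy policy URL (expo.privacy) configured in app.json")
    return ("fail", "; ".join(problems)) if problems else (
        "pass", f"{len(hits)} health integration signal(s) found with usage strings present")
# Constructed sample project: react-native-health is declared but no usage strings exist.
BROKEN_PROJECT = {
    "package.json": '{"dependencies": {"react-native-health": "^1.0.0"}}',
    "ios/MyApp/Info.plist": "<plist><dict><key>CFBundleName</key><string>MyApp</string></dict></plist>",
    "app.json": '{"expo": {"ios": {"infoPlist": {}}}}',
}
```

Running evaluate(BROKEN_PROJECT) yields a fail whose detail mirrors the rule's "Detail on fail" wording; adding both usage keys and an expo.privacy entry turns it into a pass.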
External references
- hipaa · §164.502 — HIPAA Privacy Rule — Uses and Disclosures of Protected Health Information
- gdpr · Art. 13 — GDPR Article 13 — Information to be provided where personal data are collected from the data subject
- external · apple-healthkit-guidelines — Apple App Review Guideline 5.1.3 — Health & Health Research
Taxons
History
- 2026-04-18·v1.0.0·Initial import from app-store-metadata-listing·automated