by tylerhou 2137 days ago
This is a non-story.

In most cases, there is no point asking for a phone number as 2FA if the user chooses Sign in with Apple (SIWA).

SIWA requires access to the device. App credentials are usually persisted per device, so 2FA doesn't really help if your device is stolen, as the attacker would have app access anyway (if they were able to unlock the device). Even for non-Apple-device sign-ins such as on Android or Windows, SIWA requires device access to generate a password, which requires 2FA on the Apple account [1].

Uber is allowed to ask for a phone number because a driver legitimately may need to contact a customer to arrange pickup. But in this case, Apple does not think that this app requires a phone number, and is thus protecting the privacy of its customers.

There are other issues I have with Apple's ecosystem/the App Store, but this is not one of them.

EDIT: After posting this comment OP has written in another comment that their app requires a phone number to arrange delivery. This information was not in the original tweet. In that case, I think this is likely a misunderstanding between the App Store reviewers and OP about how the phone number would be used, and I would need to see further discussion between those two before declaring Apple a bully in this case.

[1] https://support.apple.com/en-us/HT204397


We ask for a phone number for the same reason Uber does: our masters need to contact the user to be able to deliver the service. Explaining this to Apple took a week of back and forth, and only lasted for one submission.
What does the sign in flow look like? Does the phone number screen clearly inform the user that their phone number will only be used to arrange delivery?
It says "We need your phone number for our masters to be able to contact you".

Would you recommend making it clearer in some way?

Note that I don't have much experience working with Apple's approval process, and am just speaking as a lay user here.

In that sentence, "contact" can mean many different things. Will you contact me by text for non-urgent things like billing or promotions? As a user, I don't want to give up my phone number for promotions. And since the request comes right after the sign-in flow, I think it's reasonable that Apple thinks "contact" could also mean 2FA.

I would use more precise language, such as: "Our masters may need to contact you in order to arrange delivery of X service."

Also, the fact that Apple did approve your app already is further evidence that this is just a misunderstanding, likely because your copy is not 100% clear.

(Sidenote: This is not important, but personally, the term "master" makes me uncomfortable. I personally would not call people "masters," but I also don't know your target market, so the term may be more appropriate in that context.)

Thanks for the advice. Yes, our target market isn't English-speaking, so some things might be the result of a bad translation.