We are developing a mobile app for our financial institution using React Native. As part of our fraud prevention measures, we need to determine the country a user is located in. However, we have noticed that the permission requests seem excessive for our requirements, especially since we only need this information if a user changes countries. Also, is there a way to only be notified when a user changes countries? Our primary goal is to identify the user's country without requesting unnecessary permissions or compromising the user experience. We want to avoid requesting location permissions if possible, as it may raise concerns among our users. What are the best practices and recommended approaches for financial institutions to determine a user's country in a React Native app, while minimizing the use of sensitive permissions? Are there any iOS-specific APIs, frameworks, or third-party libraries that can help us achieve this in a privacy-friendly manner? We would greatly appreciate any guidance, insights, or examples from the developer community to help us strike the right balance between security and user privacy. Thank you in advance for your assistance!

・Xcode 15.1 ・The app is also compatible with Watch. In the privacy manifest, we defined NSPrivacyTracking to YES and NSPrivacyTrackingDomains to specific domains. Furthermore, to avoid warnings when uploading to Testflight, we have implemented a privacy manifest file in the app with the following configuration. ・Place the .xcprivacy files for the app itself and WatchExtension under their respective Target directories. ・Settings related to tracking domains are listed in .xcprivacy of the app itself. ・In .xcprivacy of WatchExtension, only describe the reason for UserDefault of NSPrivacyAccessedAPIType However, these implementations do not block network connections, "Fault" still occurs on "Point of Intereset instruments". Is there something wrong with my implementation?

Hello community, This is my first application that I try to publish, however my app has been rejected several times due to issues with the "purpose strings". I have already made several modifications to the texts but even so the app continues to be rejected, add the permissions in the infoPlist and texts, but they keep rejecting me, could someone advise me to comply with this requirement and publish my app. Apple sends me these comments Issue Description One or more purpose strings in the app do not sufficiently explain the use of protected resources. Purpose strings must clearly and completely describe the app's use of data and, in most cases, provide an example of how the data will be used. Examples of unclear purpose strings: "App would like to access your Contacts" "App needs microphone access" Next Steps Update the location and AppTrackingTransparency framework purpose string to explain how the app will use the requested information and provide an example of how the data will be used. See the attached screenshot. Thanks !!!

We have a question about tracking domains: If we found a tracking domain in our app（eg."example.tracking.com"）, but not put it into the PrivacyInfo.xcprivacy -> tracking domain list (refer to https://developer.apple.com/documentation/bundleresources/privacy_manifest_files), will iOS auto block the connection of this domain even when the tracking permission is granted? At the current time, the answer seems to be NO, but we are not sure about the situation in the future. Add this is the test result: tracking domains added + tracking permission granted -> not blocked tracking domains added + tracking permission not granted -> blocked tracking domains not added + tracking permission granted -> not blocked tracking domains not added + tracking permission not granted -> not blocked So it there any suggestion about the question? Thanks!

Hello, we have noticed a change in the last few weeks in how Mail Privacy Protection (MPP) is operating. Specifically, MPP pre-caches images within email newsletters that are protected via Private Relay. The end result of the pre-cacheing is that every image in the newsletter is retrieved from our servers even if the user does not open the newsletter. This has been in place since '21. What we've noticed in the last month or so, is that the amount of pre-cacheing has dropped significantly, on the order of 20-25%. We can compare this with newsletters opened in non-MPP environments to know that email sends are consistent, it is only that pre-cached events seem to have changed. Does anyone know of any changes to the logic of Private Relay / MPP that would impact how it is pre-caching data from email newsletters? Thank you.

ISSUE: In our code we are using the ImageTrackingProvider and ARKit similarly with the code provided from Apple documentation: https://developer.apple.com/documentation/visionos/tracking-images-in-3d-space However, when the application runs and we move the image in real space, the Image Tracking Provider send updates with a very low rate (about one frame per sec!) on the real Vision Pro device (please see the attached video). According to WWDC2023 (https://developer.apple.com/videos/play/wwdc2023/10091) the image anchors are updated as soon as they are available automatically by the system and they are not depended from camera frame rates. Therefore, why this is happening? We tried also to create an ImageAnchor by using the Reality Composer Pro in order to build a scene with it and check if we could have better tracking speed and updates. However, we found that Reality Composer Pro does not support image anchors like its predecessor Reality Composer! We also created the ImageAnchor on a Reality Composer Project and we tried to import the reality project / scene to out visionOS app. However, when the app builds we take an incompatibility message: “RealityKitContent - Tool terminated by signal 'Bus error: 10’ ” Other Reality Composer Projects that do not have image anchors are imported without any problems! We also tried to find if there is a frame rate setting on the real Vision Pro device (for reasons of battery saver), but we couldn’t find any. Finally, we tried to change asynchronous Tasks to synchronous in our code, but this couldn’t solve the problem. As the image detection and tracking in our code runs perfectly on iOS devices, and we want to build our apps to pure immersive space visionOS projects, what else can we do to have the same efficiency and performance like iOS?

Hi Everybody, I would like to see the feature, that allows us to limit the access for selected apps to get access to our Contacts. Especially apps like WhatsApp cannot be trusted, in my opinion, so I would love to see the possibility to prevent, that they just analyse our full Contact book and sell the data. With a limited access feature, we can at least decide, which information we wanna share with suspicious companys. What do you think and how could we reach the developers attention to get this with the next major update. Greetings from Europe

In my device (iOS 17.4.1) settings, allowing apps to request tracking is enabled. Here is my request code: if (@available(iOS 14, *)) { ATTrackingManagerAuthorizationStatus attStatus = [ATTrackingManager trackingAuthorizationStatus]; if(attStatus == ATTrackingManagerAuthorizationStatusNotDetermined){ [ATTrackingManager requestTrackingAuthorizationWithCompletionHandler:^(ATTrackingManagerAuthorizationStatus status) { if (status == ATTrackingManagerAuthorizationStatusAuthorized) { NSLog(@"iOS14, ATT enabled"); [FBAdSettings setAdvertiserTrackingEnabled:YES]; NSLog(@"iOS14, ATT enabled, FBAdSettings setAdvertiserTrackingEnabled:YES successed"); } else if (status == ATTrackingManagerAuthorizationStatusDenied) { NSLog(@"iOS14, ATT disabled"); [FBAdSettings setAdvertiserTrackingEnabled:NO]; NSLog(@"iOS14, ATT disabled, FBAdSettings setAdvertiserTrackingEnabled:NO successed"); } UnitySendMessage("StoreKitListener", "OnRequestATTPermissionFinished", [[NSString stringWithFormat:@"%d", (int)status] cStringUsingEncoding:NSUTF8StringEncoding]); }]; } } else { UnitySendMessage("StoreKitListener", "OnRequestATTPermissionFinished", [[NSString stringWithFormat:@"%d", 3] cStringUsingEncoding:NSUTF8StringEncoding]); } When attStatus == ATTrackingManagerAuthorizationStatusNotDetermined, requestTrackingAuthorizationWithCompletionHandler will be called. Afterwards, status == ATTrackingManagerAuthorizationStatusDenied is received, and at the same time, I can see the permission request popup.

`import UIKit import AppTrackingTransparency func requestDFA(){ if #available(iOS 14, *){ ATTrackingManager.requestTrackingAuthorization { status in switch status { case .authorized: // 用户已授权跟踪 print("Tracking authorization status: authorized") case .denied: // 用户拒绝跟踪 print("Tracking authorization status: denied") case .notDetermined: // 用户尚未做出选择 print("Tracking authorization status: not determined") case .restricted: // 跟踪受限，例如在家长控制设置下 print("Tracking authorization status: restricted") default: print("Tracking authorization status: unknown") } } } } @main class AppDelegate: UIResponder, UIApplicationDelegate { func application(_ application: UIApplication, didFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey: Any]?) -> Bool { // Override point for customization after application launch. requestDFA() return true } // MARK: UISceneSession Lifecyclez func application(_ application: UIApplication, configurationForConnecting connectingSceneSession: UISceneSession, options: UIScene.ConnectionOptions) -> UISceneConfiguration { // Called when a new scene session is being created. // Use this method to select a configuration to create the new scene with. return UISceneConfiguration(name: "Default Configuration", sessionRole: connectingSceneSession.role) } func application(_ application: UIApplication, didDiscardSceneSessions sceneSessions: Set) { // Called when the user discards a scene session. // If any sessions were discarded while the application was not running, this will be called shortly after application:didFinishLaunchingWithOptions. // Use this method to release any resources that were specific to the discarded scenes, as they will not return. } }`

Hello, when I'm asking for the ATT permission don't wait for the user response. I doesn't matter which approach use never waits for user answer. Using xcode 15.2 on iOS 17.4 simulators, versions before like iOS 17.2 works without any issue. Task { self.resultStatus = await ATTrackingManager.requestTrackingAuthorization() completion() } } ATTrackingManager.requestTrackingAuthorization(completionHandler: { status in self.resultStatus = status completion() }) }

As title, i tried to get tracking domain by Network instruments, but it shows Call os_log APIs on a logging handle network instruments. Anyone know how can i log the domain. Thanks

Because the latest privacy manifest file requires inclusion for submissions after May 1st, based on the document: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files I have two questions regarding the NSPrivacyTrackingDomains field: In my app, NSPrivacyTrackingDomains and regular user login registration data loading use the same second-level domain "myapp.com". If "tracking.myapp.com" is specified in NSPrivacyTrackingDomains but the user does not grant tracking permission to the App Tracking Transparency framework, can the app still access the network through third-level domains such as "login.myapp.com" or "data.myapp.com"? At the bottom of the document, there is a note: "You only need to supply NSPrivacyAccessedAPITypes for apps and third-party SDKs on iOS, iPadOS, tvOS, visionOS, and watchOS." Does this mean that NSPrivacyTrackingDomains and NSPrivacyTracking properties do not need to be filled out as of May 1st? Will there be any issues if they are not filled out? Eagerly awaiting your response! Thanks!!!

Hello, Currently, my app only uses web view to load HTML data and external safari web view by link click. I have seen the following developer's details. So if HTML data load on web view needs data collection enabled, then which Types of data need to be added to data collection? Also. if we disable all types of Data collection from privacy. Is apple will allow you to submit the app? or Reject it? Any help will be appreciated. Thanks

Hi everybody i'm developing an app that shows events of an estate. i fetch the events from an endpoint and show them in a calendar like UI. The app it's pretty simple, just 2 endpoints and a few filters. We have 6 hyperlinks some pointing to the institutional website, some others to a platform my customer use to allow users to book rooms from his estate. The app does not collect any kind of cookies, there's no login or anything like that BUT a few version ago the app store connect blocked my app due to the absence of the tracking request within the links. the institutional website collect cookies and have his own banner and acceptance flow, i tried to explain that to the review team but they demanded me to add the request, so i did that and the app was accepted. Now i'm being rejected because of the tracking request because: _The app still appears to manipulate users into enabling tracking across different apps and websites. Specifically: The app still requires users to enable tracking in order to access the app's content and functionality, such as reserving a table. Users should have control over how their personal information is used and should not be forced or manipulated into enabling tracking._ I cant understand what should i doat this point, i've asked for info but the review team refuses to explain what steps do i need to take

Being a software company we create and distribute an iOS SDK with our customers world wide. The distribution of the software is in the form of a static library / XCFramework to our customers. They will integrate the SDK and use it to collect data from their hosting as first party. As Apple enforced through this article “Describing use of required reason API” - “starting from Fall 2023 you’ll receive an email from Apple if you upload an app to App Store Connect that uses required reason API without describing the reason in its privacy manifest file”. We are using "NSUserDefaults” in our SDK which is one among the required API listed, and as of now we didn’t create a Privacy manifest file and declared this on the SDK. We tried uploading our app to the Appstore connect portal, as we are not complying with the requirement from Apple we expect to see the warning message. Currently we are unknown about the impact of not having the Privacy manifest, and we would like to test the scenarios and make sure we are declaring the correct information on our SDK. Please could you review this and let us know why we are not receiving the emails. Or is that Apple didn’t harden the uploads yet and something planned for future date?

Environment: Xcode Version: 15.3 (15E204a) SDK Runtime: iOS 17.4 (17.4 - 21E213) - com.apple.CoreSimulator.SimRuntime.iOS-17-4 Issue: When calling requestTrackingAuthorization of ATTrackingManager, the completionHandler is immediately called with a value of notDetermined. This behavior is consistent even with async methods used in Runtime 14.0 and above.

In the "Privacy updates for App Store submissions" section, the addition of a privacy manifest file is required for app releases after May 1. We added a subdomain and defined it in NSPrivacyTrackingDomains, but when we separate the subdomain and main domain as "tracking.example.com" when ATT is allowed and "example.com" when ATT is not allowed would the communication on the main domain not result in an error? I couldn't figure it out exactly from the documentation or the session, so please let me confirm. Documentation: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files Session (domain definition): https://developer.apple.com/videos/play/wwdc2023/10060/?time=387

In the "Privacy updates for App Store submissions" section, the addition of a privacy manifest file is required for app releases after May 1. We added a subdomain and defined it in NSPrivacyTrackingDomains, but when we separate the subdomain and main domain as "tracking.example.com" when ATT is allowed and "example.com" when ATT is not allowed would the communication on the main domain not result in an error? I couldn't figure it out exactly from the documentation or the session, so please let me confirm. Documentation: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files Session (domain definition): https://developer.apple.com/videos/play/wwdc2023/10060/?time=387

I work with bloggers who write reviews about my app. I would like to track sales that originate on specific sites so I can pay them commissions, like an affiliate program. For example, if a person discovers our app by reading a review, I would like to give the blogger a URL to the App Store a UTM code so that I can track if the article generates sales of my app. if there is a 3rd party affiliate program management platform or software to do this, I might be open to using it. i’ve tried searching the web and other developers about this. It should be simple but it’s elusive if it’s out there at all.

I have an app that is meant for the kids category. It has been rejected based on non-compliance with 1.3 Kids Category "Kids Category apps may not send personally identifiable information or device information to third parties. Apps in the Kids Category should not include third-party analytics or third-party advertising". We have implemented Firebase analytics in our application. Is there any solution that we can implement for Firebase analytics in iOS kids application?