App Tracking Transparency

RSS for tag

Request user permission to access user data for tracking a user or device.

Posts under App Tracking Transparency tag

74 Posts
Sort by:

Post

Replies

Boosts

Views

Activity

API requests being blocked by ITP
We develop an SDK that requires sharing a device-specific identifier with our web API, in order to guarantee that certain artifacts are only used on the correct device. For the device-specific identifier, we use UIDevice.currentDevice.identifierForVendor which should not be restricted under ATT. In production, many developers are getting back to us with complaints of web requests being blocked: nw_endpoint_handler_path_change [C1 [our url]:443 waiting parent-flow (satisfied (Path is satisfied), interface: en0[802.11], ipv4, dns, uses wifi)] blocked tracker Connection 1: received failure notification Connection 1: failed to connect 1:50, reason -1 Connection 1: encountered error(1:50) Task <FA03088C-DDFC-437E-A06F-E05CC930E3E0>.<1> HTTP load failed, 0/0 bytes (error code: -1009 [1:50]) Task <FA03088C-DDFC-437E-A06F-E05CC930E3E0>.<1> finished with error [-1009] Error Domain=NSURLErrorDomain Code=-1009 "The Internet connection appears to be offline." UserInfo={_kCFStreamErrorCodeKey=50, NSUnderlyingError=0x3031118f0 {Error Domain=kCFErrorDomainCFNetwork Code=-1009 "(null)" UserInfo={_NSURLErrorBlockedTrackerFailureKey=true, _kCFStreamErrorDomainKey=1, _kCFStreamErrorCodeKey=50, _NSURLErrorNWPathKey=satisfied (Path is satisfied), interface: en0[802.11], ipv4, dns, uses wifi}}, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <FA03088C-DDFC-437E-A06F-E05CC930E3E0>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=( "LocalDataTask <FA03088C-DDFC-437E-A06F-E05CC930E3E0>.<1>" ), NSLocalizedDescription=The Internet connection appears to be offline., NSErrorFailingURLStringKey=..., NSErrorFailingURLKey=..., _kCFStreamErrorDomainKey=1} Interestingly, I've made a few observations: The blacklist seems to be persistent, across devices. The blacklist stays in place regardless of whether we send no identifiable data in the web request (in fact, an empty ping request to our URL still gets blocked) The only way to get past the block is to use ATT, and request from the user that we track them across websites. This is false, because we don't track any user data whatsoever; and iOS disables ATT by default (in the settings app, users have to opt-in). Our iOS SDK already has an xcprivacy manifest mentioning the fact that we use a device-specific identifier, and that we send it to our web API URL. Still, we get blocked. How can we fix this? We can standup a proxy URL but I'd imagine it's only a matter of time before that also gets blocked. Apple has not provided any guidance on the specifics of how domains get blocked, and how they can be unblocked.
1
3
595
Jun ’24
Facebook SDK and ATT
In order to have ads on Meta that link to the App Store directly (instead of to a website) Meta requires that I install the FB SDK. Now: Apple requires an ATT permission popup if a user is being tracked. I've installed the SDK but turned all tracking off by default (so it behaves as though the user said "no" to the ATT popup) and it's still not passing review. Any ideas as to what I could try next?
0
0
474
Jun ’24
Guideline 5.1.2(i) - Legal - Privacy - Data Use and Sharing
Apple is continuously replying this to my app The app appears to manipulate users into enabling tracking across different apps and websites. Specifically: The app requires users to enable tracking in order to access the app's content and functionality. Users should have control over how their personal information is used and should not be forced or manipulated into enabling tracking. Next Steps Take the following step(s) to resolve this issue: Revise the app so that users are not required to enable tracking in order to access the app's content and functionality. Resources Learn more about these requirements in guideline 5.1.2. iOS App 1.0App Version Rejection Reasons: 5.1.2 Legal: Privacy - Data Use and Sharing My login function is dependent on advertising id and advertising id can be achieved through tracking, what to do for my case? We aren’t taking advertising id for ads purpose or unlawful acts. Advertising id is solely taken to get us know that user is using same older device he used for last successful login. We need two unique identifier: keychain uuid used advertising id how to get this thing approved from Apple? I tried to reply the message and requested phone call but no response.
1
0
603
Jun ’24
Guideline 5.1.1 - Legal - Privacy - Data Collection and Storage
Hi, I have an issue with App submission. My flow is: show third party cookie consent banner (is an external SDK) show ATT Apple with this message "Allowing tracking will enable more personalized ads for you." Apple says this: You collect data to track after the user selects "Ask App Not to Track" on the App Tracking Transparency permission request. Specifically, we noticed the app accesses web content you own and collects cookies for tracking after the user asked you not to track them. Next Steps To resolve this issue, please revise the app so that you do not collect data for tracking purposes if the user does not give permission for tracking. Alternatively, if you do not collect cookies for tracking purposes, revise the cookie prompts that appear in the app to clarify you do not track users. in the rejection they put the ATT alert and the third party banner as the screen Do you have any input on this as Apple never says things clearly about what the problem is. Thank you
3
0
812
Jun ’24
Implemented App Tracking Transparency but don't see permission requests on your device
I created an app that implements Google AdMob banner ads. I have implemented App Tracking Transparency, but I don't see permission requests on devices running the latest operating system (iOS17.4). We have already taken the following measures. AdMob banner ads are displayed instead of permission requests. Setting Info.plist NSUserTrackingUsageDescription Used to display relevant ads to the user. App initialization timing I call it in ContentView's onAppear so that it is called immediately when the app starts. Check the settings of the actual machine In the iOS device settings, go to "Settings" > "Privacy" > "Tracking" and enable tracking. We apologize for the inconvenience and appreciate your guidance.
1
0
672
May ’24
Gender Options and Data Collection for Vaccine Tracker App
Hello everyone, I'm currently working on implementing a vaccine tracker and reminder feature for an application. As part of this feature, I plan to collect basic information about babies from their parents, such as name, gender, and date of birth, in order to create personalized profile cards and assist in tracking vaccinations. My question is regarding the gender field: Is it acceptable to ask for only 'male' or 'female' as options, or should I include other gender options as well to ensure inclusivity? Additionally, considering that I'll be asking for gender and date of birth, I'm concerned about potential rejection of the app build by Apple. Can anyone provide insight into whether this could be an issue? Thank you for your help and guidance!
0
0
393
Apr ’24
Best practices for determining a user's country in a React Native financial app for fraud prevention
We are developing a mobile app for our financial institution using React Native. As part of our fraud prevention measures, we need to determine the country a user is located in. However, we have noticed that the permission requests seem excessive for our requirements, especially since we only need this information if a user changes countries. Also, is there a way to only be notified when a user changes countries? Our primary goal is to identify the user's country without requesting unnecessary permissions or compromising the user experience. We want to avoid requesting location permissions if possible, as it may raise concerns among our users. What are the best practices and recommended approaches for financial institutions to determine a user's country in a React Native app, while minimizing the use of sensitive permissions? Are there any iOS-specific APIs, frameworks, or third-party libraries that can help us achieve this in a privacy-friendly manner? We would greatly appreciate any guidance, insights, or examples from the developer community to help us strike the right balance between security and user privacy. Thank you in advance for your assistance!
0
0
458
Apr ’24
Regarding network connection blocking of NSPrivacyTrackingDomains
・Xcode 15.1 ・The app is also compatible with Watch. In the privacy manifest, we defined NSPrivacyTracking to YES and NSPrivacyTrackingDomains to specific domains. Furthermore, to avoid warnings when uploading to Testflight, we have implemented a privacy manifest file in the app with the following configuration. ・Place the .xcprivacy files for the app itself and WatchExtension under their respective Target directories. ・Settings related to tracking domains are listed in .xcprivacy of the app itself. ・In .xcprivacy of WatchExtension, only describe the reason for UserDefault of NSPrivacyAccessedAPIType However, these implementations do not block network connections, "Fault" still occurs on "Point of Intereset instruments". Is there something wrong with my implementation?
0
0
585
Apr ’24
My app was reject because "Strings propurse"
Hello community, This is my first application that I try to publish, however my app has been rejected several times due to issues with the "purpose strings". I have already made several modifications to the texts but even so the app continues to be rejected, add the permissions in the infoPlist and texts, but they keep rejecting me, could someone advise me to comply with this requirement and publish my app. Apple sends me these comments Issue Description One or more purpose strings in the app do not sufficiently explain the use of protected resources. Purpose strings must clearly and completely describe the app's use of data and, in most cases, provide an example of how the data will be used. Examples of unclear purpose strings: "App would like to access your Contacts" "App needs microphone access" Next Steps Update the location and AppTrackingTransparency framework purpose string to explain how the app will use the requested information and provide an example of how the data will be used. See the attached screenshot. Thanks !!!
2
0
2.7k
Apr ’24
Question about tracking domains
We have a question about tracking domains: If we found a tracking domain in our app(eg."example.tracking.com"), but not put it into the PrivacyInfo.xcprivacy -> tracking domain list (refer to https://developer.apple.com/documentation/bundleresources/privacy_manifest_files), will iOS auto block the connection of this domain even when the tracking permission is granted? At the current time, the answer seems to be NO, but we are not sure about the situation in the future. Add this is the test result: tracking domains added + tracking permission granted -> not blocked tracking domains added + tracking permission not granted -> blocked tracking domains not added + tracking permission granted -> not blocked tracking domains not added + tracking permission not granted -> not blocked So it there any suggestion about the question? Thanks!
0
0
566
Apr ’24
Mail Privacy Protection (MPP) / Private Relay Question
Hello, we have noticed a change in the last few weeks in how Mail Privacy Protection (MPP) is operating. Specifically, MPP pre-caches images within email newsletters that are protected via Private Relay. The end result of the pre-cacheing is that every image in the newsletter is retrieved from our servers even if the user does not open the newsletter. This has been in place since '21. What we've noticed in the last month or so, is that the amount of pre-cacheing has dropped significantly, on the order of 20-25%. We can compare this with newsletters opened in non-MPP environments to know that email sends are consistent, it is only that pre-cached events seem to have changed. Does anyone know of any changes to the logic of Private Relay / MPP that would impact how it is pre-caching data from email newsletters? Thank you.
0
0
545
Apr ’24
image tracking in apple vision pro
ISSUE: In our code we are using the ImageTrackingProvider and ARKit similarly with the code provided from Apple documentation: https://developer.apple.com/documentation/visionos/tracking-images-in-3d-space However, when the application runs and we move the image in real space, the Image Tracking Provider send updates with a very low rate (about one frame per sec!) on the real Vision Pro device (please see the attached video). According to WWDC2023 (https://developer.apple.com/videos/play/wwdc2023/10091) the image anchors are updated as soon as they are available automatically by the system and they are not depended from camera frame rates. Therefore, why this is happening? We tried also to create an ImageAnchor by using the Reality Composer Pro in order to build a scene with it and check if we could have better tracking speed and updates. However, we found that Reality Composer Pro does not support image anchors like its predecessor Reality Composer! We also created the ImageAnchor on a Reality Composer Project and we tried to import the reality project / scene to out visionOS app. However, when the app builds we take an incompatibility message: “RealityKitContent - Tool terminated by signal 'Bus error: 10’ ” Other Reality Composer Projects that do not have image anchors are imported without any problems! We also tried to find if there is a frame rate setting on the real Vision Pro device (for reasons of battery saver), but we couldn’t find any. Finally, we tried to change asynchronous Tasks to synchronous in our code, but this couldn’t solve the problem. As the image detection and tracking in our code runs perfectly on iOS devices, and we want to build our apps to pure immersive space visionOS projects, what else can we do to have the same efficiency and performance like iOS?
2
1
1k
Apr ’24
Limited Access for Contacts like for Photos to prevent certain apps to collect our data.
Hi Everybody, I would like to see the feature, that allows us to limit the access for selected apps to get access to our Contacts. Especially apps like WhatsApp cannot be trusted, in my opinion, so I would love to see the possibility to prevent, that they just analyse our full Contact book and sell the data. With a limited access feature, we can at least decide, which information we wanna share with suspicious companys. What do you think and how could we reach the developers attention to get this with the next major update. Greetings from Europe
2
0
722
Jun ’24
iOS 17.4.1 requestTrackingAuthorizationWithCompletionHandler always ATTrackingManagerAuthorizationStatusDenied
In my device (iOS 17.4.1) settings, allowing apps to request tracking is enabled. Here is my request code: if (@available(iOS 14, *)) { ATTrackingManagerAuthorizationStatus attStatus = [ATTrackingManager trackingAuthorizationStatus]; if(attStatus == ATTrackingManagerAuthorizationStatusNotDetermined){ [ATTrackingManager requestTrackingAuthorizationWithCompletionHandler:^(ATTrackingManagerAuthorizationStatus status) { if (status == ATTrackingManagerAuthorizationStatusAuthorized) { NSLog(@"iOS14, ATT enabled"); [FBAdSettings setAdvertiserTrackingEnabled:YES]; NSLog(@"iOS14, ATT enabled, FBAdSettings setAdvertiserTrackingEnabled:YES successed"); } else if (status == ATTrackingManagerAuthorizationStatusDenied) { NSLog(@"iOS14, ATT disabled"); [FBAdSettings setAdvertiserTrackingEnabled:NO]; NSLog(@"iOS14, ATT disabled, FBAdSettings setAdvertiserTrackingEnabled:NO successed"); } UnitySendMessage("StoreKitListener", "OnRequestATTPermissionFinished", [[NSString stringWithFormat:@"%d", (int)status] cStringUsingEncoding:NSUTF8StringEncoding]); }]; } } else { UnitySendMessage("StoreKitListener", "OnRequestATTPermissionFinished", [[NSString stringWithFormat:@"%d", 3] cStringUsingEncoding:NSUTF8StringEncoding]); } When attStatus == ATTrackingManagerAuthorizationStatusNotDetermined, requestTrackingAuthorizationWithCompletionHandler will be called. Afterwards, status == ATTrackingManagerAuthorizationStatusDenied is received, and at the same time, I can see the permission request popup.
1
0
1.2k
Apr ’24
ATTrackingManager can't be pop up
`import UIKit import AppTrackingTransparency func requestDFA(){ if #available(iOS 14, *){ ATTrackingManager.requestTrackingAuthorization { status in switch status { case .authorized: // 用户已授权跟踪 print("Tracking authorization status: authorized") case .denied: // 用户拒绝跟踪 print("Tracking authorization status: denied") case .notDetermined: // 用户尚未做出选择 print("Tracking authorization status: not determined") case .restricted: // 跟踪受限,例如在家长控制设置下 print("Tracking authorization status: restricted") default: print("Tracking authorization status: unknown") } } } } @main class AppDelegate: UIResponder, UIApplicationDelegate { func application(_ application: UIApplication, didFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey: Any]?) -> Bool { // Override point for customization after application launch. requestDFA() return true } // MARK: UISceneSession Lifecyclez func application(_ application: UIApplication, configurationForConnecting connectingSceneSession: UISceneSession, options: UIScene.ConnectionOptions) -> UISceneConfiguration { // Called when a new scene session is being created. // Use this method to select a configuration to create the new scene with. return UISceneConfiguration(name: "Default Configuration", sessionRole: connectingSceneSession.role) } func application(_ application: UIApplication, didDiscardSceneSessions sceneSessions: Set) { // Called when the user discards a scene session. // If any sessions were discarded while the application was not running, this will be called shortly after application:didFinishLaunchingWithOptions. // Use this method to release any resources that were specific to the discarded scenes, as they will not return. } }`
1
0
530
May ’24
NSPrivacyTrackingDomains: does specifying a third-level domain affect other domains under the same second-level domain?
Because the latest privacy manifest file requires inclusion for submissions after May 1st, based on the document: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files I have two questions regarding the NSPrivacyTrackingDomains field: In my app, NSPrivacyTrackingDomains and regular user login registration data loading use the same second-level domain "myapp.com". If "tracking.myapp.com" is specified in NSPrivacyTrackingDomains but the user does not grant tracking permission to the App Tracking Transparency framework, can the app still access the network through third-level domains such as "login.myapp.com" or "data.myapp.com"? At the bottom of the document, there is a note: "You only need to supply NSPrivacyAccessedAPITypes for apps and third-party SDKs on iOS, iPadOS, tvOS, visionOS, and watchOS." Does this mean that NSPrivacyTrackingDomains and NSPrivacyTracking properties do not need to be filled out as of May 1st? Will there be any issues if they are not filled out? Eagerly awaiting your response! Thanks!!!
0
0
1.2k
Apr ’24
My app uses web view to load html data within app. Is that needs App Tracking Transparency?
Hello, Currently, my app only uses web view to load HTML data and external safari web view by link click. I have seen the following developer's details. So if HTML data load on web view needs data collection enabled, then which Types of data need to be added to data collection? Also. if we disable all types of Data collection from privacy. Is apple will allow you to submit the app? or Reject it? Any help will be appreciated. Thanks
0
0
483
Apr ’24
hyperlinks to external website and trackign request
Hi everybody i'm developing an app that shows events of an estate. i fetch the events from an endpoint and show them in a calendar like UI. The app it's pretty simple, just 2 endpoints and a few filters. We have 6 hyperlinks some pointing to the institutional website, some others to a platform my customer use to allow users to book rooms from his estate. The app does not collect any kind of cookies, there's no login or anything like that BUT a few version ago the app store connect blocked my app due to the absence of the tracking request within the links. the institutional website collect cookies and have his own banner and acceptance flow, i tried to explain that to the review team but they demanded me to add the request, so i did that and the app was accepted. Now i'm being rejected because of the tracking request because: _The app still appears to manipulate users into enabling tracking across different apps and websites. Specifically: The app still requires users to enable tracking in order to access the app's content and functionality, such as reserving a table. Users should have control over how their personal information is used and should not be forced or manipulated into enabling tracking._ I cant understand what should i doat this point, i've asked for info but the review team refuses to explain what steps do i need to take
0
0
376
Mar ’24