Discuss how to secure user data, respect user data preferences, support iCloud Private Relay and Mail Privacy Protection, replace CAPTCHAs with Private Access Tokens, and more. Ask about Privacy nutrition labels, Privacy manifests, and more.

Posts under Privacy tag

200 Posts
Post

Replies

Boosts

Views

Activity

How to get permissions to Motion & Fitness
I am trying to access the CMAltimeter class, and I keep getting the error Domain=CMErrorDomain Code=105. I know that indicates my app does not have permissions for motion and fitness. All the documentation I can find mentions the need to add NSMotionUsageDescription to Info.plist. However, I have done that, and it does not help. I am using Xcode 15. It seems that whenever I go to look up how to get permissions to something, the information on the web seems to be outdated, and Apple seems to move stuff around. I have found I can add the entry to Info.plist by using the Info.plist editor and selecting "Privacy - Motion Usage Description", but that does not help. I also notice that when I go to the Info tab on my build target, there is a "Privacy - Motion Usage Description" there also. If I add the entry there, it takes it out of my Info.plist, and makes an entry in the project's project.pbxproj file named INFOPLIST_KEY_NSMotionUsageDescription. Regardless of which of those I use, I still get the 105 error. I'm sure I'm missing something more, but I can't find it anywhere. There was mention of a "Health and Fitness" in the signing capabilities, but I could not find anything listed there in Xcode 15.
3
0
766
Jun ’24
Invalid binary when submitting a build to appstore connect
When I send a build in Xcode the process occurs normally, but a few minutes later I receive an e-mail saying: "ITMS-90683: Missing purpose string in Info.plist - Your app’s code references one or more APIs that access sensitive user data, or the app has one or more entitlements that permit such access. The Info.plist file for the “***.app” bundle should contain a NSMicrophoneUsageDescription key with a user-facing purpose string explaining clearly and completely why your app needs the data. If you’re using external libraries or SDKs, they may reference APIs that require a purpose string. While your app might not use these APIs, a purpose string is still required." So the problem is the description of the use of the microphone, right? As the attached image shows, I have already done this process, and I continue to receive this error. Even when I remove the part of the AVFoundation code that uses the microphone to try to submit the build, the error continues to be returned to me.
1
0
438
Jun ’24
Prevent authorisation prompt during deactivationRequest
By calling the deactivationRequest from the main app bundle, we see Privacy & Security prompts for TouchID to deactivate the System Extension. We want to know if there's a way to avoid that prompt. We also need to know why the prompt pops up to deactivate our own app's System Extension component. We even tried to call the deactivate request from a daemon that has root access. We still see the prompt. https://developer.apple.com/documentation/systemextensions/ossystemextensionrequest/deactivationrequest(forextensionwithidentifier:queue:)
1
0
403
Jun ’24
Are Privacy Nutrition Labels in App Store Connect automatically updated based on Privacy Manifest files in the app and third-party SDKs?
Hello, I include a Privacy Manifest file in my app and specify one Privacy Nutrition Label Type (Email Address, for marketing purposes). My app uses some third-party SDKs like RevenueCat that contain Privacy Manifest files with nutrition label types specified (Purchases History for RevenueCat for example). Xcode can generate a report that aggregates all the data types that are collected by the app. But is App Store Connect updated when I upload a build? Or do I have to manually set up the App Privacy info? Thanks.
1
0
453
Jun ’24
Autofill verification codes from Mail
We're testing this new functionality with our app. One issue I've discovered is that because Gmail intentionally doesn't support push via the Mail app, sending codes to a Gmail email means users will likely never see this autofill. It does appear if you enter the Mail app, pull new messages, and then quickly switch back to the code entry in your app and present the keyboard. I'm basically looking for a behaviour correction here from Apple. Perhaps iOS should intercept notifications for the Gmail app (and other notable apps), or provide a way for devs to publish codes to a system API. As it stands, a large portion of our customers who use Gmail presumably will not be able to use this autofill feature.
0
0
438
May ’24
Request access popup flood
Good afternoon. After a long time of using the MacBook, security popups requesting access from apps started appearing. For example, today I opened vscode to work with nuxtjs and 3 popups appeared: vscode requests access to photos, calendar, contacts, desktop, iCloud, etc. The same happens with PHPStorm. If I open Terminal, the same thing happens with Terminal. I haven't installed anything and haven't updated anything. Then I decided to update to the latest macOS, thinking that it might help, but it didn't help. My questions are: How to fix that? All applications, even Terminal, should not have such permission requests. Is it a bug, and will it be fixed in a patch? Why do these popups always appear if I clicked Don't Allow? OS: macOS Sonoma 14.5, MacBook Pro 2019
0
0
308
May ’24
Privacy Manifest Non Tracking Within Webview
We are requesting some information on what should be done in the following case: We have an application that has a privacy manifest, where tracking domains are listed. When the user does not give his/her consent to be tracked, non-tracking domains are being used for requests to bring ads. The application in question has a webview where content (ads) is loaded. When a user clicks on an ad, another webview is opened, and this webview does not know that it is in a non-tracking flow. Therefore, tracking domains are being used instead of non-tracking domains. Since multiple redirections might be in play, there is no way to pass data from the original webview to the one that is opened once the ad is clicked. Would the tracking domains being used in the second webview be blocked? If so, what can we do to circumvent this scenario? Is this even a use case considering privacy manifest? Thanks
0
0
476
May ’24
iPad app on macOS not asking for microphone permission
Hello, I have an iOS app that is recording audio that is working fine on iPads/iPhones. It asks for microphone permission and after that recording works. I installed the same app on my M3 MacBook via TestFlight since iPad apps are supposed to work without a change that way. The app starts fine and everything, but it never asks for microphone permission, so I can't record. Do I need to do something to make this happen? (This is not macCatalyst, it's running the arm64 iPhone binary on macOS.) Thanks
1
1
544
May ’24
Describing use of required reason API - current status
Hi everyone, I wanted to ask if anybody knows what the current status is about the declaration of required reasons APIs. Before May 1, when I uploaded a new build to the App Store Connect and added it to a group with external testers, I got a notification by email like the following: ITMS-91053: Missing API declaration - Your app’s code in the [...] file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryDiskSpace. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code. In an article published by Apple (https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api) it is even stated that after May 1, apps that do not comply are not accepted by the App Store Connect. According to my interpretation, even the upload should be rejected. I am currently in the process of adding a privacy manifest and adding the declarations. For testing purposes, I wanted to add the declarations step by step and see where I still need to fix anything. My problem is that the warnings by Apple are not being sent anymore. I have uploaded a new build after May 1 with no privacy manifest and therefore no API declarations, it was accepted by App Store Connect and even passed the review for an external testers group. Does anybody have information about the following questions? Did Apple shift the deadline? How can I trigger the warning emails again so that I know what to fix and see when my app is compliant? Thanks in advance!
1
0
649
May ’24
ITMS-91054: Invalid API category declaration
I added a privacy manifest for my app and submitted it for review, and Apple rejected my app with this comment: ITMS-91054: Invalid API category declaration - The PrivacyInfo.xcprivacy for the “Frameworks/SmartlookAnalytics.framework/SmartlookAnalytics” file contains “Disk Space” as the value for a NSPrivacyAccessedAPIType key, which is invalid. Values for NSPrivacyAccessedAPIType keys in any privacy manifest must be valid API categories. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api. I looked at the package manifest and all looks fine (attached image). Maybe somebody saw that issue and can tell me how I can fix it.
3
0
1.4k
May ’24
How to make keyboard extension available for a MDM device?
Our keyboard extension can be accessed independently in the China region with native apps like Notes or Safari; however, the keyboard can only be opened in the app under the same project in the Taiwan region. I've checked some articles about how MDM manages extensions, and also made sure the RequestOpenAccess option in our keyboard extension's Info.plist is set to Yes. I'm not sure whether there is anything I missed, or whether I just need to inform the client that they need to reach out to their MDM manager and modify some restrictions. If keyboard supports mobile device management (MDM), it can work with managed apps. App extensions give third-party developers a way to provide functionality to other apps or even to key systems built into the operating systems. Allow full access to custom keyboard in iOS
1
0
598
May ’24
Urgent: Help Needed with App Store Submission Issue
Hello, We recently encountered an issue with our app's submission to the App Store regarding missing permissions. Specifically, our app requires access to two categories called: NSPrivacyAccessedAPICategoryFileTimestamp and NSPrivacyAccessedAPICategoryUserDefaults for proper functionality. Although we've managed to resolve the immediate concern, it's important that we address this as soon as possible (to avoid any further complications with future app submissions). As I'm not entirely familiar with app development/coding, I'm reaching out to seek help with this. We also want to know if the issue we're experiencing is related to using pre-release software or our code? Any insights or help with this would be greatly appreciated. Thanks!
2
0
464
May ’24
Missing API declaration warning on AppStore submission
App: "Nappkin" Apple ID: 639242085

Hi, We are getting several "Missing API declaration" warnings (see below) when submitting our iOS app to the AppStore. Our app does not use the mentioned APIs but apparently one or more of the libraries we use do. We have included a privacy manifest that states this fact (included below). Why are we still getting these warnings/errors when we have included a privacy manifest? If each framework used must have a manifest can you tell me which frameworks are in error? We have no influence on the contents of the frameworks used in our apps. How can we comply if a framework we use does not have a required manifest and is unable or unwilling to include it? Our app is a point-of-sale app used by 100's of professionals. We have been in the AppStore for more than 10 years. Our app is fully dependent on several frameworks and not being able to update our app will mean we have to close our business. Thanks! Willem Bison

= Privacy manifest ====

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>NSPrivacyAccessedAPITypes</key>
    <array>
        <dict>
            <key>NSPrivacyAccessedAPIType</key>
            <string>NSPrivacyAccessedAPICategoryDiskSpace</string>
            <key>NSPrivacyAccessedAPITypeReasons</key>
            <array>
                <string>Our app does not use this api directly but (apparently) an included framework does</string>
            </array>
        </dict>
        <dict>
            <key>NSPrivacyAccessedAPIType</key>
            <string>NSPrivacyAccessedAPICategorySystemBootTime</string>
            <key>NSPrivacyAccessedAPITypeReasons</key>
            <array>
                <string>Our app does not use this api directly but (apparently) an included framework does</string>
            </array>
        </dict>
        <dict>
            <key>NSPrivacyAccessedAPITypeReasons</key>
            <array>
                <string>NSUserDefault is used to store and retrieve several user preferences</string>
            </array>
            <key>NSPrivacyAccessedAPIType</key>
            <string>NSPrivacyAccessedAPICategoryUserDefaults</string>
        </dict>
        <dict>
            <key>NSPrivacyAccessedAPITypeReasons</key>
            <array>
                <string>Our app does not use this api directly but (apparently) an included framework does</string>
            </array>
            <key>NSPrivacyAccessedAPIType</key>
            <string>NSPrivacyAccessedAPICategoryFileTimestamp</string>
        </dict>
    </array>
</dict>
</plist>

= Warnings ====

Hello, We noticed one or more issues with a recent submission for App Store review for the following app: Nappkin Version 179.0 Build 33854 Although submission for App Store review was successful, you may want to correct the following issues in your next submission for App Store review. Once you've corrected the issues, upload a new binary to App Store Connect.

ITMS-91053: Missing API declaration - Your app’s code in the “Nappkin” file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryFileTimestamp. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.

ITMS-91053: Missing API declaration - Your app’s code in the “Nappkin” file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryDiskSpace. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.

ITMS-91053: Missing API declaration - Your app’s code in the “Nappkin” file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategorySystemBootTime. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.

ITMS-91053: Missing API declaration - Your app’s code in the “Nappkin” file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryUserDefaults. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.

Apple Developer Relations
2
0
644
Apr ’24
AppleEvents entitlement - apparently not required?
We have a legacy app written in a mix of C, ObjC, C++ and ObjC++ with .xib files. It is not sandboxed. It sends an Apple Event to TV (the app of that name from Apple, not a physical TV) using /usr/bin/osascript, calling a compiled Apple Script which is in our app bundle's Resources directory with parameters which we generate in our app at runtime. The first time it does this on a fresh system, the OS puts up a dialog asking for permission to control TV, and after the user clicks Allow, our app appears under Security and Privacy in the Automation section. That's all fine, but what is unexpected is that the app has no Apple Events entitlement (com.apple.security.automation.apple-events), and it doesn't have a NSAppleEventsUsageDescription string either. The documentation at https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_automation_apple-events says

Your app doesn’t need the Apple Events Entitlement if it only sends Apple events to itself or to other processes signed with the same team ID.

but we're not on the Apple team. When I filter the log for messages from tccd pertaining to our app, it does indeed complain:

Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for accessing={TCCDProcess: identifier=<our bundle id>

But despite those complaints, everything works - I can send the event, and TV acts upon it. Is this working only by accident, and might fail in some minor future OS update?

tccd also complains about the microphone

Prompting policy for hardened runtime; service: kTCCServiceMicrophone requires entitlement com.apple.security.device.audio-input but it is missing for requesting={TCCDProcess: identifier=<our bundle ID>

but we don't use the microphone. tccd complains about this too

<path-to-our-app> attempted to call TCCAccessRequest for kTCCServiceAccessibility without the recommended com.apple.private.tcc.manager.check-by-audit-token entitlement

What does that mean, and should we be concerned?
1
0
841
Apr ’24
Understanding Apple’s new Privacy Manifest Rules
Greetings everyone, first of all I apologize to everyone for the long question I am going to ask, but I thought it would be better to tell you my question and what I am working on to solve it. You may have heard about Apple's new Privacy Manifest requirement for new apps to be released to the app store. After I heard about it, I made a list of all dependencies used in my project and then updated them to the versions that include the Privacy Manifest file. Since I only use UserDefaults in my project, which is one of the required reason APIs specified by Apple, I added it and my reason for using it in the Privacy Manifest file. When I released a package with this development, I received a new notification email from Apple saying that while they used to be upset with me about UserDefaults, they are no longer, so it seems that Apple has accepted my reason for using UserDefaults in the application. However, Apple was also upset about Required Reason APIs in this list that I don't actually use (e.g. SystemBootTime API, DiskSpace API, FileTimestamp API). I thought about what could be causing this. First of all, it could be that one of the dependencies I use didn't specify the Required Reason API in the Privacy Manifest file or specified it incorrectly. However, I didn't think this was likely because I'm using common dependencies (e.g. Firebase, Alamofire, Lottie, etc.) and I didn't find any issues in the repos for them. Then it occurred to me that we have a binary dependency embedded statically in the project. I looked at the repo of this dependency and in the latest versions they added the Privacy Manifest file, but they added an empty privacy manifest file. This SDK is actually a service that we bought as a company. Therefore, I don't think there will be a problem. If they don't use Required Reason API, I think it can't be the cause of the mail. Nevertheless, our Business Analysts will contact the SDK owners. 
Then I realized that although it is on the list of SDKs that Apple requires to include a privacy manifest, I could not update it. This is nanopb. Actually, this is not a direct dependency of mine, but it is a dependency of Firebase. Like nanopb, there are other packages that are dependent on Firebase and are listed by Apple (e.g. abseil, Promises, GTMSessionFetcher etc.). These are included as SPMs in the Package.swift file of Firebase that I have added to my project, with specific version ranges. If I update it, I get the latest version of the appropriate SPM version. For example promises were added for Firebase 10.16.0 as follows. The previous version did not have the Privacy Manifest. So I updated it to 2.4.0 by doing Project Navigator > Package Dependencies > Update To Latest Package Versions on Xcode.

    .package(
      url: "https://github.com/google/promises.git",
      "2.1.0" ..< "3.0.0"
    ),

This version included the Privacy Manifest, which solved my problem. But for nanopb the situation is as follows and no version of nanopb provides Privacy Manifest. I'm not even sure if there is a version of nanopb like the one below.

    .package(
      url: "https://github.com/firebase/nanopb.git",
      "2.30909.0" ..< "2.30910.0"
    )

When I did some research on the issue, I came across something like this. The Google developer wrote “This bug can be closed because this repo does not release a binary distro of nanopb for Apple platforms.” in response to the issue. But as a non-native English speaker, I don't understand this explanation. As a result, Apple stated in the mail that I was using these Required Reason APIs (I will give an example of the mail below). I tried to find it even though it was not the case. Three possibilities came to my mind and I thought about these possibilities. Finally, I decided to consult you. What do you think is causing this (is it widely used sdk's that do not specify or incorrectly specify the reason for using required reason api's? is it static library? is it nanopb?)
Is there any way to see Apple's evaluation in this notification email without releasing the package? Will I test whether I have fixed this or not by constantly releasing packages? Any comments will be very appreciated. Thank you very much in advance for all your comments and answers! Email (Consider that the equivalent exists in the SystemBootTime API and DiskSpace API below.): ITMS-91053: Missing API declaration - Your app’s code in the “MyAppName” file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryFileTimestamp. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api
0
0
1.6k
Apr ’24
If I remove the API from a third-party library, does it not require Privacy Manifest??
Suppose I received a Privacy Manifest from Apple in the process of reviewing the app. I used "UserDefaults" and "File timestamp APIs" among the APIs, and I didn't add a Privacy Manifest. And there is nothing in the mail other than "UserDefaults" and "File timestamp APIs". And so is the code. If I remove all the code related to "UserDefaults" and "File timestamp APIs" from the library in this situation, is it okay not to add "Privacy Manifest" from the library as well?? The library can be a Framework or Static Library.
0
0
417
Apr ’24
Regarding network connection blocking of NSPrivacyTrackingDomains
・Xcode 15.1
・The app is also compatible with Watch.
In the privacy manifest, we defined NSPrivacyTracking to YES and NSPrivacyTrackingDomains to specific domains. Furthermore, to avoid warnings when uploading to TestFlight, we have implemented a privacy manifest file in the app with the following configuration.
・Place the .xcprivacy files for the app itself and WatchExtension under their respective Target directories.
・Settings related to tracking domains are listed in .xcprivacy of the app itself.
・In .xcprivacy of WatchExtension, only describe the reason for UserDefault of NSPrivacyAccessedAPIType
However, these implementations do not block network connections; "Fault" still occurs on "Point of Interest instruments". Is there something wrong with my implementation?
0
0
585
Apr ’24