I have a question about the privacy manifest including the process, that is Do I need to declare a privacy manifest file for the SDKs that Apple is not listed in their list? Let's take an example, I have two SDK's like SDK1, SDK2 used in my app and both the SDK's used the "NSUserDefaults" privacy part and both the SDK's are not listed in the Apple list and also both SDK's did not have their own privacy manifest file. Now, the questions are, Do I need to include Privacy Manifest file to both the SDK's? OR Can I add one Privacy Manifest file in the app-specific then Xcode will combine OR use thisPprivacy Manifest file for the SDK's too? Thanks!

I received an email from Apple saying my app is using the following privacy-restricted APIs without an API declaration. NSPrivacyAccessedAPICategoryUserDefaults NSPrivacyAccessedAPICategoryFileTimestamp NSPrivacyAccessedAPICategorySystemBootTime It's true, my app is using those features, in multiple pods that I depend on. For example, my app depends on the FBAudienceNetwork cocoapod, and I've upgraded it to version 6.15.0, which added a privacy manifest specifically to ensure that Apple wouldn't flag my app with an error. https://developers.facebook.com/docs/audience-network/setting-up/platform-setup/ios/changelog/ I can see its privacy manifest explicitly covers these APIs, below: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>NSPrivacyTrackingDomains</key> <array> <string>ep1.facebook.com</string> <string>ep6.facebook.com</string> </array> <key>NSPrivacyCollectedDataTypes</key> <array> <dict> <key>NSPrivacyCollectedDataType</key> <string>NSPrivacyCollectedDataTypeAdvertisingData</string> <key>NSPrivacyCollectedDataTypeLinked</key> <true/> <key>NSPrivacyCollectedDataTypeTracking</key> <true/> <key>NSPrivacyCollectedDataTypePurposes</key> <array> <string>NSPrivacyCollectedDataTypePurposeThirdPartyAdvertising</string> <string>NSPrivacyCollectedDataTypePurposeAnalytics</string> </array> </dict> <dict> <key>NSPrivacyCollectedDataType</key> <string>NSPrivacyCollectedDataTypeDeviceID</string> <key>NSPrivacyCollectedDataTypeLinked</key> <true/> <key>NSPrivacyCollectedDataTypeTracking</key> <true/> <key>NSPrivacyCollectedDataTypePurposes</key> <array> <string>NSPrivacyCollectedDataTypePurposeThirdPartyAdvertising</string> </array> </dict> </array> <key>NSPrivacyAccessedAPITypes</key> <array> <dict> <key>NSPrivacyAccessedAPIType</key> <string>NSPrivacyAccessedAPICategoryUserDefaults</string> <key>NSPrivacyAccessedAPITypeReasons</key> <array> <string>CA92.1</string> </array> </dict> <dict> <key>NSPrivacyAccessedAPIType</key> <string>NSPrivacyAccessedAPICategorySystemBootTime</string> <key>NSPrivacyAccessedAPITypeReasons</key> <array> <string>35F9.1</string> </array> </dict> <dict> <key>NSPrivacyAccessedAPIType</key> <string>NSPrivacyAccessedAPICategoryFileTimestamp</string> <key>NSPrivacyAccessedAPITypeReasons</key> <array> <string>C617.1</string> </array> </dict> </array> <key>NSPrivacyTracking</key> <true/> </dict> </plist> So, why is Apple flagging my app with "Missing API Declaration" errors? The API declaration is right there. What am I still missing?

We are using and iOS version 17.4.1 and 17.5(beta) , and when are we facing the issue for local network permission in our app. Success scenario steps: Don't allow the local network permission in our App Allow it manually in app setting for local network permission(works only in first install of the App) We are able to call the API successfully Error scenario steps: Allow the local network permission popup to app when asked for permission Call the API successfully Uninstall the app and install the same app again and don't allow the local network permission API call fail's Manually change the local network permission to allow in app settings Still the API call fails even if we allow the local network permission Conclusion : We are getting API error when re-install the app and if it is not allowed local network permission as well as when we allow the local network permission. Looks like caching issue. Note: Even if uninstall and install multiple time and allow the local network permission from 2nd time onward API keeps on failing , but these scenario work perfectly fine on iOS 16 version and below. Even the existing app stopped working after updating iOS version to 17 and above. Also we found alternatively when we uninstall the app and restart the device and install it back again it works fine for the first time as a fresh install. Additionally : We are not calling local network permission explicitly, when the API call is happening this is native popup coming on iOS

We have a question about tracking domains: If we found a tracking domain in our app（eg."example.tracking.com"）, but not put it into the PrivacyInfo.xcprivacy -> tracking domain list (refer to https://developer.apple.com/documentation/bundleresources/privacy_manifest_files), will iOS auto block the connection of this domain even when the tracking permission is granted? At the current time, the answer seems to be NO, but we are not sure about the situation in the future. Add this is the test result: tracking domains added + tracking permission granted -> not blocked tracking domains added + tracking permission not granted -> blocked tracking domains not added + tracking permission granted -> not blocked tracking domains not added + tracking permission not granted -> not blocked So it there any suggestion about the question? Thanks!

I have a question regarding the way iOS handles app permissions. Why doesn't Apple provide a feature to review the reasons an app gave for requesting certain permissions after the initial authorization? There are instances where permissions were granted a long time ago or perhaps inadvertently, and now I can't recall why the app needed those permissions in the first place. This feature could be helpful for users trying to understand and manage their privacy settings more effectively. Thank you for any insights or information

Hello, we have noticed a change in the last few weeks in how Mail Privacy Protection (MPP) is operating. Specifically, MPP pre-caches images within email newsletters that are protected via Private Relay. The end result of the pre-cacheing is that every image in the newsletter is retrieved from our servers even if the user does not open the newsletter. This has been in place since '21. What we've noticed in the last month or so, is that the amount of pre-cacheing has dropped significantly, on the order of 20-25%. We can compare this with newsletters opened in non-MPP environments to know that email sends are consistent, it is only that pre-cached events seem to have changed. Does anyone know of any changes to the logic of Private Relay / MPP that would impact how it is pre-caching data from email newsletters? Thank you.

We develop an iOS SDK that allows developers to add VoIP capability to their iOS applications. For post-call quality analysis and debugging purposes we do collect SDK API usage and call quality data and send them back through internal HTTP API endpoint, therefore we need to disclose the domain in the privacy manifest. However we do not collect any Personally Identifiable Information and definitely have no intent to use these data for tracking the users like the examples described in https://developer.apple.com/app-store/user-privacy-and-data-use/. Our question is, do we need to set the “NSPrivacyTracking” key to “true” in the privacy, or our SDK actually is not tracking from the Privacy Manifest’s perspective and simply disclosing the data collection type/purpose as well as the domain is sufficient?

I am new to coding so pardon my naivety. I made a simple app for my company where customers can place orders and leave their names and phones numbers. Upon placing an order the app creates a collection in Google Firebase then generates an email with some HTML code. My app does not use any API's directly, and I believe I received the warning email solely because of the Firebase SDK like many others. I updated my app with what I believe to be proper "declaration of the data collected by my app or by third-party SDKs" according to https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_data_use_in_privacy_manifests - but I am wondering if I actually did it correctly! See Attached

Hello everyone,I am a student who is working on my final project of my college.I do not get an official development account since I do not need to put my app on AppStore. In my project,I need to use the camera of iOS device, and I know I need to add NSCameraUsageDesciption in Info.plist.However, as I add the description in my Info and build my project, it failed and says"Provisioning profile "iOS Team Provisioning Profile: " doesn't include the NSCameraUsageDescription and NSPhotoLibraryUsageDescription entitlements." I also notice that in the Info.plist file, when I change the property type to entitlements,I just cannot find NSCameraUsageDescription when I add row. What's the problem?Is this because I am not an official developer?

Hello, I need help understanding how to manage the privacyInfo.xcprivacy file for apps. Do I need to include privacy details from SDKs in the app’s own file? For instance, if an SDK’s file mentions "Privacy Tracking Enabled: YES," does the app need the same setting? Also, if the SDK lists "Device ID" as a Collected Data Type, should the app list it too? I thought it was best to keep the app’s privacy file just about the app itself and not add SDK information to avoid making things too complex. But I can’t find clear rules on this. Can someone clarify this for me? Thanks!

Let's say I have an iOS app on the app store. Anyone can download and use it, but I would like to restrict the app from granting access to certain features to a select set of people I can personally vouch for. So, for example, to get access, the app send email to me, you have to convince me I know you, and if you do, I send you back some kind of token string which you can enter into the app. However, I'd like for that token to not be shareable, and to be locked to that device. Is there any kind of persistent ID associated with a device that I can use to tie the token I grant to that persistent ID? Or can someone suggest a way that once I trust a user, I can give them a token which will cannot be shared to anyone else? Also, does anyone know if restricting access to app features in this way is any kind of issue with regards to the app review process? The app itself is free, and there are no in-app purchases. I simply don't want certain features of the app (which end up sending push notifications) to get abused.

Should the privacyInfo.xcprivacy file provided by an app also cover the content of the privacyInfo.xcprivacy from an SDK? For example, if Privacy Tracking Enabled is set to true in a third-party SDK, does that mean Privacy Tracking Enabled should also set to true in the privacyInfo.xcprivacy file included in the app?

I work on an app that uses a couple 3P SDKs that have their own SDK. My app also uses some of the APIs (UserDefaults) and declares those reasons in it's privacy manifest file. I was under the impression that I should only declare the reasons from my app in it's Privacy Manifest file, and that the 3P SDK reasons would automatically be pulled in (because they include them). Uploading to TestFlight I get warnings that this is not the case. If I only declare my app's reasons, it warns me that the APIs the SDK accesses are not included in the manifest. The only way to get it to work, is manually copying in the same declarations that the 3P SDK has into my own manifest file. Is this the way it's supposed to work? Or should it be generating a holistic manifest automatically for me?

Hello! In our applications we consume several 3rd party libraries that use one or more API from this list - https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api?language=objc. These XCFrameworks contain static frameworks (a framework with a statically linked binary inside), so after linking, the machine code inside these frameworks becomes either a part of the app's executable or a part of a dynamic library. We integrate these libraries using Swift Package Manager's ".binaryTarget" feature and have been having trouble understanding where should the privacy manifest be located in the final app, so that we can pass the App Store review process. It seems that with SPM the privacy manifest (PrivacyInfo.xcprivacy file) is lost - https://github.com/apple/swift-package-manager/issues/7317 If the static framework is linked as a part of the app's executable, does that mean we have to manually merge the app's privacy manifest with that of a 3rd party static library? If the static framework is linked as a part of a dynamic library within the app, where should the privacy manifest be located? And what should happen if there are multiple static frameworks each with a privacy manifest being linked into this dynamic library? Thank you very much!

Hey, I’m updating all of my apps to target the new versions of all the plugins we use, and for some reason, I have a warning message : ITMS-91053: Missing API declaration - Your app’s code in the “*****” file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryDiskSpace. ... ITMS-91053: Missing API declaration - Your app’s code in the “*****” file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryFileTimestamp. ... Apple Developer Relations But in my Cordova config.xml, I have already added the <privacy-manifest> tag: <privacy-manifest> <key>NSPrivacyTracking</key> <false/> <key>NSPrivacyCollectedDataTypes</key> <array/> <key>NSPrivacyTrackingDomains</key> <array/> <key>NSPrivacyAccessedAPITypes</key> <array> <dict> <key>NSPrivacyAccessedAPIType</key> <string>NSPrivacyAccessedAPICategoryDiskSpace</string> <key>NSPrivacyAccessedAPITypeReasons</key> <array> <string>E174.1</string> </array> </dict> <dict> <key>NSPrivacyAccessedAPIType</key> <string>NSPrivacyAccessedAPICategoryFileTimestamp</string> <key>NSPrivacyAccessedAPITypeReasons</key> <array> <string>3B52.1</string> </array> </dict> </array> </privacy-manifest> I have already sent some applications to Apple, and there is no problem; they haven’t sent me back the ‘Missing API declaration’ error. So in conclusion, I don’t know what the problem is for three of my app’s pool. it’s been several days that I’ve been working on this issue. If you have a solution, please let me know. Best regards."

Hello, I was referring to the post - https://developer.apple.com/forums/thread/663769 to determine if my app has been granted access to Local Network or not. I am starting an NWConnection for a local network address and checking if the currentPath?.unsatisfiedReason == .localNetworkDenied. This is not working as expected. Even when I accept the local network permission prompt, I still get the unsatisfied reason as .localNetworkDenied. I have also tried turning off/on the permission toggle from the settings app. I have also checked this with the 2nd method in the above post about using pathUpdateHandler and getting the same results. I am using an iOS 17.4.1 device. Is this method reliable? Is there some other method/api that I can use to check for local network access in my app?

My app uses CGEventTapCreateForPid to monitor keyboard events of a corresponding process. My app has already enabled the Accessibility permission, and AXIsProcessTrustedWithOptions returns true. However, CGEventTapCreateForPid returns null. What could be the problem? Does anyone know? I tested and found that if CGEventTapCreateForPid returns null, I can reset the Accessibility permission using tccutil reset Accessibility myapp_bundleid without restarting my app. But my app can still get the permission through AXIsProcessTrustedWithOptions

In my react native app deployed on appstore. I've added Privacy.Info file to declare privacy manifest as requested by Apple. But as soon as I added this file in my project using xcode, I am getting the Multiple commands produce Error when I make the build. Below is the code for my privacy.info file, which I've added in the root ios folder of my react native project. <dict> <key>NSPrivacyAccessedAPITypes</key> <array> <dict> <key>NSPrivacyAccessedAPIType</key> <string>NSPrivacyAccessedAPICategoryDiskSpace</string> <key>NSPrivacyAccessedAPITypeReasons</key> <array> <string>E174.1</string> </array> </dict> <dict> <key>NSPrivacyAccessedAPIType</key> <string>NSPrivacyAccessedAPICategoryUserDefaults</string> <key>NSPrivacyAccessedAPITypeReasons</key> <array> <string>CA92.1</string> </array> </dict> <dict> <key>NSPrivacyAccessedAPIType</key> <string>NSPrivacyAccessedAPICategoryFileTimestamp</string> <key>NSPrivacyAccessedAPITypeReasons</key> <array> <string>C617.1</string> </array> </dict> <dict> <key>NSPrivacyAccessedAPIType</key> <string>NSPrivacyAccessedAPICategorySystemBootTime</string> <key>NSPrivacyAccessedAPITypeReasons</key> <array> <string>35F9.1</string> </array> </dict> </array> </dict>

What happens if I submit an app and one of the third party libraries (but not in the big list of common third party libraries) in my app has errors in its privacy manifest? Does my app get rejected? Or does Apple go after the third party to fix their library? The error is simple enough. They simply failed to include the NSPrivacyCollectedDataTypes key. Actually, it is missing other keys but the error report probably stopped at the first one. The error is from Xcode > Window > Organizer > Archives > command click an archive from the list > Generate Privacy Report. The exact text of the error in that report is: Errors Encountered Missing an expected key: 'NSPrivacyCollectedDataTypes' I am not concerned with how to fix the syntax. I know that much. I want to know what Apple will do if I submit the app for review with the errors present in the third party lib. There are verbal rumors and speculation that Apple contacts third party library devs and leave app devs alone if a library messes up its privacy file, but I cannot find any confirmation of this on the Internet. And again, while this lib is from medium size commercial vendor, it is not common enough to be on Apple's list.

So as we know it's nearty 1/5 and the deadline of Privacy Manifest is near, I had take care allmost of case in my project but the things is I keep getting warning emails saying that I need to state for some "required api" that I'm using in my code. Which I'm current not. So after thinking abit, I decided to look into the IPA and extract the binary version of my IPA's package content using nm command. And supprisingly I can easily saw all the "reuqired API" that stated in the email Apple send me for my release So my question is: Do we really need to handle those case too? because always the "behind the scence" things using those API and honest I can't confirm where did they run or what did they do (due to limit of time until 1/5)