When submitting for Apple review, you will receive a warning email about the required reason APIs from the third party SDK.

Hello, I have a question regarding the Privacy Manifest of a third-party SDK.

We are using a static third-party SDK. This third-party SDK uses the UserDefaults API, and it is also specified in the Privacy Accessed API Types within PrivacyInfo.xcprivacy. The static third-party SDK is added as a dependency via CocoaPods, and PrivacyInfo.xcprivacy is included in the Pods Resource. Additionally, our app does not use UserDefaults API.

When we generate the Privacy Report, it correctly shows the data collected by the third-party SDK. However, when we submitted for review, we received a warning email stating that UserDefaults is being used in the app but is missing from the Privacy Manifest.

ITMS-91053: Missing API declaration - Your app’s code in the “MyApp” file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryUserDefaults. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.

I have the following questions:

  1. When submitting the app for review, does Apple not consider the PrivacyInfo.xcprivacy of the third-party SDK?
  2. What steps should be taken to ensure that Apple reviews the PrivacyInfo.xcprivacy of the third-party SDK?

I'll try and answer your question the best I know how, since you'll probably not hear anything from any official source :P

My best guess is that in order to determine what APIs that require reasons your app uses, Apple just runs a script with the nm CLI command that inspects your game binary and all the other binaries in your app bundle like the frameworks in the Frameworks folder.

If you run nm on your MyApp.ipa/Payload/MyApp.app/MyApp binary, you'll probably find the NSUserDefaults class there being used. It'll show up like "U _OBJC_CLASS_$_NSUserDefaults".

When you generate the Privacy report, if the third-party SDK is embedded & signed inside your app, it'll show up in the MyApp.ipa/Payload/MyApp.app/MyApp/Frameworks folder and the privacy manifest stuff will correctly be shown in the Privacy Report generated by Xcode. Except for NSPrivacyAccessedAPITypes, they don't show up in the Privacy Report.

Since it is a third-party static framework, by default, Xcode is configured to remove these static executables from embedded frameworks to ensure that your app bundle is as lean as possible (see REMOVE_STATIC_EXECUTABLES_FROM_EMBEDDED_BUNDLES setting). Also because it is a static framework, it gets incorporated into the binary of the main executable.

As a result of all of this, you've now ended up with your app's executable containing symbols for NSUserDefaults API, your app's privacy manifest is missing the declaration of this API, your third-party static framework does not have the binary there, so Apple doesn't find the NSUserDefaults API usage in it, and the privacy manifest of your third-party framework declared the NSUserDefaults API even though Apple cannot check the framework's binary.

So, if you ask me, it's a bug, Apple should merge the privacy manifests of static embedded frameworks with the privacy manifest of the main app. As for steps to ensure that Apple reviews the Privacy manifest of the third-party SDK, if you see NSPrivacyCollectedDataTypes from a privacy manifest correctly show up in a Privacy Report generated with Xcode, you can pretty much bet you've done your job correctly and Apple is reviewing it.

I hope this helps. At least, this is how I understand it, I'm not an expert.

Have a great day,

-Sisky
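The check guessed at in the answer above can be reproduced locally before upload. This is an added example, not part of the thread and not Apple's actual scanner: it compares required-reason categories implied by undefined symbols in `nm` output with the categories declared in a PrivacyInfo.xcprivacy. The symbol map is partial, and the `nm` text and both manifests are constructed samples.

```python
import plistlib

# Partial, illustrative map from undefined symbols (as printed by nm) to
# required-reason API categories. Assumption: Apple's real scan is not public.
SYMBOL_CATEGORIES = {
    "_OBJC_CLASS_$_NSUserDefaults": "NSPrivacyAccessedAPICategoryUserDefaults",
    "_mach_absolute_time": "NSPrivacyAccessedAPICategorySystemBootTime",
}

def categories_in_nm_output(nm_text):
    """Categories referenced by undefined ('U') symbols in nm output."""
    found = set()
    for line in nm_text.splitlines():
        parts = line.split()
        # Undefined symbols print as "U <name>"; defined ones carry an address.
        if len(parts) >= 2 and parts[-2] == "U" and parts[-1] in SYMBOL_CATEGORIES:
            found.add(SYMBOL_CATEGORIES[parts[-1]])
    return found

def declared_categories(manifest_bytes):
    """Categories that have at least one reason declared in a manifest."""
    manifest = plistlib.loads(manifest_bytes)
    declared = set()
    for entry in manifest.get("NSPrivacyAccessedAPITypes", []):
        if entry.get("NSPrivacyAccessedAPITypeReasons"):
            declared.add(entry["NSPrivacyAccessedAPIType"])
    return declared

def missing_declarations(nm_text, manifest_bytes):
    """Categories the binary references but the given manifest does not declare."""
    return sorted(categories_in_nm_output(nm_text) - declared_categories(manifest_bytes))

def make_manifest(api_types):
    """Build a constructed PrivacyInfo.xcprivacy (XML plist) for the demo."""
    return plistlib.dumps({"NSPrivacyAccessedAPITypes": api_types})

# Constructed nm output for a main executable with the static SDK linked in.
SAMPLE_NM = """\
0000000100003f00 T _main
                 U _OBJC_CLASS_$_NSUserDefaults
                 U _objc_msgSend
"""
APP_MANIFEST = make_manifest([])  # the app's own manifest declares nothing
SDK_MANIFEST = make_manifest([{   # the SDK's manifest carries the declaration
    "NSPrivacyAccessedAPIType": "NSPrivacyAccessedAPICategoryUserDefaults",
    "NSPrivacyAccessedAPITypeReasons": ["CA92.1"],
}])

if __name__ == "__main__":
    print("vs app manifest:", missing_declarations(SAMPLE_NM, APP_MANIFEST))
    print("vs SDK manifest:", missing_declarations(SAMPLE_NM, SDK_MANIFEST))
```

To use it on a real build, feed it the text printed by running nm on the app's main executable and the bytes of the app bundle's own PrivacyInfo.xcprivacy.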

https://developer.apple.com/support/third-party-SDK-requirements/ Apple says that "Xcode will combine the privacy manifests across all the third-party SDKs used by your app into a single", But actually, Xcode doesn't do this, and you may need to wait for Xcode to update?

@YaTian, I think you are referring to the app's privacy report, which Xcode can generate from an app archive. It is only used for filling out the forms for privacy information in App Store Connect when you submit your app for review.

The full quote from Upcoming third-party SDK requirements:

When you prepare to distribute your app, Xcode will combine the privacy manifests across all the third-party SDKs used by your app into a single, easy-to-use report. With one comprehensive report that summarizes all the third-party SDKs found in an app, it will be even easier for you to create more accurate Privacy Nutrition Labels

See also: Create your app’s privacy report
