An ITMS-91061: Missing privacy manifest rejection email looks as follows:
ITMS-91061: Missing privacy manifest- Your app includes
"<path/to/SDK>", which includes , an SDK that was identified in the documentation as a privacy-impacting third-party SDK. Starting February 12, 2025, if a new app includes a privacy-impacting SDK, or an app update adds a new privacy-impacting SDK, the SDK must include a privacy manifest file. Please contact the provider of the SDK that includes this file to get an updated SDK version with a privacy manifest. For more details about this policy, including a list of SDKs that are required to include signatures and manifests, visit: https://developer.apple.com/support/third-party-SDK-requirements.
Glossary
ITMS-91061: Missing privacy manifest: An email that includes the name and path of privacy-impacting SDK(s) with no privacy manifest files in your app bundle. For more information, see https://developer.apple.com/support/third-party-SDK-requirements.
: The specified privacy-impacting SDK that doesn't include a privacy manifest file.
If you are the developer of the rejected app, gather the name of the SDK from the email you received from Apple, then contact the SDK's provider for an updated version that includes a valid privacy manifest. After receiving an updated version of the SDK, verify the SDK includes a valid privacy manifest file at the expected location. For more information, see Adding a privacy manifest to your app or third-party SDK.
If your app includes a privacy manifest file, make sure the file only describes the privacy practices of your app. Do not add the privacy practices of the SDK to your app's privacy manifest.
If the email lists multiple SDKs, repeat the above process for all of them.
If you are the developer of an SDK listed in the email, publish an updated version of your SDK that includes a privacy manifest file with valid keys and values.
Every privacy-impacting SDK must contain a privacy manifest file that only describes its privacy practices.
To learn how to add a valid privacy manifest to your SDK, see the Additional resources section below.
Additional resources
Privacy manifest files
Describing data use in privacy manifests
Describing use of required reason API
Adding a privacy manifest to your app or third-party SDK
TN3182: Adding privacy tracking keys to your privacy manifest
TN3183: Adding required reason API entries to your privacy manifest
TN3184: Adding data collection details to your privacy manifest
TN3181: Debugging an invalid privacy manifest
Privacy
RSS for tagDiscuss how to secure user data, respect user data preferences, support iCloud Private Relay and Mail Privacy Protection, replace CAPTCHAs with Private Access Tokens, and more. Ask about Privacy nutrition labels, Privacy manifests, and more.
Posts under Privacy tag
200 Posts
Sort by:
Post
Replies
Boosts
Views
Activity
Our business model is to identify Frauds using our advanced AI/ML model. However, in order to do so we need to collect many device information which seems to be ok according to https://developer.apple.com/app-store/user-privacy-and-data-use/
But it's also prohibited to generate a fingerprint, so I need more clarification here.
Does it mean I can only use the data to identify that a user if either fraud or not but I cannot generate a fingerprint to identify the device?
If so, I can see many SKD in the market that generates Fingerprints like https://fingerprint.com/blog/local-device-fingerprint-ios/
and https://shield.com/?
Hi everyone,
I’m currently facing an issue while trying to submit an update for my app to the App Store. The review process is blocking the update due to a "Privacy - Data Use and Sharing" warning, stating that our app requests "tracking purchase history for tracking purposes."
However, we have already removed this functionality and deleted the NSUserTrackingUsageDescription key from our latest build. Despite this, the warning persists, and we are unable to proceed with the update.
I have already contacted Apple Support, but in the meantime, I wanted to ask the community:
Has anyone else encountered this issue, and if so, how did you resolve it?
Is there a way to force a refresh of privacy-related settings in App Store Connect?
Are there any additional steps we need to take to completely remove this tracking flag from our app submission?
Any insights or guidance would be greatly appreciated! Thanks in advance for your help.
I am reaching out regarding the ITMS-91061 rejection issue we encountered while submitting our app to the App Store. The rejection is related to missing privacy manifests for Firebase and related SDKs.
Currently, our PrivacyInfo.xcprivacy file is structured as follows:
Could you please confirm whether we can modify this file to include Firebase-related privacy information to resolve the rejection? If so, could you provide guidance on the correct format and the necessary entries we should add?
We appreciate your support and look forward to your response.
Hello, I have created an app for both iOs and Android where upon speaking two trigger words, the listening app sends a text and then calls to an inputted designated phone contact. The Android version works perfectly. The iOs version also works perfectly but the iOs app emiits a PopUp for each, the text and then the call asking "Do you really want to send the text -or- make the call". Basically, I input the contact info and I spoke the trigger words. So, yes I want to send the text and make the call. So, I have to click the two PopUps then the device sends and calls.
Is there a way to suppress the PopUps in any way? The app is designed for emergencies. So, a dely to anser a popup is not at all good.
Maybe by telling the device to allow auto calls and texts from my app?
Any and all help on this issue will be very welcomed...
Thanks :)
Apps made through .net maui don't work with local networks.
I'm using the .net 8 framework, and I followed the app to the ios system through .net Maui after connecting it to the computer through a data cable.
When I open the app, I get a request to access the local network and I agree to it. But still my app is not accessible.
I have asserted it correctly inside info.plist.
How can I fix this issue
I have these two pods:
Frameworks/GTMSessionFetcher.framework/GTMSessionFetcher
Frameworks/GoogleToolboxForMac.framework/GoogleToolboxForMac
they are showing this error:
ITMS-91061: Missing privacy manifest
I've tried manually making privacy files, I've tried updating the SDK's too. I cant update them because firebase depends on GTM Session at a lower version and if I update, MLKit depends on toolbox (even though its deprecating) If I upgrade then the whole project explodes. What do I do. I need help.
this is all I get and it doesn't help:
https://developer.apple.com/support/third-party-SDK-requirements
Hello Apple Developers,
I’m developing an iOS app that requires access to the user’s contacts. I understand that starting from iOS 14, Apple introduced two levels of contact permissions:
1️⃣ Full Access – The app can read all contacts.
2️⃣ Limited Access – The app can only access contacts selected by the user.
My Question:
If a user initially grants Limited Access, is it allowed by Apple’s guidelines to request Full Access later?
🔹 I understand that re-requesting permission immediately after the user denies it is against Apple’s policies.
🔹 However, if the user has already granted Limited Access, and we first show an explanation modal explaining why Full Access is beneficial, can we then prompt them to change their settings via openAppSettings()?
🔹 Alternatively, can we use Permission.contacts.request() again to re-prompt the user for Full Access, or will iOS prevent the permission prompt from appearing again?
How We Handle This in the App:
1️⃣ If a user selects Limited Access, we respect their choice and only access their selected contacts.
2️⃣ Later, if Full Access is necessary for an enhanced experience, we display a clear explanation modal explaining why the app needs Full Access.
3️⃣ If the user agrees, we attempt to guide them to openAppSettings(), allowing them to manually change the permission.
4️⃣ However, if Permission.contacts.request() can be used to directly request Full Access again, we would like to know if this is acceptable.
We want to ensure that our implementation follows Apple’s privacy guidelines while providing the best user experience.
Any official guidance or best practices on this matter would be greatly appreciated.
Thank you in advance!
Reproduce:
Download live-caller-id-lookup-example
Add
let url = URL(string: "http://another-macbook.local:80")!
let task = URLSession.shared.dataTask(with: url) {(data, response, error) in
guard let data = data else { return }
print(String(data: data, encoding: .utf8)!)
}
task.resume()
anywhere in the code
run PIRService target in xcode
Result: no dialogue, host is unreachable
Works fine when launching same binary from terminal
Hello,
I have been testing my app in iOS 18 device and while creating a server with TCP, then apple make a request for local network permission automatically. If we don't allow the permission, the connection not working. We are getting the connection timeout error even after allowing again from device setting.
Has something changed in the flow for iOS 18 version? Can someone help me to solve this issue?
According to the docs:
The first time your app performs an operation that requires [photo library] authorization, the system automatically and asynchronously prompts the user for it.
(https://developer.apple.com/documentation/photokit/delivering-an-enhanced-privacy-experience-in-your-photos-app)
I.e. it's not necessary for the app to call PHPhotoLibrary.requestAuthorization.
This does seem to be what happens when my app runs on an iPhone or iPad; the prompt is shown. But when it runs on a Mac in "designed for iPad" mode, the permission dialog is not presented. Instead the code continues to see status == .notDetermined.
That's today, on macOS 15.3. It may have worked in the past.
Is anyone else seeing issues with this? Should I call requestAuthorization explicitly? (Would that actually work?)
Hi folks,
I would like to ask for clarification regarding Local Network Policy. I found 2 cases where I think the behaviour differs from the documentation.
1. Use case
In a CI environment, we have multiple services (LaunchAgents) which require Local Network Access. We are fine by manually approving the Local Network Permission once (per service), but we also require these services to be able to self-update. Self update results in downloading the a binary with an (obviously) different UUID, which seems to result in re-triggering the Local Network Consent prompt. Strange thing: If I don't click either buttons (Allow of Reject), just restart macOS, it will result in an enabled entry in Privacy & Security > Local Network.
I read a reply somewhere on this forum by an Apple engineer that the approval process is a mix of Bundle ID + UUID + other components, so I would expect a new binary with the same properties (but different UUID) to be already whitelisted.
Is this behaviour intended?
2. Use Case
Given the first issue, I decided to do this in the "right way".
I was happy to read this sentence in the documentation:
If you ship a launchd agent that’s not installed using SMAppService, make macOS aware of the responsible code by setting the AssociatedBundleIdentifiers property in your launchd property list.
I have a properly setup (and code signed) Application, for which I have enabled Local Network permission in Privacy & Security.
I have a standalone LaunchAgent, which runs a long running binary from a user directory. The agent is managed with launchd, and in this sense it is "independent" from the main Application Bundle. I have setup AssociatedBundleIdentifiers in the Agent plist, to associate it with the Application. The TeamIdentifier of the 2 binaries are the same. Based on the documentation, this should be enough for my agent to signal macOS that the responsible code is the Application Bundle (which is already enabled from Local Network POV).
Instead, once the LaunchAgent starts, the Local Network Consent popup appears for the binary. I would expect the Application to be the responsible code, thus no more Consent popup.
Is this behaviour intended?
I need this service to run as user, so I cannot just circumvent the Consent popup by running as a Daemon or Root. Nor I would like to manage the Agent with ServiceManagement. What do you guys think, have I misunderstood the documentation?
There are different kinds of screen-sharing applications, all using different APIs.
The API used by AnyDesk, for example, or TeamViewer, which doesn't require light signals.
I wonder if this is more appropriate for a corporate application, i.e. MDM,
A screen-sharing application could be created and validated by Apple to display no light signals, and which could access the user's screen whenever the person wanted to after an initial acceptance?
In other words, the user accepts to share his screen once, but won't be notified to accept the next time.
Or is this impossible on iOS?
I'd be honored to have some answers
I am trying to simulate a paste command and it seems to not want to paste. It worked at one point with the same code and now is causing issues.
My code looks like this:
` func simulatePaste() {
guard let source = CGEventSource(stateID: .hidSystemState) else {
print("Failed to create event source")
return
}
let keyDown = CGEvent(keyboardEventSource: source, virtualKey: CGKeyCode(9), keyDown: true)
let keyUp = CGEvent(keyboardEventSource: source, virtualKey: CGKeyCode(9), keyDown: false)
keyDown?.flags = .maskCommand
keyUp?.flags = .maskCommand
keyDown?.post(tap: .cgAnnotatedSessionEventTap)
keyUp?.post(tap: .cgAnnotatedSessionEventTap)
print("Simulated Cmd + V")
}
I know that there is some issues around permissions and so in my Info.plist I have this:
<string>NSApplication</string>
<key>NSAppleEventsUsageDescription</key>
<string>This app requires permission to send keyboard input for pasting from the clipboard.</string>
I have also disabled sandbox. It does ask me if I want to give the app permissions but after approving it, it still doesn't paste.
We are developing a Flutter application targeted for MacOS and Windows . We are using the FlutterMacOS and connectivity_plus packages in our app
But whenever we are releasing a version to App Store we are getting the privacy manifest file missing for above 2 packages
We tried to add xcPrivacy file inside the Runner Xcode project. But that doesn't solve the issue
Adding the relevant lines from the warning email getting from App Store below
"ITMS-91061: Missing privacy manifest - Your app includes “Contents/Frameworks/FlutterMacOS.framework/Versions/A/FlutterMacOS”, which includes Flutter, an SDK that was identified in the documentation as a commonly used third-party SDK. Starting February 12, 2025, if a new app includes a commonly used third-party SDK, or an app update adds a new commonly used third-party SDK, the SDK must include a privacy manifest file or you won’t be able to submit the app for review in App Store Connect. Please contact the provider of the SDK that includes this file to get an updated SDK version with a privacy manifest. For more details about this policy, including a list of SDKs that are required to include signatures and manifests, visit: https://developer.apple.com/support/third-party-SDK-requirements.
ITMS-91061: Missing privacy manifest - Your app includes “Contents/Frameworks/connectivity_plus.framework/Versions/A/connectivity_plus”, which includes connectivity_plus, an SDK that was identified in the documentation as a commonly used third-party SDK. Starting February 12, 2025, if a new app includes a commonly used third-party SDK, or an app update adds a new commonly used third-party SDK, the SDK must include a privacy manifest file or you won’t be able to submit the app for review in App Store Connect. Please contact the provider of the SDK that includes this file to get an updated SDK version with a privacy manifest. For more details about this policy, including a list of SDKs that are required to include signatures and manifests, visit: https://developer.apple.com/support/third-party-SDK-requirements."
Please suggest a solution to solve this issue as early as possible , because February 12th onwards we will get blocked to release new versions
Hi,
I hope someone is able to help me with this query:
Is there a mandatory requirement to display a view before presenting the App Tracking Transparency modal to explain to the user why the app is asking for tracking? I see there are a few apps which do this, but I don't see any mention of this as a mandatory requirement within the app store review guidelines. The modal can be customised with a description detailing why the app is asking for tracking and I believe this may be sufficient to pass an app store review.
The guidelines also mention that the app must provide access to information about how and where the data will be used. We have these details in our privacy policy which is accessible from within the app. Is this sufficient or do we need a pre-modal view which contains a direct link the the privacy policy.
Any advice on this would be much appreciated.
I am trying to submit my app for review on appstoreconnect, but after every attempt it immediately says your app has been changed to invalid binary and rejected. The error related to this rejections is:
ITMS-91064: Invalid tracking information - A PrivacyInfo.xcprivacy file contains invalid tracking information at the following path: “Frameworks/MapboxCoreSearch.framework/PrivacyInfo.xcprivacy”. NSPrivacyTracking must be true if NSPrivacyTrackingDomains isn’t empty. Keys and values in your app’s privacy manifests must be valid.
Despite the fact that my app's PrivacyInfo.xcprivacy states no that there are no tracking domains, privacy tracking is not enabled and that the Privacy Nutrition Label Types clearly state that there are no particular tracking happening across the selected the labels, which are course location, precise location and search history. The information in the IPrivacyInfo.xcprivacy in the app privacy settings and reflect that there is no tracking happening. I have attempted changing the details and I still get the same error. I've tried every solution and it still gets flagged for this.
Hello,
I recently installed an iOS app called SpyBuster by MacPaw.
This app shows as list all my installed apps.
How is this possible ?
As a developer, I know this is prohibited by Apple - third party app to scan application workspace.
I'm experiencing an inconsistent behavior with the App Tracking Transparency (ATT) prompt in my Cordova iOS app using the admob-plus-cordova and cordova-plugin-consent plugins.
Environment:
Cordova iOS app
Plugins: admob-plus-cordova, cordova-plugin-consent
iOS Simulator: 16.0
Physical device: iphone 12 17.5.1
Xcode version: 16.2
Issue:
The ATT permission prompt appears correctly in the iOS Simulator but fails to show on physical devices. I've verified that:
Info.plist includes NSUserTrackingUsageDescription
The ATT request is triggered before initializing AdMob
The device is running iOS 14.5 or later
Expected behavior:
ATT prompt should appear on first launch on physical devices (as it does in the simulator)
Actual behavior:
ATT prompt appears correctly in simulator [attach your screenshot]
ATT prompt never appears on physical device
Troubleshooting steps tried:
Verified app hasn't previously requested ATT permission
Confirmed tracking is enabled in device Settings -> Privacy -> Tracking
Verified implementation order (ATT request before AdMob initialization)
Any insights on why this might be happening or additional debugging steps would be greatly appreciated.
SwiftData ModelContainer instances don't seem to have a value for setting the Data Protection class.
Is the best way to set that by setting the Data Protection in the app capabilities? Is that the only way?
I have a need for log data that would be "Complete unless open" and user data that would be "Complete", but how do I change one of the containers data protection class?