Hello.We provide our customer with a SDK which we developed.
Our customer demands us that our SDK supports privacy manifest requirement.
We check if our SDK uses data,APIs and third party SDKs on the list Apple released.
When our SDK don't use any data,APIs and third party SDKs,
Should we add the privacy manifest file to our SDK?
Privacy
RSS for tagDiscuss how to secure user data, respect user data preferences, support iCloud Private Relay and Mail Privacy Protection, replace CAPTCHAs with Private Access Tokens, and more. Ask about Privacy nutrition labels, Privacy manifests, and more.
Posts under Privacy tag
200 Posts
Sort by:
Post
Replies
Boosts
Views
Activity
How can we generate the app privacy report with xcodebuild?
Here it is described how to generate the app privacy report using Xcode. We would like to do the same with xcodebuild as part of our automated build pipeline.
Hello
I have a question regarding App Privacy Details, concerning the “User ID” field.
On one of my apps, I use email address as identifier during user authentication.
In “App privacy” page (as well in my privacy manifest), I did add “Email Address” as collected data type, and specified that it’s linked to the user.
My question is: Should I add “User ID” to my “App privacy details”, since the email address is used as identifier for the user account?
Thanks in advance
As the new requirement for Privacy manifests is coming this Spring 2024 (https://developer.apple.com/news/?id=r1henawx), Apple released a list of SDK's that need to comply with this requirement and provide a privacy manifest file: https://developer.apple.com/support/third-party-SDK-requirements/
I have a SDK project that does not fall under the mentioned requirements。
collects data
uses of required reason API
includes listed Third-party SDK
I have some questions:
Do I need to include a privacy manifest file in my SDK project?
if so, is a blank privacy manifest file included in the SDK?
if not, is it possible to publish an App that use my SDK, without a privacy manifest file?
If someone in Apple WWDR sees this, please take the feedback to heart and report it up the chain:
When you announce that a technology is being deprecated — such as CGDisplayStream — and also publish WWDC sessions about the intended replacement — ScreenCaptureKit — then you also need to give third-party developers a clear deadline by which this technology will be deprecated so that they can plan engineering efforts around implementing the new feature, and have ample time to communicate this to their customers. If it's important for third-party developers to get on board with this change, you should use every available means to communicate this to them, including multiple email alerts to their registered email address.
Additionally, if you plan to make a BREAKING change in a framework that results in a wildly different user experience, you should probably hold that off until the summer release for the next major OS.
What you should definitely NOT do is roll out a new privacy prompt in a mid-year release of macOS; or give your developers, customers, and AppleSeed program participants zero advance notice that this alert is coming, ignore your own Human Interface Guidelines when designing said prompt, and perform no user experience design testing (aka "putting on your customer hat") during a presumed internal alpha testing cycle to refine the experience and still find the most effective and least annoying way to present this additional prompt and spur change with your third-party developers.
Oh, wait, you've done exactly all those things the wrong way with respect to ScreenCaptureKit.
Right now, a host of Apple device administrators and client platform engineers are sending mountains of feedback to you, and they're also scrambling to contact third-party developers to let them know this is coming. Most of the vendors being discussed in private forums are said to be caught off guard by this change.
We anticipate that users are not going to like this, and there is no way we can manage it with MDM or configuration profiles. In short, the current experience is a ghastly mess. WE, the administrators, will get blamed for this, not the third-party developers. WE will have to explain to our leadership why this experience is terrible and cannot be managed.
Engineers need deadlines to help plan their work and prioritize tasks. In this case, vendors have had no firm deadline for this effort. There's already precedence for Apple announcing estimated deadlines for deprecations and feature removals. You do your developers and customers a great disservice by not communicating schedules to them.
Please do better.
P.S.: Feedback filed as FB13619326.
Hi,
I've implemented the Privacy Manifest in my app and specified my tracking domain as required, setting NSPrivacyTracking to true and listing my domain under NSPrivacyTrackingDomains However, on iOS17 when I decline the App Tracking Transparency (ATT) request, the specified tracking domain isn't blocked by iOS, contrary to my expectations. Shouldn't Apple's framework automatically block the domain and indicate this action in Instruments, allowing developers to verify the domain is indeed blocked when tracking is denied?
<key>NSPrivacyTracking</key>
<true/>
<key>NSPrivacyTrackingDomains</key>
<array>
<string>traking.example.com</string>
</array>
for ios sdk,
only NSPrivacyAccessedAPITypes is required?
Note
You only need to supply NSPrivacyAccessedAPITypes for apps and third-party SDKs on iOS, iPadOS, tvOS, visionOS, and watchOS.
https://developer.apple.com/documentation/bundleresources/privacy_manifest_files?language=objc
Hi,
I encounter a problem about the permission using Flutter.
I already add the following items in iOS/Runner/Info.plist
<key>NSCameraUsageDescription</key>
<string>We need access to your camera to take photos.</string>
<key>NSLocationAlwaysAndWhenInUseUsageDescription</key>
<string>We need to access your current location for manage the dispatching routing.</string>
<key>NSLocationWhenInUseUsageDescription</key>
<string>We need to access your current location for manage the dispatching routing.</string>
<key>NSMicrophoneUsageDescription</key>
<string>We need access your microphone to talk to driver.</string>
<key>NSPhotoLibraryUsageDescription</key>
<string>For uploading driver's report including dispatch and clock in/out</string>
And call this in my code:
Map<Permission, PermissionStatus> statuses = await [
Permission.camera,
Permission.locationWhenInUse,
Permission.locationAlways,
Permission.microphone,
].request();
But why there is no any dialog asking for permission and when going to settings-> "App name", and there are no items in "Allow {App Name} to Access" for setting permission manually. Can anyone help me?
Thanks a lot.
Here is the information of flutter doctor
``[✓] Flutter (Channel stable, 3.10.6, on macOS 13.6.4 22G513 darwin-x64, locale zh-Hant-TW)
[✗] Android toolchain - develop for Android devices
✗ Unable to locate Android SDK.
Install Android Studio from: https://developer.android.com/studio/index.html
On first launch it will assist you in installing the Android SDK components.
(or visit https://flutter.dev/docs/get-started/install/macos#android-setup for detailed instructions).
If the Android SDK has been installed to a custom location, please use
`flutter config --android-sdk` to update to that location.
[✓] Xcode - develop for iOS and macOS (Xcode 15.2)
[✗] Chrome - develop for the web (Cannot find Chrome executable at /Applications/Google Chrome.app/Contents/MacOS/Google Chrome)
! Cannot find Chrome. Try setting CHROME_EXECUTABLE to a Chrome executable.
[!] Android Studio (not installed)
[✓] VS Code (version 1.62.0)
[✓] VS Code (version 1.86.1)
[✓] Connected device (2 available)
[✓] Network resources``
I'm following the steps outlined to be able to email users that have used Apple Sign-in that is listed here and I have a green check for SPF status. I used my email <my_email_here>@gmail.com, but when I try to send an email from the email address configured to the private relay email I don't see my test email coming through.
I also tried sending an email from a non configured email and I don't back any sort of error message, not sure if I should though.
Is there a delay in how quickly the email is received?
In other frameworks, I've seen codeSignature included in dynamic cases, but this time Apple said, "Signatures are so required in these cases where the listed SDKs are used as binary dependencies."
Does that mean that even if the .framework file of the SDK you are deploying is static, you have to include codeSignature?
Hello:
I was reading about Mail Privacy Protection because a customer issue case, and how it don't work with VPNs. The final user sees all the time a message on the email top, and then the final user claims to the vpn owner.
Which are the hostnames to set in the VPN as whitelisted to remove the message from there?
Thanks in advance
Apple requires declaring the use of UserDefaults in both the App and third-party libraries in the PrivacyInfo.
However, I also utilize UserDefaults in the Notification Service Extension.
Should I treat the Extension as part of the App and only declare it within the App project? Or do I need to separately declare it for the Extension as well?
If my app utilizes ASWebAuthenticationSession or SFSafariViewController, do I need to add all potential tracking domains that users may access within the session?
There is virtually no way to limit the URLs or domains that users can access within the ASWebAuthenticationSession or SFSafariViewController, so how can I know all the potential domains?
I'm creating an SDK, the static library doesn't have a target membership check, how do I add it?
I'm wondering what should I write in the associated static library(.a) if the user adds occupation privacyinfo.
I can't find any examples, so if anyone has solved this, I'd appreciate an example :)
Hello, according to this doc Apple will begin blocking app store submissions in Spring 2024 when an application or one of its 3rd-party SDKs calls certain iOS/iPadOS system APIs without declaring a reason for doing so via a privacy manifest.
It seems that for framework and app targets, adding a privacy manifest is relatively straightforward: Add the xcprivacy file to the project and make it a member of the appropriate build target. For apps and fameworks, this will cause the privacy manifest to be copied into the root directory of the .app or .framework bundle at build time.
I work on a SDK which ships to application developers as a static library (.a) bundled within a xcframework. It seems that Xcode will not allow a privacy manifest file to be added as a member of a static library target. Which I assume is because when compiled, a static library build target does not produce a bundle like a ".app" or ".framework" which you'd get when compiling an app or framework target. Just a standalone (.a) file. What is the recommended way for developers of static libraries to provide application developers with a privacy manifest for their SDK? Is there a mechanism for including the privacy manifest somewhere within the xcframework bundle at the time it is created for the static lib, so that it automatically gets copied into an application which may link to it? If not, can the privacy manifest be included in a resource bundle which we already provide to our partners along with the static lib? Or does the manifest need to exist within the root directory of the application bundle since the contents of the static lib will ultimately get embedded into the app binary? If that is the case, do we need to provide our app partners with a separate standalone xcprivacy file, which they would need to incorporate into their project?
As the new requirement for Privacy manifests is coming this Spring 2024 (https://developer.apple.com/news/?id=r1henawx), Apple released a list of SDK's that need to comply with this requirement and provide a privacy manifest file: https://developer.apple.com/support/third-party-SDK-requirements/
I have some questions:
Do i need to declare a privacy manifest file for the SDKs if i'm updating an old app that already includes one of these SDKs? Apple states "when you submit an app update that adds one of the listed SDKs as part of the update" which in my understanding applies only when an app adds an SDK for the first time in an app update.
What happens with SDK's that are not in this list? Should every single SDK an app uses to include the privacy manifest file?
Feature-rich products like Firebase offer a lot of features, but don't use all of them.
For example, Firebase Analytics may or may not use a user id.
Do I need to include all the features of firebase analytics in my privacy manifest just because I've included firebase analytics in my app, even if I don't use it?
Apple will enforce Privacy Manifest starting this spring.
Apple said it would inform you through e-mail before then.
I think a lot of developers should have already received mail.
But it's harder to find mail-related content than I thought.
Has anyone received an email? If so, what is it about??
Hi community,
i am updating the PrivacyInfo file of our app. Our app has multiple extensions, some of them accessing the UserDefaults. Because of that I want to set the Privacy Accessed API Type to a value of 1C8F.1. However, from the drop down menu for possible values, the value for code 1C8F.1 is not available. It does not show up in the list.
Can I just manually edit the underlying xml file and just add <string>1C8F.1</string> to the array for NSPrivacyAccessedAPITypeReasons and expect it to work or will this cause issues when submitting our app to the app review?
Hi,
I uploaded my app to the app store but Apple rejected it and gave me the following reason for rejection. I don't know how to fix it because url for policy of privacy is working and show information. Please guide me for this how can I resolve it and re upload my app. Thank You
Guideline 1.5 - Safety - Developer Information
The support URL specified in your app’s metadata, https://www.doclinkapp.net/privacypolicy, does not properly navigate to the intended destination.
Next Steps
To resolve this issue, please revise your app’s support URL to ensure it directs users to a webpage with support information.