This post is related to https://developer.apple.com/videos/play/wwdc2023/10061/
Hi, we are wondering if the framework should be signed.
The video indicates that all xcframeworks must be signed; on the other hand, frameworks are not mentioned, even on the website.
Does anyone have ideas?
Privacy
Discuss how to secure user data, respect user data preferences, support iCloud Private Relay and Mail Privacy Protection, replace CAPTCHAs with Private Access Tokens, and more. Ask about Privacy nutrition labels, Privacy manifests, and more.
The current structure of my SDK xcframework is XXXX-Release.xcframework. Inside that, I have an XXXX.xcframework and a LICENSE.md file. Currently, this structure works fine in Swift Package Manager, dropping the XXXX-Release.xcframework file into Xcode and CocoaPods.
When I sign my xcframework as per Apple's requirements, I need to sign XXXX.xcframework, which is on the second level. Signing this works fine.
Will this meet Apple's requirements for signing an xcframework? I just want to make sure the current structure of my SDK does not need to change.
Thanks
Do I have to add the Privacy Manifest file in my SDK if I'm not using any required reason APIs and not collecting any data?
Using the Bonjour service requires obtaining local network permissions, but the Bonjour service also scans nearby devices through Bluetooth. Why isn't Bluetooth permission required?
https://developer.apple.com/library/archive/qa/qa1753/_index.html#apple_ref/doc/uid/DTS40011315/
Did I misunderstand? Is there an issue with the design of iOS here?
Hello everyone,
I have a question about the file PrivacyInfo.xcprivacy: Is it mandatory to have it in all XCFrameworks for submitting/updating apps in the App Store after Spring 2024? Alternatively, can the app declare all the values of this file directly (including the required configurations for third-party libraries) while the third party delivers the XCFrameworks with this file included?
Would it be acceptable to include a blank privacy manifest file for an open-source third-party SDK that does not fit any of the Data Types or Required Reason APIs categories? Or would it be better not to include one at all?
Hello, we provide some xcframeworks for customers. Does Xcode automatically merge all privacy manifests under the xcframework?
If it is a framework, do you need to manually configure the app-level privacy manifest?
In the "Privacy updates for App Store submissions" section, the addition of a privacy manifest file is required for app releases after May 1.
We added a subdomain and defined it in NSPrivacyTrackingDomains, but when we separate the subdomain and main domain as "tracking.example.com" when ATT is allowed and "example.com" when ATT is not allowed, would the communication on the main domain not result in an error?
I couldn't figure it out exactly from the documentation or the session, so please let me confirm.
Documentation: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files
Session (domain definition): https://developer.apple.com/videos/play/wwdc2023/10060/?time=387
The text from https://developer.apple.com/news/?id=3d8a9yyh states,
"Make sure to use a version of the SDK that includes its privacy manifest and note that signatures are also required when the SDK is added as a binary dependency."
Does this imply that I must update all the third-party libraries I use to versions that "include a privacy manifest"? I do not wish to upgrade the third-party library code, but I can ensure that the privacy manifest in my app will include the privacy manifest related to the APIs utilized by these older versions of the third-party libraries.
The page https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_data_use_in_privacy_manifests mentions that third-party SDKs need to provide their own privacy manifest files.
What about the SDKs which are in-house? Meaning, if the application contains SDKs which are developed within the same company as the application, would they be treated as third-party SDKs?
Hello,
Scenario:
My app is running in the foreground, logged into my backend server and I have registered for push notifications and received a push token. I have pin code activated on the phone.
I make some code changes and re-flash it in Xcode, the app is running in debug mode wired to Xcode.
I put the app in the background and lock the screen and wait 30 sec until data protection is activated and the keychain cannot be accessed.
I send a push notification. In this case didRegisterForRemoteNotificationsWithDeviceToken is often called with the same push token as I had before.
Data is protected in this state, hence I cannot access the auth token and send the token to the server. In this case it is not needed since the token is the same, but it got me a bit worried. In didRegisterForRemoteNotificationsWithDeviceToken I send the push token to the server, as the Apple docs recommend.
My concern now is: could didRegisterForRemoteNotificationsWithDeviceToken be called in a real scenario when the phone is locked and data protection is activated?
The Apple docs say:
Device tokens can change periodically, so caching the value risks sending an invalid token to your server.
And gives an example:
For example, UIKit calls the method when the user launches an app after having restored a device from data that is not the device’s backup data.
In this case, since the user is initiating it, the phone is unlocked so data should be unprotected. But that is one example; what other scenarios could there be that trigger this function, and could data be protected in those scenarios?
I'm worried that it could be triggered, even if it's rare, in a state where data protection is activated, hence I cannot send the new push token to the server, and thus future remote notifications from the server will not be received by my app until the user logs out and logs in again.
Hello community:
I have some questions about xcprivacy and third parties. I was talking to a third party owner and he told me that in PrivacyInfo.xcprivacy you only need to declare the minimum things to use the third party.
For example, the third party uses the user's default value to save data about the application, but also if he has extensions, he uses it to communicate data between the application and the extension. Just declare the first one.
Also, it retrieves purchase history and there's a way to use it anonymously (although in my opinion it is not the most used feature by this third party) so the data is not linked to anyone, but if you use a user identified with Apple ID, purchase history is linked to it.
So if the third party only declares the minimal things that he uses, how can we know the rest of the data/api uses? Is this approach correct?
I want to develop a Safari extension for a study for a pet project website. I want to understand the challenges faced by the users while making searches on my e-commerce website. So the extension would basically trigger a survey when active on my website. If I were to understand what was searched on the website, I would need to capture the URL for the current page they are on. Would this be possible? Would it comply with Apple regulation policies?
Hello.
From March 13, 2024, he said he would send an e-mail related to 'Privacy Manifest'.
Does Apple send us an email to the review process? Or does it send the app after it is finally released??
Hello,
I want to release an update of my app and I was wondering if the privacy manifest is already required for submitting an update, or if the app will get rejected for this reason (missing manifest file).
Thank you
This is the mail I received from Apple while testing.
If you look at it, it shows that there are two items that are problematic.
As you can see, "ITMS-91053: Missing API declaration" shows the same problem in both, but the colors are displayed differently.
(Purple, Gray)
There were four problems in the mail I received while testing more, but all of them received the same color.
Is this just a mail error? Or does the color have a meaning?
Dears, do we have to expect any alert from Apple during upload to appcenter for new clients in order to be compliant to Third Party SDK and signature? I'm uploading new beta clients every day without any evidence (rather than the Xcode 15 one)
Could someone notify if receiving any alert during upload step or can we have any alert during manual review?
It's not clear to me if I have to work on it or what.
Thanks
I am assuming that even if the app I am using is not listed in the iOS list of privacy-impacting SDKs, if they use a privacy-impacting SDK in their SDK, then my app will be required to get the privacy manifest for that privacy-impacting SDK: the rule must (logically!) be transitive.
So far Apple has not sent any email about the app needing to provide that for any of our SDKs, but I am worried that maybe Apple has not done the check for us yet, and by the time they do, we will be near the deadline to submit an app.
In https://developer.apple.com/support/third-party-SDK-requirements/ it says "Signatures are also required in these cases where the listed SDKs are used as binary dependencies."
As I am clueless regarding the technicalities of how SDKs are added to a host app, the term binary dependency means nothing to me.
For reference, our app uses CocoaPods to install all of the SDKs.