Let's say I have an iOS app on the app store. Anyone can download and use it, but I would like to restrict the app from granting access to certain features to a select set of people I can personally vouch for. So, for example, to get access, the app send email to me, you have to convince me I know you, and if you do, I send you back some kind of token string which you can enter into the app.
However, I'd like for that token to not be shareable, and to be locked to that device.
Is there any kind of persistent ID associated with a device that I can use to tie the token I grant to that persistent ID?
Or can someone suggest a way that once I trust a user, I can give them a token which will cannot be shared to anyone else?
Also, does anyone know if restricting access to app features in this way is any kind of issue with regards to the app review process? The app itself is free, and there are no in-app purchases. I simply don't want certain features of the app (which end up sending push notifications) to get abused.
Privacy
RSS for tagDiscuss how to secure user data, respect user data preferences, support iCloud Private Relay and Mail Privacy Protection, replace CAPTCHAs with Private Access Tokens, and more. Ask about Privacy nutrition labels, Privacy manifests, and more.
Posts under Privacy tag
200 Posts
Sort by:
Post
Replies
Boosts
Views
Activity
Should the privacyInfo.xcprivacy file provided by an app also cover the content of the privacyInfo.xcprivacy from an SDK?
For example, if Privacy Tracking Enabled is set to true in a third-party SDK, does that mean Privacy Tracking Enabled should also set to true in the privacyInfo.xcprivacy file included in the app?
I work on an app that uses a couple 3P SDKs that have their own SDK. My app also uses some of the APIs (UserDefaults) and declares those reasons in it's privacy manifest file.
I was under the impression that I should only declare the reasons from my app in it's Privacy Manifest file, and that the 3P SDK reasons would automatically be pulled in (because they include them).
Uploading to TestFlight I get warnings that this is not the case. If I only declare my app's reasons, it warns me that the APIs the SDK accesses are not included in the manifest.
The only way to get it to work, is manually copying in the same declarations that the 3P SDK has into my own manifest file. Is this the way it's supposed to work? Or should it be generating a holistic manifest automatically for me?
Hello!
In our applications we consume several 3rd party libraries that use one or more API from this list - https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api?language=objc. These XCFrameworks contain static frameworks (a framework with a statically linked binary inside), so after linking, the machine code inside these frameworks becomes either a part of the app's executable or a part of a dynamic library.
We integrate these libraries using Swift Package Manager's ".binaryTarget" feature and have been having trouble understanding where should the privacy manifest be located in the final app, so that we can pass the App Store review process. It seems that with SPM the privacy manifest (PrivacyInfo.xcprivacy file) is lost - https://github.com/apple/swift-package-manager/issues/7317
If the static framework is linked as a part of the app's executable, does that mean we have to manually merge the app's privacy manifest with that of a 3rd party static library?
If the static framework is linked as a part of a dynamic library within the app, where should the privacy manifest be located? And what should happen if there are multiple static frameworks each with a privacy manifest being linked into this dynamic library?
Thank you very much!
Hey, I’m updating all of my apps to target the new versions of all the plugins we use, and for some reason, I have a warning message :
ITMS-91053: Missing API declaration - Your app’s code in the “*****” file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryDiskSpace. ...
ITMS-91053: Missing API declaration - Your app’s code in the “*****” file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryFileTimestamp. ...
Apple Developer Relations
But in my Cordova config.xml, I have already added the <privacy-manifest> tag:
<privacy-manifest>
<key>NSPrivacyTracking</key>
<false/>
<key>NSPrivacyCollectedDataTypes</key>
<array/>
<key>NSPrivacyTrackingDomains</key>
<array/>
<key>NSPrivacyAccessedAPITypes</key>
<array>
<dict>
<key>NSPrivacyAccessedAPIType</key>
<string>NSPrivacyAccessedAPICategoryDiskSpace</string>
<key>NSPrivacyAccessedAPITypeReasons</key>
<array>
<string>E174.1</string>
</array>
</dict>
<dict>
<key>NSPrivacyAccessedAPIType</key>
<string>NSPrivacyAccessedAPICategoryFileTimestamp</string>
<key>NSPrivacyAccessedAPITypeReasons</key>
<array>
<string>3B52.1</string>
</array>
</dict>
</array>
</privacy-manifest>
I have already sent some applications to Apple, and there is no problem; they haven’t sent me back the ‘Missing API declaration’ error.
So in conclusion, I don’t know what the problem is for three of my app’s pool. it’s been several days that I’ve been working on this issue.
If you have a solution, please let me know.
Best regards."
Hello, I was referring to the post - https://developer.apple.com/forums/thread/663769 to determine if my app has been granted access to Local Network or not. I am starting an NWConnection for a local network address and checking if the currentPath?.unsatisfiedReason == .localNetworkDenied. This is not working as expected.
Even when I accept the local network permission prompt, I still get the unsatisfied reason as .localNetworkDenied. I have also tried turning off/on the permission toggle from the settings app. I have also checked this with the 2nd method in the above post about using pathUpdateHandler and getting the same results. I am using an iOS 17.4.1 device.
Is this method reliable? Is there some other method/api that I can use to check for local network access in my app?
My app uses CGEventTapCreateForPid to monitor keyboard events of a corresponding process. My app has already enabled the Accessibility permission, and AXIsProcessTrustedWithOptions returns true. However, CGEventTapCreateForPid returns null. What could be the problem? Does anyone know? I tested and found that if CGEventTapCreateForPid returns null, I can reset the Accessibility permission using tccutil reset Accessibility myapp_bundleid without restarting my app. But my app can still get the permission through AXIsProcessTrustedWithOptions
In my react native app deployed on appstore. I've added Privacy.Info file to declare privacy manifest as requested by Apple. But as soon as I added this file in my project using xcode, I am getting the Multiple commands produce Error when I make the build.
Below is the code for my privacy.info file, which I've added in the root ios folder of my react native project.
<dict>
<key>NSPrivacyAccessedAPITypes</key>
<array>
<dict>
<key>NSPrivacyAccessedAPIType</key>
<string>NSPrivacyAccessedAPICategoryDiskSpace</string>
<key>NSPrivacyAccessedAPITypeReasons</key>
<array>
<string>E174.1</string>
</array>
</dict>
<dict>
<key>NSPrivacyAccessedAPIType</key>
<string>NSPrivacyAccessedAPICategoryUserDefaults</string>
<key>NSPrivacyAccessedAPITypeReasons</key>
<array>
<string>CA92.1</string>
</array>
</dict>
<dict>
<key>NSPrivacyAccessedAPIType</key>
<string>NSPrivacyAccessedAPICategoryFileTimestamp</string>
<key>NSPrivacyAccessedAPITypeReasons</key>
<array>
<string>C617.1</string>
</array>
</dict>
<dict>
<key>NSPrivacyAccessedAPIType</key>
<string>NSPrivacyAccessedAPICategorySystemBootTime</string>
<key>NSPrivacyAccessedAPITypeReasons</key>
<array>
<string>35F9.1</string>
</array>
</dict>
</array>
</dict>
What happens if I submit an app and one of the third party libraries (but not in the big list of common third party libraries) in my app has errors in its privacy manifest? Does my app get rejected? Or does Apple go after the third party to fix their library?
The error is simple enough. They simply failed to include the NSPrivacyCollectedDataTypes key. Actually, it is missing other keys but the error report probably stopped at the first one.
The error is from Xcode > Window > Organizer > Archives > command click an archive from the list > Generate Privacy Report.
The exact text of the error in that report is:
Errors Encountered
Missing an expected key: 'NSPrivacyCollectedDataTypes'
I am not concerned with how to fix the syntax. I know that much. I want to know what Apple will do if I submit the app for review with the errors present in the third party lib. There are verbal rumors and speculation that Apple contacts third party library devs and leave app devs alone if a library messes up its privacy file, but I cannot find any confirmation of this on the Internet.
And again, while this lib is from medium size commercial vendor, it is not common enough to be on Apple's list.
So as we know it's nearty 1/5 and the deadline of Privacy Manifest is near, I had take care allmost of case in my project but the things is I keep getting warning emails saying that I need to state for some "required api" that I'm using in my code.
Which I'm current not.
So after thinking abit, I decided to look into the IPA and extract the binary version of my IPA's package content using nm command.
And supprisingly I can easily saw all the "reuqired API" that stated in the email Apple send me for my release
So my question is: Do we really need to handle those case too? because always the "behind the scence" things using those API and honest I can't confirm where did they run or what did they do (due to limit of time until 1/5)
How can I open the user's Health Privacy Settings directly from my app when I'd like them to review them?
I believe similar questions have been asked before like this one: https://forums.developer.apple.com/forums/thread/730434
However, I'm wondering if the situation is changed for iOS 17 or if there's a way that works for Health permissions.
This is directly possible in the Garmin Connect app for example which is a major app on the store.
Hello, I have a question.
Recently, Apple's announcement asks for "Describing use of required reason API".
https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api?language=objc
SDKs that require a privacy file are specified in the "SDKs that require a privacy manifest and signature."
https://developer.apple.com/jp/support/third-party-SDK-requirements/
question 1. Should SDKs included in the list of "SDKs that require a privacy manifest and signature" provided by Apple always include a privacy file? Or you can put the privacy file only in your XCode project.
Question 2. If I don't use any personal information within the SDK, I don't need to insert a privacy file?
thank you.
Hey, I uploaded an app to Testflight and received these two Missing API declaration warnings. Is there something I am missing/wrong on the PrivacyInfo.xcprivacy file? Thanks so much!
ITMS-91053: Missing API declaration - Your app’s code in the “Ыйык Китеп” file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryFileTimestamp. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code.
ITMS-91053: Missing API declaration - Your app’s code in the “Ыйык Китеп” file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryDiskSpace. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code.
The content of my connected PrivacyInfo.xcprivacy file is:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>NSPrivacyTracking</key>
<false/>
<key>NSPrivacyTrackingDomains</key>
<array/>
<key>NSPrivacyCollectedDataTypes</key>
<array/>
<key>NSPrivacyAccessedAPITypes</key>
<array>
<dict>
<key>NSPrivacyAccessedAPIType</key>
<string>NSPrivacyAccessedAPICategoryDiskSpace</string>
<key>NSPrivacyAccessedAPITypeReasons</key>
<array>
<string>E174.1</string>
</array>
</dict>
<dict>
<key>NSPrivacyAccessedAPIType</key>
<string>NSPrivacyAccessedAPICategoryFileTimestamp</string>
<key>NSPrivacyAccessedAPITypeReasons</key>
<array>
<string>C617.1</string>
</array>
</dict>
</array>
</dict>
</plist>
For more context:
Generate Privacy Report option from xcode 15 is returning a blank pdf file on my archive. I assume it is the same issue as this thread.
I ran ios_17_required_reason_api_scanner that picked this info up. I think all of these should fall within NSPrivacyAccessedAPICategoryDiskSpace and NSPrivacyAccessedAPICategoryFileTimestamp.
Searching for use of required reason API
See https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api
Found potentially required reason API usage 'NSFileCreationDate' in '../global-bible-app-builder-v2/app/platforms/ios/Ыйык Китеп/Plugins/@moodlehq/cordova-plugin-zip/Plugins/minizip/SSZipArchive.m'
Line numbers: 224
Found potentially required reason API usage 'NSFileModificationDate' in '../global-bible-app-builder-v2/app/platforms/ios/Ыйык Китеп/Plugins/@moodlehq/cordova-plugin-zip/Plugins/minizip/SSZipArchive.m'
Line numbers: 224 270 358 529 591
Found potentially required reason API usage '.creationDate' in '../global-bible-app-builder-v2/app/platforms/ios/Ыйык Китеп/Plugins/cordova-plugin-file/CDVAssetLibraryFilesystem.m'
Line numbers: 234 235
Found potentially required reason API usage 'NSFileSystemFreeSize' in '../global-bible-app-builder-v2/app/platforms/ios/Ыйык Китеп/Plugins/cordova-plugin-file/CDVFile.m'
Line numbers: 419
Found potentially required reason API usage '.fileModificationDate' in '../global-bible-app-builder-v2/app/platforms/ios/Ыйык Китеп/Plugins/cordova-plugin-file/CDVLocalFilesystem.m'
Line numbers: 713
After adding PrivacyInfo.xcprivacy following this Steps:
https://vikramios.medium.com/itms-91053-missing-api-declaration-3c2bef935bd3
I am getting this error
❌ error: Multiple commands produce 'app_dir/PrivacyInfo.xcprivacy';
how could I remove the key NSMotionUsageDescription? cause it leads some crash problem.But after I remove the key NSMotionUsageDescription, I submit to Apple Store connect,I will receive issue .TMS-90683: Missing purpose string in Info.plist - Your app’s code references one or more APIs that access sensitive user data, or the app has one or more entitlements that permit such access. The Info.plist file for the “ydbus.app” bundle should contain a NSMotionUsageDescription key with a user-facing purpose string explaining clearly and completely why your app needs the data. If you’re using external libraries or SDKs, they may reference APIs that require a purpose string. While your app might not use these APIs, a purpose string is still required. For details, visit: https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/requesting_access_to_protected_resources.
How could I solve the problem? I reviewed my project,I don't use the key NSMotionUsageDescription api.
Hello Apple Developer Community,
I'm reaching out to seek clarification on a specific post in the forum, referenced here: https://developer.apple.com/forums/thread/743295
Lets say our current live App in App Store uses below mentioned third-party SDKs
SDKs listed in commonly used SDKs:
Firebase
GoogleUtilities
AppAuth
RxSwift
RxCocoa
SDKs not listed in commonly used SDKs:
SDK1 (uses required reason API)
SDK2 (uses required reason API)
SDK3 (uses required reason API)
Note: All the above mentioned SDKs are already integrated in the current live app, not adding for the first time
We are going to update our app soon (lets say after May 1, 2024)
I have some questions:
If I’m updating SDKs listed in commonly used SDKs and updating an old app that already includes these SDKs. Do I need to declare a privacy manifest file for these SDKs?
If I’m not updating SDKs listed in commonly used SDKs and updating an old app that already includes these SDKs. Do i need to declare a privacy manifest file for these SDKs?
If I’m updating SDKs not listed in commonly used SDKs and updating an old app that already includes these SDKs. Do I need to declare a privacy manifest file for these SDKs?
If I’m not updating SDKs not listed in commonly used SDKs and updating an old app that already includes these SDKs. Do I need to declare a privacy manifest file for these SDKs?
Hi community:
Is there any way to create a Privacy report from the command line?
Thanks
Once I have the PDF generated by xcode:
what exactly should I be doing with it?.
Is there a place in Apple Connect where I should be uploading it?.
If there's a place to upload it, will this mean that privacy manifest for our app will be updated by using this PDF?
Do you have some documentation I can reference to where I can see the process of uploading this PDF? (not the process of how to create the xcprivacy file or how to add it to xcode nor all the properties that go in the plist file.)
in this weeks i received this error:
ITMS-91055: Invalid API reason declaration - The PrivacyInfo.xcprivacy for the “VanigliaPro” file contains “App Functionality” as the value for a NSPrivacyAccessedAPITypeReasons key instead of a valid reason code for using an API in the NSPrivacyAccessedAPICategoryFileTimestamp category. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, values for NSPrivacyAccessedAPITypeReasons keys in your app’s privacy manifest must be valid reason codes for the corresponding API category. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.
ITMS-91053: Missing API declaration - Your app’s code in the “xxxx” file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryUserDefaults. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.
ITMS-91053: Missing API declaration - Your app’s code in the “xxxx” file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryFileTimestamp. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.
any help for make correct privacy file?
Hello, I have a problem.
Our app is based on a set of javascript cross-platform development framework, which includes bridging and packaging of the Foundation Framework. This bridging and packaging itself does not make any API calls, but it contains almost all security APIs. This In this case, does this Framework, which is only used as a bridge, need to add a privacy manifest statement? But since it does not make any API calls, how should I fill in the content?