I'm developing an application for a client. This app is intended to be sold with a subscription. My client wants that at the time of registration, the user's data (name, date of birth, address, etc.) be sent to a server to be saved in a database for commercial purposes. What is Apple's policy knowing that the user will have the ability to give their consent

FB18383742 Setup 🛠️ Xcode 16.4 (16F6) 📱 iPhone 13 mini (iOS 18.0.1) ⌚️ Apple Watch Series 10 (watchOS 11.3.1) Observations As AccessorySetupKit does not request "Core Bluetooth permissions", when a watchOS companion app is installed after having installed the iOS app, the toggle in the watch settings for Privacy & Security > Bluetooth is turned off and disabled After removing the iPhone associated with the Apple Watch, Bluetooth works as expected in the watchOS app Upon reinstalling the iOS app, there's a toggle for Bluetooth in the iOS ASK app's settings and the ASK picker cannot be presented 🤨 From ASK Documentation: AccessorySetupKit is available for iOS and iPadOS. The accessory’s Bluetooth permission doesn’t sync to a companion watchOS app. But this doesn't address not being able to use Core Bluetooth in a watch companion app at all 🥲 Reproducing the bug Install the iOS + watchOS apps Launch iOS app, tap "start scan", observe devices can be discovered (project is set up to find heart rate monitors) Launch watchOS, tap allow on Bluetooth permission pop-up watchOS app crashes 💥 Meanwhile, in the iOS app, there should be a log entry for 💗 CBCentralManager state: poweredOff and the ASK picker is no longer able to discover any devices The state of the device permissions: iOS app has no paired accessories or Bluetooth permission watchOS app's Bluetooth permission shown as turned off & disabled Remove the iOS app Relaunch the watchOS app Notice the CBCentralManager state is unauthorized Remove and reinstall the watchOS app Tap allow on Bluetooth permission pop-up watchOS app does not crash and CBCentralManager state is poweredOn The state of the watch permissions: Bluetooth is turned on & the toggle is not disabled Note that at this time the iOS app is not installed, there is no way to remove Bluetooth permission for the watch app. Reinstall + launch the iOS app Notice a warning in the log: [##### WARNING #####] App has companion watch app that maybe affected if using CoreBluetooth framework. Please read developer documentation for AccessorySetupKit. Notice a log entry for 💗 CBCentralManager state: poweredOn before tapping start scan Tap start scan and observe another log entry: Failed to show picker due to: The operation couldn’t be completed. (ASErrorDomain error 550.) ASErrorDomain 550: The picker can't be used because the app is in the background. Is this the expected error? 🤔 The state of the iOS permissions: The app's settings show a Bluetooth toggle normally associated with Core Bluetooth, but the app never showed a Core Bluetooth pop-up The iOS ASK app now has Core Bluetooth permission 😵‍💫 Following up with Apple This is a known bug that should be fixed in watchOS 26 when Bluetooth permissions for watch apps can be set independently of the iOS app. I've yet to test it with watchOS 26. See repo for the same post with screenshots of the settings and demo code reproducing the bug: https://github.com/superturboryan/AccessorySetupKit-CoreBluetooth-watchOS-Demo

I have a project that need to get serial number and network SSID. I have looking anywhere to get those 2 value but no luck to find it. is there anyway i can get those information from the device?

Hello everyone, Our app, NumberBox, was rejected due to Guideline 5.1.1, with the review team saying it “collects information from public sources to build individual profiles.” We want to clarify: All data is 100% user-reported. Users voluntarily submit phone numbers (spam, scam, or telemarketing) and assign tags through the “Add Tag” feature. No data is collected from public sources or user contacts. No profiles are built automatically. All user submissions are reviewed by our support team before being displayed. The sole purpose of NumberBox is to help users avoid unwanted or scam calls, not to collect personal data. Our updated Privacy Policy is here: https://numberbox.app/privacypolicy Has anyone encountered a similar issue with Guideline 5.1.1? Any guidance on how to clearly communicate this to App Review would be greatly appreciated. Thanks in advance!

Documentation seems to say that privacySensitive is supposed to redact on the lockScreen. I've disabled "Allow Access when locked" for "Lock Screen Widgets" just in case. It does not work for me. If I add "redacted(reason:) into the view hierarchy it redacts all the content all the time including on the home screen. I've read articles. I gone through a lot of documentation. None of them seem to give the magic formula for redacting sensitive content on the lock screen. I'm using iOS 18.7 on a real iPhone 14 Pro Max.

Hello world! First post here. Developing my first app. It primarily targets supervised and MDM managed devices. A few questions: For supervised devices, is serial number available? I want to get the number and use it for app auto activation Is MDM required for supervised devices? Or, as long as a device is enrolled through Apple Business Manager? Which capacity shall I request for the app? Thanks so much!

Is it possible to create a sandboxed app that uses accessibility permission? And if so, how do I ask the user for that permission in a way that is allowed by the App Store? Im creating a small menubar app and my current (rejected) solution is to create a pop-up, with link to Security & Privacy > Accessibility and the pop-up asks the user to manually add the app to the list and check the checkbox. This works in sandbox. Reason for rejection: "Specifically, your app requires to grant accessibility access, but once we opened the accessibility settings, your app was not listed." I know it's not listed there and it has to be added manually. But its the only solution I've found to this issue. Is there perhaps any way to add the app there programmatically? Im a bit confused since I've seen other apps in App Store that work the same way, where you have to add the app to the list manually. Eg. Flycut. :man-shrugging: I know about this alternative solution, and it's not allowed in sandboxed apps. It also adds the app to the accessibility list automagically: func getPermission() { AXIsProcessTrustedWithOptions([kAXTrustedCheckOptionPrompt.takeUnretainedValue():true] as CFDictionary). } Does anyone have a solution for this? Best regards, Daniel

Hi , I have a requirement like, Develop an app for iPad and app uses .net core apis. App will be in kiosk mode, and app doesn't have any type of authentication even OTP also. As the apis will be publishing to all over internet, how can we achieve security to apis? Kindly provide suggestions for this implementation

Starting with macOS 15 (Sequoia), applications that perform network discovery operations now trigger a permission prompt: "Allow [AppName] to find devices on local networks". I am using sysctl() with NET_RT_FLAGS and RTF_LLINFO to access the ARP table and retrieve gateway MAC addresses: int mib[6]; mib[0] = CTL_NET; mib[1] = PF_ROUTE; mib[2] = 0; mib[3] = AF_INET; mib[4] = NET_RT_FLAGS; mib[5] = RTF_LLINFO; // This flag accesses ARP table entries if (sysctl(mib, 6, buf, &needed, NULL, 0) < 0) return nil; From my testing, the Local Network Access prompt does not always appear. It looks like if the MAC address is already cached in the ARP table, no prompt is shown, and the prompt only appears when the system needs to resolve a new MAC address. Is this correct behavior? Does ARP resolution by itself triggering the prompt?

Hello, PrivacyInfo.xcprivacy Is primordial and without it the app is rejected from the Store I believe. All 5 ressources I had found related to it, mention XCODE, or explain how to add the code to langages that I don't use (Switf i think?) etc. I am building the app thought CI/CD, so prior to building it the app does not have privacy manifest and there is not way to generate it automatically without xcode it seems. My app is written in Flutter prior to becoming an iOS app. I am seeking for a method to do that. Thanks.

Hi, after upgrading to MacOS Sequoia, my connection to my local IP address does not work. The issue is with the PF (MacOS advanced firewall), as I confirmed that my local application works disabling it temporarily. Does anyone know how can I do to solve this problem? As APP developer, this is a big problem for me. Thanks in advance.

Hello everyone, I've noticed some unusual behavior while debugging my application on the iOS 26 beta. My standard testing process relies on the App Tracking Transparency (ATT) authorization status being reset whenever I uninstall and reinstall my app. This is crucial for me to test the permission flow. However, on the current beta, I've observed the following: 1 I installed my app on a device running the iOS 26 beta for the first time. The ATTrackingManager.requestTrackingAuthorization dialog appeared as expected. 2 I completely uninstalled the application. 3 I then reinstalled the app. Unexpected Result: The tracking permission dialog did not appear. And more importantly, the device's advertisingIdentifier appears to have remained unchanged. This is highly unusual, as the IDFA is expected to be reset with a fresh app installation. My question: Is this an intentional change, and is there a fundamental shift in how the operating system handles the persistence of the IDFA or the authorization status? Or could this be a bug in the iOS 26 beta? Any information or confirmation on this behavior would be greatly appreciated.

I added a feature to my app that retrieves only app settings (no personal data) from my API hosted on Cloudflare Workers. The app does not send, collect, track, or share any user data, and I do not store or process any personal information. Technical details such as IP address, user agent, and device information may be automatically transmitted as part of the internet protocol when the request is made, but my app does not log or use them. Cloudflare may collect this information. Question: Does this count as “data collection” for App Store Connect purposes, or can I select “No Data Collected”?

Hi, I have an iOS app that only makes GET requests to my own API (hosted on Cloudflare Workers). The app only receives information for its settings (like whether to show a coupon code). It does not send, collect, track, or share any user data, and I do not store or process any personal information. I understand that technical details (like IP address, user-agent, device information, etc.) are automatically sent as part of the internet protocol. Since I don’t log or use this data, I’m unsure if it counts as “data collection.” However, it is possible that Cloudflare collects this information for security purposes and deletes it after some time. Question: In this case, can I select “No data collected” in the App Privacy section of App Store Connect? Thanks!

We’ve run into what looks like a gap in how forceAirDropUnmanaged is enforced on iOS devices. Setup: Device: iOS 17.x (unsupervised, enrolled in MDM) MDM Restriction: forceAirDropUnmanaged = true Managed Open-In restriction also applied (block unmanaged destinations). Verified: from a managed app, the AirDrop icon is hidden in the share sheet. This part works as expected. Issue: When two iOS devices are brought close together, the proximity-initiated AirDrop / NameDrop flow still allows transfer of photos, videos, or files between devices. In this path, forceAirDropUnmanaged does not appear to apply, even though the same restriction works correctly in the standard sharing pane. What I’d expect: If forceAirDropUnmanaged is enabled, all AirDrop transfer paths (including proximity/NameDrop) should be treated as unmanaged, and thus blocked when “Managed Open-In to unmanaged destinations” is restricted. What I observe instead: Share sheet → AirDrop hidden ✅ Proximity/NameDrop → transfer still possible ❌ Questions for Apple / Community: Is this a known limitation or expected behavior? Is there a different restriction key (or combination) that also covers proximity-based AirDrop? If not currently supported, should this be filed as Feedback (FB) to request alignment between share sheet AirDrop and NameDrop enforcement? This behaviour introduces a compliance gap for organisations relying on MDM to control data exfiltration on unsupervised or user-enrolled devices. Any clarification or guidance would be greatly appreciated.

We have received some information that with the release of iOS 18, there have been notable changes in how this API behaves, can apple team shed some light on this? on ios 17 this worked without much issues, what has changed on ios 18?

Hello, I’m new here. I'm developing an iOS app and I’d like to know whether it is possible to detect if a phone call is being recorded by another app running in the background. I’ve already reviewed the documentation for CallKit and AVAudioSession, but I couldn’t find anything related. My expectation was that iOS might provide some callback or API to indicate if a call is being recorded (third-party apps), but so far I haven’t found a way. My questions are: Does iOS expose any API to detect if a call is being recorded? If not, is there any indirect, Apple's policy compliant method (e.g., microphone usage events) that can be relied upon? Or is this something that iOS explicitly prevents for privacyreasons? Expecting solutions that align with Apple’s policies and would be accepted under the App Store Review Guidelines. Thanks in advance for any guidance.

I am developing an app that communicates with external BLE device over GATT. The device has a secure-read characteristic exposing some of it's data and requires pairing/bonding in order to communicate with it. I was able to pair and connect with the device using AccessorySetupKit and .bluetoothPairingLE option: let descriptor = ASDiscoveryDescriptor() descriptor.bluetoothServiceUUID = CBUUID(string: serviceUUID) descriptor.supportedOptions = [.bluetoothPairingLE] let picketItem = ASPickerDisplayItem(name: name, productImage: image, descriptor: descriptor) In this case when setting up accessory, I was prompted to compare passkeys and after confirming I can read the characteristic etc. Then I tried adding .confirmAuthorization to picker item and problems started: let descriptor = ASDiscoveryDescriptor() descriptor.bluetoothServiceUUID = CBUUID(string: serviceUUID) descriptor.supportedOptions = [.bluetoothPairingLE] let picketItem = ASPickerDisplayItem(name: name, productImage: image, desc pickerItem.setupOptions = [.confirmAuthorization] When setting up, I can see a passkey to be confirmed, but when confirmed the setup ui get's suck in loading state. Under the hood in logs, I can see that my app has connected to peripheral and was able to read the characteristic. I am unsure why the ui is stuck in loading state in this case. What is the difference when using .confirmAuthorization option and what should be the proper flow of events to setup accessory and then access protoected characteristic?

App Store Connect's privacy label system creates impossible review situations by checking live app versions instead of submitted builds. Problem: Developer has a live app with tracking on the App Store Developer create a new app version with all tracking removed Privacy labels from AppStore Connect cannot be updated because system references live version with tracking App gets rejected for privacy label mismatch with submitted build Cannot fix labels until approved, cannot get approved with wrong labels Expected behavior: Privacy label system should allow updates for pending app versions or check submitted build instead of live version. Steps to reproduce: Submit app update with tracking removed Try to update privacy labels to "no tracking" from AppStore Connect System shows error: "Your app contains NSUserTrackingUsageDescription, indicating that you will request permission to track users. You must indicate which data types are tracking users. If this is incorrect, update your app binary and upload a new build to App Store Connect." App gets rejected despite submitted build having no tracking This affects any developer trying to remove tracking functionality from AppStore Connect in such a scenario. I have opened a bug in Feedback Assistant: FB19459680

Hi everyone, I'm facing a frustrating App Store rejection that I can't seem to resolve. My app was rejected under Guideline 2.1 - Information Needed with the following message: "The app uses the AppTrackingTransparency framework, but we are unable to locate the App Tracking Transparency permission request when reviewed on iPadOS 18.5." However, in my latest version (2.9 Build 18), I have: Removed all SDKs that collect IDFA or perform tracking. Removed the AppTrackingTransparency framework entirely. Removed the NSUserTrackingUsageDescription key from Info.plist. Confirmed that no third-party SDKs are accessing IDFA or similar. Not using the app_tracking_transparency package (I'm using Flutter). I included a detailed review note explaining all of this, yet the app still gets rejected for not showing the ATT prompt — even though ATT is not used at all. Also, I can't update the App Privacy section until this new version is approved, which still reflects tracking from a previous live version (2.3). Has anyone faced something similar? Questions: Is there a way to confirm what part of the build might still be triggering ATT detection on Apple's side? Could an unused pod or leftover reference be the issue? How do I fully verify that ATT is not linked anywhere in the final binary? Any guidance or tips from others who’ve resolved this would be hugely appreciated! Thanks