Hi Everybody,
I would like to see the feature, that allows us to limit the access for selected apps to get access to our Contacts.
Especially apps like WhatsApp cannot be trusted, in my opinion, so I would love to see the possibility to prevent, that they just analyse our full Contact book and sell the data.
With a limited access feature, we can at least decide, which information we wanna share with suspicious companys.
What do you think and how could we reach the developers attention to get this with the next major update.
Greetings from Europe
Privacy
RSS for tagDiscuss how to secure user data, respect user data preferences, support iCloud Private Relay and Mail Privacy Protection, replace CAPTCHAs with Private Access Tokens, and more. Ask about Privacy nutrition labels, Privacy manifests, and more.
Posts under Privacy tag
200 Posts
Sort by:
Post
Replies
Boosts
Views
Activity
Hi,
I just received a new email from AppStore Review while submitting our app for review. This time I got informed, that I need to declare two NSPrivacyAccessedAPITypes: NSPrivacyAccessedAPICategorySystemBootTime and NSPrivacyAccessedAPICategoryFileTimestamp. I tried to find where we make use of APIs falling under these categories, but I couldn't find any in our app code. I searched within our SwiftPM checkout folder too, seeing if there is an SDK missing the PrivacyInfo.xcprivacy file itself or the required declaration, again no luck.
In another thread is described how a link map could help to find the source of my problem, but this file doesn't help me at all. I can find occurrences of the API names as string, but not all of them are API calls (e.g. creationDate which is a custom property).
So my question is now, how can I find the source of these warnings? I dislike the idea of blindly adding both declarations with all options on.
Best,
Thomas
I recently received a notification after my app submission, highlighting missing API declarations in accordance with the new privacy requirements. Following the guidelines, I already updated my pods, which now include their own privacy manifest files. However, I'm still facing issues as detailed in the attached communication from App Store Connect.
Anyone know how to done this?
Our website supports Apple login, but after logging in, the server obtains the private mailbox of Apple users, but we found that sending emails to this private mailbox failed. The following is the response result I sent to the privacy mailbox using Google mailbox
We are using mach_absolute_time to determine the number of CPU cycles in our app, and from that, we are using it to seed a random number generator. From this random number generator, we are getting a series of random numbers and combining it with other random numbers from another generator not seeded via mach_abolute_time. This combined random number is being sent off device as a unique ID for authentication purposes.
I've read through the required reasons for using this API, and I am not sure if it falls under the acceptable use cases. My gut-feeling is that it does not.
The following reasons are what Apple lists as acceptable reasons for this API:
35F9.1
Declare this reason to access the system boot time in order to measure the amount of time that has elapsed between events that occurred within the app or to perform calculations to enable timers. Information accessed for this reason, or any derived information, may not be sent off-device. There is an exception for information about the amount of time that has elapsed between events that occurred within the app, which may be sent off-device.
8FFB.1
Declare this reason to access the system boot time to calculate absolute timestamps for events that occurred within your app, such as events related to the UIKit or AVFAudio frameworks. Absolute timestamps for events that occurred within your app may be sent off-device. System boot time accessed for this reason, or any other information derived from system boot time, may not be sent off-device.
3D61.1
Declare this reason to include system boot time information in an optional bug report that the person using the device chooses to submit. The system boot time information must be prominently displayed to the person as part of the report. Information accessed for this reason, or any derived information, may be sent off-device only after the user affirmatively chooses to submit the specific bug report including system boot time information, and only for the purpose of investigating or responding to the bug report.
Would anybody be able to confirm that this usage is allowed or if we will need to change it to be in accordance with Apple's new policies regarding the usage of this API?
Thanks
How to handle libraries that are not explicitly added by me, but pulled by other SPMs that I use in my project? For example Firebase SPM pulls other packages like Abseil, nanopb etc. Do I need to handle those, and make sure they contain privacy manifests, or is Firebase package "responsible" for those?
When transferring an app from one team to another, Sign in with Apple users have to me carefuly migrated since their unique identifiers are team-scoped.
To migrate users from Team A to Team B, a transient transfer identifier, aka transfer_sub, has to be generated by Team A before the transfer to prepare the app data, using specific migration endpoints provided by Apple. "Preparing the app data" means, for example, associate database entries to the transfer id instead of the team-specific id.
One the app has been transferred, and during 60 days, Team B will find the transfer_sub in ID tokens issued by Apple Sign In, and thanks to this shared identifier they can retrieve the user data and associate it to their new unique identifier.
So far so good !
Now, the question : if an app is transferred from Team A to Team B, and then, shortly thereafter (a few days later), from team B to team C, will the transfer_sub related to the B-C transfer be different ? Or will they remain the same as the ones issued for the A-B transfer ?
(I'm asking this question in order to avoid the possible catastrophe of an ill-prepared double app transfer)
Thank you !
We use few third party dependencies that declare API Reasons and we integrate those using SPM.
Since SPM will statically link those dependencies in the main binary, we get a report from App Store that we need to declare those reasons in our Privacy manifest file.
This is somewhat surprising since third party privacy manifest is bundled within our app, it is just independent of our app's main Privacy manifest file.
Is there a way to aggregate all privacy manifest files, or does Apple plan to scan for all privacy manifest files in application bundle?
Hello.
I'm having an issue using SPM to include a privacy manifest in my project.
For example, if I use Alamofire 5.9.0 (with the PrivacyInfo.xcprivacy file) using SPM, I am continuously receiving the email saying ITMS-91053: Missing API declaration - System Boot Time when submitting an app for review.
But use the same version of Alamofire using cocoapod(as a dynamic library), the PrivacyAccessedAPI issue will not occur.
Is there any resolution for this problem?
If I use a library using SPM, do I need to add the library's information in the main app's PrivacyInfo.xcprivacy file?
Thank you.
Hello. I am having issue with the privacy warnings.
Basically i am using react native without expo and i want to fix the warnings that are displayed via apple store connect. As per instruction, i created the PrivacyInfo.xcprivacy file, added my project as target and filled the rules out. After doing that, when i try to build i get errors:
"Multiple commands produce '/Users//Library/Developer/Xcode/DerivedData/-fvniikaunkvfgngctvgfjncckcat/Build/Products/Debug-iphonesimulator/.app/PrivacyInfo.xcprivacy'"
"Target '' (project '') has copy command from '/ios/PrivacyInfo.xcprivacy' to '/Users//Library/Developer/Xcode/DerivedData/-fvniikaunkvfgngctvgfjncckcat/Build/Products/Debug-iphonesimulator/.app/PrivacyInfo.xcprivacy'"
"That command depends on command in Target (project ): script phase “[CP] Copy Pods Resources”".
Some solutions suggested removing the PrivacyInfo from Copy Bundle resources. That way the build worked but the app store connect still gave warning.
to me the issue seems to arise during copy pods resources, it wants to create the PrivacyInfo.xcprivacy file, but it already exists. Or maybe it its something else.
Any help or direction is much obliged
As title, i tried to get tracking domain by Network instruments,
but it shows Call os_log APIs on a logging handle network instruments.
Anyone know how can i log the domain. Thanks
Step follow:
Open your project in Xcode.
Choose Product > Archive. Xcode creates the archive and reveals it in the organizer
Control-click the archive in the organizer and choose Generate Privacy Report
Choose a location to save the privacy report
When I open the privacy report file, I can't see the content.
Could you help me resolve this issue?
Hello,
I am trying to develop an app , using Flutter. My app has its own database which it contains the customer info such as name, address and phone number. I need to get the caller's phone number then I use the phone number and search in my database and if the phone# exist in our DB , I extract customer info and show it on pop up screen. How can I get the phone number of the person who is calling? i tried this, it didnt work:
let networkInfo = CTTelephonyNetworkInfo()
guard let carrier = networkInfo.serviceSubscriberCellularProviders?.first?.value else {
return nil
}
return carrier.mobileNetworkCode
Is there any way to get caller's number while he/she is calling?
Thanks
P.
Hello, my dear colleages. I'm a new ios developer (actually I'm sr. android dev), so this is my first publishing in app store. I have create an app with memes, where users can create memes, share it and judge. I have already tearm of uses, privacy policy, registration and report (because I want to create a stable product), but apple has own opinion:
Require that users agree to terms (EULA) and these terms must make it clear that there is no tolerance for objectionable content or abusive users - okay, I will add EULA to my links, but it already contains the rules of creating content
A method for filtering objectionable content - blocking happens automatically by user reports. I explained it to the reviewer, but he ignored it and repeated this mark (all marks) again. By user reports the memes with 10 or more marks will be hidden for content delivery. What does he want else? How can the filters resolve it or content already hidden? What actually should I do and these "filters"?
A mechanism for users to flag objectionable content - The same. What else does he want?
A mechanism for users to block abusive users - This is jsut ridiculous! Users can not write each other and can not communicate with each other. They can only create and judge memes. I'm not sure that reviewer really was looking my app. Maybe 30 seconds? So, how can I follow to his marks if he doesn't listen and doesn't check? Use fake feature? That's shame!
The developer must act on objectionable content reports within 24 hours by removing the content and ejecting the user who provided the offending content - The same. The blocking happens automatically. We don't have moderators and can control this process manually (only 2 members in the team). I really don't understand why apple make my life harder)) Google and Huawui have already published app in the internal testing without wrong useless marks.
As I know this situation is normal behaviour for apple. Anyway I want to resolve this "marks" and finish the publish process - users are waiting for. Please guys, help me to do it correct - I don't have experience with apple support and it looks for me like a circus!
P.S. Links to the terms of uses and privacy policy available on the register screen
I just submitted a build to TestFlight this morning that should have set off the same alarms as last week, but it didn't. We received no emails complaining about "ITMS-91053" violations like happened on this branch before.
We've been working hard to figure out how to meet your new privacy requirements, and it's been quite frustrating. I thought I finally fixed it yesterday, but today I wanted to run a sanity test. I went back and created a build that should fail, but now that one is apparently fine as well. I'm at a complete loss.
I receive this from apple on review , what I suppose to change
Guideline 5.1.2 - Legal - Privacy - Data Use and Sharing
The app privacy information you provided in App Store Connect indicates you collect data in order to track the user, including Browsing History, Other Diagnostic Data, Crash Data, Performance Data, Name, Search History, Physical Address, Customer Support, and Other Data Types. However, you do not use App Tracking Transparency to request the user's permission before tracking their activity.
Apps need to receive the user’s permission through the AppTrackingTransparency framework before collecting data used to track them. This requirement protects the privacy of users.
Next Steps
Here are two ways to resolve this issue:
If you do not currently track, or decide to stop tracking, update your app privacy information in App Store Connect. You must have the Account Holder or Admin role to update app privacy information.
If you track users, you must implement App Tracking Transparency and request permission before collecting data used to track. When you resubmit, indicate in the Review Notes where the permission request is located.
Because the latest privacy manifest file requires inclusion for submissions after May 1st, based on the document: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files I have two questions regarding the NSPrivacyTrackingDomains field:
In my app, NSPrivacyTrackingDomains and regular user login registration data loading use the same second-level domain "myapp.com". If "tracking.myapp.com" is specified in NSPrivacyTrackingDomains but the user does not grant tracking permission to the App Tracking Transparency framework, can the app still access the network through third-level domains such as "login.myapp.com" or "data.myapp.com"?
At the bottom of the document, there is a note: "You only need to supply NSPrivacyAccessedAPITypes for apps and third-party SDKs on iOS, iPadOS, tvOS, visionOS, and watchOS." Does this mean that NSPrivacyTrackingDomains and NSPrivacyTracking properties do not need to be filled out as of May 1st? Will there be any issues if they are not filled out?
Eagerly awaiting your response! Thanks!!!
Existing external libraries are distributed in the form of framework files. However, if the company providing the library delays the Privacy Manifest registration patch, how can I handle this situation? Am I just keep getting my app rejected?
In an app that uses a specific commit in open source branch, what should I do if the Privacy Manifest is registered only in the latest version of that version? For various reasons, including functional stability, the open source cannot be updated to the latest version.
I have developed a framework that uses Alamofire which is included in the list of third-party SDKs that require the Privacy Manifest.
https://developer.apple.com/support/third-party-SDK-requirements/
The latest version of Alamofire already includes the PrivacyManifest.xcprivacy file and is visible from my own framework.
My question is if it is necessary to add a PrivacyManifest.xcprivacy to my framework in that case and if so, should it be the same as Alamofire's? Wouldn't that be redundant? My framework does not use any API that has to be declared.
If another framework were to use my framework that uses Alamofire, should I also create a PrivacyManifest.xcprivacy?
Thank you.
Hello,
I created my manifest file, added to target and when I send app to review I receive email. I have no idea what is wrong. I tried change localization, modify file and nothing. Still don't work.
Xcode version 15.3.
localization file and add to target:
email:
manifest file:
Manifest file