Please correct the following issues and upload a new binary to App Store Connect. ITMS-91061: Missing privacy manifest - Your app includes “Frameworks/FirebaseCoreDiagnostics.framework/FirebaseCoreDiagnostics”, which includes FirebaseCoreDiagnostics, an SDK that was identified in the documentation as a commonly used third-party SDK. If a new app includes a commonly used third-party SDK, or an app update adds a new commonly used third-party SDK, the SDK must include a privacy manifest file. Please contact the provider of the SDK that includes this file to get an updated SDK version with a privacy manifest. For more details about this policy, including a list of SDKs that are required to include signatures and manifests, visit: https://developer.apple.com/support/third-party-SDK-requirements. ITMS-91061: Missing privacy manifest - Your app includes “Frameworks/FBLPromises.framework/FBLPromises”, which includes FBLPromises, an SDK that was identified in the documentation as a commonly used third-party SDK. If a new app includes a commonly used third-party SDK, or an app update adds a new commonly used third-party SDK, the SDK must include a privacy manifest file. Please contact the provider of the SDK that includes this file to get an updated SDK version with a privacy manifest. For more details about this policy, including a list of SDKs that are required to include signatures and manifests, visit: https://developer.apple.com/support/third-party-SDK-requirements. ITMS-91061: Missing privacy manifest - Your app includes “Frameworks/GoogleDataTransport.framework/GoogleDataTransport”, which includes GoogleDataTransport, an SDK that was identified in the documentation as a commonly used third-party SDK. If a new app includes a commonly used third-party SDK, or an app update adds a new commonly used third-party SDK, the SDK must include a privacy manifest file. Please contact the provider of the SDK that includes this file to get an updated SDK version with a privacy manifest. For more details about this policy, including a list of SDKs that are required to include signatures and manifests, visit: https://developer.apple.com/support/third-party-SDK-requirements. our app is .NET MAUI app so we already addressed this by adding privacyinfo.xcprivacy privacy manifest under platform/ios/resources but still get flagged for this <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>NSPrivacyTracking</key> <false/> <key>NSPrivacyTrackingDomains</key> <array/> <key>NSPrivacyAccessedAPITypes</key> <array> <dict> <key>NSPrivacyAccessedAPIType</key> <string>NSPrivacyAccessedAPICategoryFileTimestamp</string> <key>NSPrivacyAccessedAPITypeReasons</key> <array> <string>C617.1</string> </array> </dict> <dict> <key>NSPrivacyAccessedAPIType</key> <string>NSPrivacyAccessedAPICategorySystemBootTime</string> <key>NSPrivacyAccessedAPITypeReasons</key> <array> <string>35F9.1</string> </array> </dict> <dict> <key>NSPrivacyAccessedAPIType</key> <string>NSPrivacyAccessedAPICategoryDiskSpace</string> <key>NSPrivacyAccessedAPITypeReasons</key> <array> <string>E174.1</string> </array> </dict> <dict> <key>NSPrivacyAccessedAPIType</key> <string>NSPrivacyAccessedAPICategoryUserDefaults</string> <key>NSPrivacyAccessedAPITypeReasons</key> <array> <string>CA92.1</string> </array> </dict> </array> <key>NSPrivacyCollectedDataTypes</key> <array/> </dict> </plist>

Binary code is associated with the NSUserTrackingUsageDescription deleted at present, but in the revised App privacy will contain NSUserTrackingUsageDescription, I feel very confused, don't know should shouldn't solve.

Like many/most developers, I gave Connect the info required to comply with the DSA. Perhaps unlike most, I always give unique email addresses so that I can easily track the source of abuse. Yesterday I finally had a phish come in to my DSA address claiming "Message blocked" and doing the standard click-to-login-for-details FOMO bait. So, yep, DSA just becomes yet another public database that malicious actors can use to target you. It would be really nice if Apple provided a way to supply our contact info only for legitimate business purposes. Mail Privacy Protection (or similar) for this would be a start.

Hello Apple Developer Community, We have been experiencing a persistent notification issue in our application, Flowace, after updating to macOS 15 and above. The issue is affecting our customers but does not occur on our internal test machines. Issue Description When users share their screen using Flowace, they receive a repetitive system notification stating: "Flowace has accessed your screen and system audio XX times in the past 30 days. You can manage this in settings." This pop-up appears approximately every minute, even though screen sharing and audio access work correctly. This behavior was not present in macOS 15.1.1 or earlier versions and appears to be related to recent privacy enhancements in macOS. Impact on Users The frequent pop-ups disrupt workflows, making it difficult for users to focus while using screen-sharing features. No issues are detected in Privacy &amp; Security Settings, where Flowace has the necessary permissions. The issue is not reproducible on our internal test machines, making troubleshooting difficult. Our application is enterprise level and works all the time, so technically this pop only comes after a period of not using the app. Request for Assistance We would like to understand: Has anyone else encountered a similar issue in macOS 15+? Is there official Apple documentation explaining this new privacy behavior? Are there any interim fixes to suppress or manage these notifications? What are Apple's prospects regarding this feature in upcoming macOS updates? A demonstration of the issue can be seen in the following video: https://youtu.be/njA6mam_Bgw Any insights, workarounds, or recommendations would be highly appreciated! Thank you in advance for your help. Best, Anuj Patil Flowace Team

I am developing a React Native app for a health monitoring device that connects via Bluetooth and streams live data on iOS. To ensure the uniqueness of the device, I initially planned to use the MAC address. However, I discovered that iOS does not provide access to the original MAC address due to privacy restrictions. Is there an alternative approach to uniquely identifying a Bluetooth device in iOS? I need a reliable way to distinguish devices while maintaining secure and stable connections. Any insights or best practices on handling this in iOS would be greatly appreciated. Looking forward to hearing your suggestions! If anyone has experience with handling Bluetooth device uniqueness on iOS, please share your insights. Thank you!

Hello. We have several apps, that use battery information, such as charge level and battery charge events. Since iOS 17, instead of report every 1% of charge, all API return an approximate within 5% value of the real value. As a result, that created a lot of issues with our users. Most of them, and at this point its around of million plus users, are not happy, because they will have to wait for the app to return information for literally hours... Please fix this, and even if you wont allow us access to real time data, like in Android devices, please at least return it back to be precise and at 1% of precision.

When you have a mac, creating xcprivacy is pretty straightforward for your app, you simply use xcode, then select the sdks and target them and your privacy manifest is ready. In the other hand, when you are using CI/CD solutions you might not use xcode direclty. In that instance and if you are coding in flutter, you need to create your privacy manifest by hand. I would like guidance how to write that file, I would it for a given third party SDK and where to put that file in the flutter project (just to be sure) For example we choose the most important third party SDK manifest: FUTTER framework. I keep getting errors about it for my app, got alot of builds get the INVALID BINARY error because of that, and my mails indicating me a problem with the manifest. Please show me the source code of the manifest privacy for a project where a third party SDK is present (in particular: flutter sdk) Thanks

Hi, we are preparing to launch an app soon that will allow users to login via their apple or google accounts. We were reviewing the app review guidelines and had some questions about Login Services. Do we need to support username/email + password alongside social logins? If yes, can we support passkeys to get around this restriction? passkeys do not require any information so we think this should apply Apps that use a third-party or social login service (such as Facebook Login, Google Sign-In, Sign in with Twitter, Sign In with LinkedIn, Login with Amazon, or WeChat Login) to set up or authenticate the user’s primary account with the app must also offer as an equivalent option another login service with the following features: - the login service limits data collection to the user’s name and email address; - the login service allows users to keep their email address private as part of setting up their account; and - the login service does not collect interactions with your app for advertising purposes without consent. A user’s primary account is the account they establish with your app for the purposes of identifying themselves, signing in, and accessing your features and associated services.

Hello, I have an iOS app that is recording audio that is working fine on iPads/iPhones. It asks for microphone permission and after that recording works. I installed the same app on my M3 MacBook via TestFlight since iPad apps are supposed to work without a change that way. The app starts fine and everything, but it never asks for Microphone permission, so I can't record. Do I need to do something to make this happen (this is not macCatalyst, its running the arm64 iPhone binary on macOS) thanks

If new photo is added to library and app is not running in foreground or was not opened after the new photo was added but the app is having full access to gallery, can it access, read the new photo - If the app is not specifically a cloud syncing app, can it have this attached function, suppose it is a game app or beauty camera app?

Our business model is to identify Frauds using our advanced AI/ML model. However, in order to do so we need to collect many device information which seems to be ok according to https://developer.apple.com/app-store/user-privacy-and-data-use/ But it's also prohibited to generate a fingerprint, so I need more clarification here. Does it mean I can only use the data to identify that a user if either fraud or not but I cannot generate a fingerprint to identify the device? If so, I can see many SKD in the market that generates Fingerprints like https://fingerprint.com/blog/local-device-fingerprint-ios/ and https://shield.com/?

When I make a local network HTTP request, an error occurs. I'm sure I've granted wireless data permissions and local network permissions, and I'm connected to the correct Wi-Fi. This problem is intermittent, but once it happens, it will keep happening, and the only way to fix it is to restart the phone. Here is the error log: sessionTaskFailed(error: Error Domain=NSURLErrorDomain Code=-1009 "似乎已断开与互联网的连接。" UserInfo={_kCFStreamErrorCodeKey=50, NSUnderlyingError=0x30398a5b0 {Error Domain=kCFErrorDomainCFNetwork Code=-1009 "(null)" UserInfo={_NSURLErrorNWPathKey=unsatisfied (Local network prohibited), interface: en0[802.11], uses wifi, _kCFStreamErrorCodeKey=50, _kCFStreamErrorDomainKey=1}}, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask .&lt;63&gt;, _NSURLErrorRelatedURLSessionTaskErrorKey=( "LocalDataTask .&lt;63&gt;" ), NSLocalizedDescription=似乎已断开与互联网的连接。, NSErrorFailingURLStringKey=http://192.168.2.1:80/v1/parameters, NSErrorFailingURLKey=http://192.168.2.1:80/v1/parameters, _kCFStreamErrorDomainKey=1})

Hello, Title states it basically. I have a java program (launched via shell script) running as a service using launchd which is running as a user (not root) and it does not request Local Network permissions ever. I feel like i'm missing something here. I combed through all of the Local Network FAQs and don't really see this use case addressed. I do see that there is an open ticket for an API to trigger the request, but no update on that and the ticket is not visible publicly. Is there is a way to accomplish this for java or other programs running via launchd with a user other than root? something like an entitlement or an API to seed the permission of Local Network when installing the service via launchctl etc?

Could anyone teach me how to ask iOS 18 to have a prompt during set-up process of a new APP if user accidentally turns off Local Network ?

Could anyone tell me how to detect status of Local Network for iOS 18+ systems ?

Hello, I’m planning to develop a custom referral-based attribution system for my app. The goal is to log the number of installs that come from unique referral links and then track subsequent in‑app analytics (for example, when a user reaches level 5 in a game). I’d also like to capture the user’s country to further segment these analytics. I want to build this system myself—without relying on third‑party services (such as AppsFlyer or Branch) since I only need a few key data points and want to keep costs low. However, I’m aware of the privacy restrictions in iOS and want to ensure that my implementation complies with Apple’s guidelines. Specifically, I would appreciate guidance on the following: Permissible Signals: Is it acceptable to log signals like IP address (or a suitably anonymized version), device model, and timestamp to help correlate the referral click to a successful install and subsequent in‑app events? Are there any other recommended non‑PII signals that can be used to confirm a referral install without risking rejection during App Review? Best Practices: What are the best practices for handling and transmitting these signals (e.g., should IP addresses be truncated or hashed)? How can I ensure that my system remains compliant with Apple’s App Tracking Transparency and other privacy guidelines? I’d appreciate any insights or references to relevant documentation that might help me build this system without getting rejected by Apple. Thank you in advance for your assistance!

I'm learning XPC by inspecting the GitHub Copilot project. I figured out that the schema works as follows: The host app with a UI to manage settings A Service Extension that controls the Xcode Editor A communication bridge cli app that connects the first two As far as I understand an app appears in the Accessibility Permission when it calls the next method: let key = kAXTrustedCheckOptionPrompt.takeRetainedValue() as NSString AXIsProcessTrustedWithOptions([key: true] as CFDictionary) This method is only called by the Service Extension. However, when I run a release build from the /Application folder (where launch agents point to), there are two records appearing in the Accessibility Permission list: The host app The needed Service Extension I compared all metadata files from Copilot with my copy line-by-line, but still can't figure out why the host app record appears in the Accessibility Permission, since the host app does not call the AXIsProcessTrustedWithOptions() method at all. Could you give me any clue to help me wrap my head around it?

Hi, We have an issue (https://github.com/actions/runner-images/issues/10924) raised by a user requesting to add 'local network access' permission for macOS 15 and macOS 15-arm64 image runners. Apple introduced a new LNP policy with macOS Sequoia that is not controlled by TCC or MDM. Could you please guide us on how to add 'local network access' permission for macOS 15 and macOS 15-arm64 image runners? Thanks.

In TN3179 under "macOS considerations" there are a set of instances where local network privacy does not apply: macOS automatically allows local network access by: Any daemon started by launchd Any program running as root Command-line tools run from Terminal or over SSH, including any child processes they spawn I am running some tests in my app that use the local network, attempting to run them from both the terminal app and from a VScode terminal and I am getting permissions prompts. After allowing these pop ups, some of the tests still fail as if networking was blocked.

Hello, I'm trying to publish my app, but I'm constantly getting rejected by Apple. They're telling me I'm having issues with tracking user data. This item has been rejected for the following reasons: 5.1.2 Legal: Privacy - Data Use and Sharing I've indicated that I don't use this data for ads, that it's only used for personalization and to understand who saves items. I added the NSUserTrackingUsageDescription property to the info.plist. I run AppTrackingTransparency.requestTrackingAuthorization() when the user logs into the app, displaying a warning message. I'd say I meet all the requirements they've set for me, but they still haven't approved my app. What do you recommend? How can I speak to a physical person who can help me? Thank you very much and best regards.