Discuss how to secure user data, respect user data preferences, support iCloud Private Relay and Mail Privacy Protection, replace CAPTCHAs with Private Access Tokens, and more. Ask about Privacy nutrition labels, Privacy manifests, and more.

Posts under Privacy tag

200 Posts

Post | Replies | Boosts | Views | Activity

The archive does not contain any `PrivacyInfo.xcprivacy` files.
When you generate a privacy report for your app and meet the following issue, you should check two things. Check if you added your PrivacyInfo.xcprivacy to Target Membership. Check if Installation Directory is /Applications; on my side I can't generate the report if I change it to another path or another name with Xcode 15.3 (15E204a). It must be /Applications. I know /Applications means LOCAL_APPS_DIR or SYSTEM_APPS_DIR, but I want to use USER_APPS_DIR = $(HOME)/Applications or any path I write into Installation Directory. What should I do to make the generation tool follow my personal Installation Directory? And how do I use the command line to generate this report?
1
0
578
Mar ’24
Need Clarification between xcprivacy codes CA92.1 and 1C8F.1 for User defaults APIs
1C8F.1 seems to cover all the situations that CA92.1 covers, plus 1C8F.1 covers data for app extensions and App Clips. If our SDK uses UserDefaults, and our group debates that: some functionality is about data only accessible to the app and would be covered by code CA92.1; some functionality is about data accessible to extensions and App Clips and would be covered by code 1C8F.1. Can we declare both codes in our manifest file (PrivacyInfo.xcprivacy)? Or should we only declare 1C8F.1 to cover both parts?
1
0
642
Mar ’24
Privacy Manifest Warning Email is missing SDKs
We submitted an app to TestFlight and received the expected warning email. However, the email did not mention any of the SDK frameworks that were in the app. The email only mentioned the app itself and the app's extensions. We expected to get warnings for our frameworks that used required reason APIs. We also expected to get warnings for frameworks in the "list of commonly used third-party SDKs". Why are the warnings not as expected? Is this because TestFlight is not making the same kind of warning emails that will be created for the App Store?
4
0
1.1k
Mar ’24
Missing API Declaration - Request for Not Used Privacy Accessed API Categories
We received an email from App Store Connect with the subject 'uploaded build for {AppName} has one or more issues' regarding our latest package, {versionNumber}. The email states that we need to add an App Privacy Manifest for our extensions before May 1st, and it specifies which categories need to be added. However, some of the categories mentioned, such as NSPrivacyAccessedAPICategorySystemBootTime, NSPrivacyAccessedAPICategoryFileTimestamp, NSPrivacyAccessedAPICategoryDiskSpace, are not used by our application. Do we still need to add these? If so, under which 'Privacy Accessed API Reasons' code should we add them?
1
0
556
Mar ’24
NSPrivacyTracking and NSPrivacyTrackingDomains
My app is using the Advertising data type to track, but it leverages third-party ads SDKs to do so. I add NSPrivacyCollectedDataTypeAdvertisingData and NSPrivacyCollectedDataTypeTracking that is true to my app's manifest file. Those third-party ads SDKs will have their own manifests declaring the values of NSPrivacyTracking and tracking domains. In this case, do I need to set NSPrivacyTracking as true and add the domains those SDKs connect to into the host app's privacy manifest? My guess is no, since all manifests are finally merged into a single report.
1
2
574
Mar ’24
Tracking domains - Network Instrument Points of Interest
Hello, This relates to NSTrackingDomains for Privacy Manifest. Following the doc here: https://developer.apple.com/documentation/xcode/detecting-when-your-app-contacts-domains-that-may-be-profiling-users (Also, I'm quite new to using the Network Instrument). I'm not seeing any "Points of Interest" but I know my app has domains that should be shown as "Faults". Do I need to add os_log to my Objective-C codebase? I don't have access to the code of various 3rd party SDKs. The doc mentioned above made it sound like these domains should automagically appear. Thanks!
3
1
878
Mar ’24
Xamarin Forms - API Declaration not working
Morning All, just wanted a little help with my Xamarin Forms app. When I publish to TestFlight for a public test build I am always receiving the email about ITMS-91053: Missing API declaration. I have followed the steps and created a PrivacyInfo.xcprivacy in Xcode and I can see it in my Xamarin iOS project, but I still get the email saying it is missing. Is there something I am missing or need to reference in the Info.plist etc.? My looks like the following: `
2
0
1.1k
Mar ’24
Privacy manifests: how to identify which pod a category use is originating from?
I received an email from Apple saying the app is using: NSPrivacyAccessedAPICategoryDiskSpace, NSPrivacyAccessedAPICategoryFileTimestamp, NSPrivacyAccessedAPICategorySystemBootTime. I'm not directly calling (afaik) any API that might be involved in getting the disk space, file timestamp, nor system boot time, so presumably these are indirectly originating in a pod whose API I'm using. However, I have about 100 pods in the app; how can I know which one these are originating from? (100 seems a lot, but it's a React Native app and that alone pulls in dozens and dozens of pods implicitly in addition to those specified explicitly in a pod file.) I can try and update all the pods to the latest version, but if the offending pod(s) hasn't added a manifest file, then I have no way of knowing which one it is - therefore I can neither contact them to ask when they will release a new version, nor can I attempt to try and remove the pod, because I just don't know which one might be causing the manifest warning. So what are we supposed to do in this situation?
3
2
5.1k
Mar ’24
When submitting for Apple review, you will receive a warning email about the required reason APIs from the third party SDK.
Hello, I have a question regarding the Privacy Manifest of a third-party SDK. We are using a static third-party SDK. This third-party SDK uses the UserDefaults API, and it is also specified in the Privacy Accessed API Types within PrivacyInfo.xcprivacy. The static third-party SDK is added as a dependency via CocoaPods, and PrivacyInfo.xcprivacy is included in the Pods Resource. Additionally, our app does not use the UserDefaults API. When we generate the Privacy Report, it correctly shows the data collected by the third-party SDK. However, when we submitted for review, we received a warning email stating that UserDefaults is being used in the app but is missing from the Privacy Manifest. ITMS-91053: Missing API declaration - Your app’s code in the “MyApp” file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryUserDefaults. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api. I have the following questions: When submitting the app for review, does Apple not consider the PrivacyInfo.xcprivacy of the third-party SDK? What steps should be taken to ensure that Apple reviews the PrivacyInfo.xcprivacy of the third-party SDK?
3
2
2.0k
Mar ’24
CloudKit private database & developer access to user data
My app does not knowingly capture or retain user data in any form, but I wanted to make sure that I don’t inadvertently have access to user data via CloudKit. I’m reaching out to confirm this. Here’s the basic structure of the app - users can enter information which is then retained for their own use. I’m using SwiftData. @Model data is saved in a CloudKit container, which permits data syncing across iOS devices. I’ve never written any code to make the container database I’m using for the app (or zones within it) anything other than private, so I think (??) by default the data is stored privately. Data syncing does work and my icloud.developer.apple.com dashboard shows a private database subscription but no public or shared subscriptions. My understanding of this design has been that the user’s data was stored in their personal, private iCloud account and I did NOT have access to it (nor do I need or want to have access). However, then I watched this WWDC 2018 video on GDPR compliance (https://developer.apple.com/videos/play/tech-talks/703/), in which Michael Ford presents code that provides “visibility into the data that is saved in CloudKit for the user”, including the private database. This sounds to me like a developer might actually be able to access a user’s private database data. Have I misinterpreted this WWDC 2018 presentation, has a developer’s access to user data in a private database changed since 2018, or do I actually have access to user data via my reliance on CloudKit to save user data? Many thanks for your help!
0
0
295
Mar ’24
Error 4097 with TCC and privacyaccountingd on real device
Hi, I am new to Swift and trying to develop an app that needs photolibraryusagedescription and photolibraryaddtionsusagedescription. On simulation, I have fetched all photos and deleted selected photos successfully but can't share selected photos, so I've connected a real device to test it out. However, after allowing full access to the photo album, I got this error: Domain=NSCocoaErrorDomain Code=4097, "connection to service with pid 1353 named com.apple.privacyaccountingd" UserInfo={NSDebugDescription=connection to service with pid 1353 named com.apple.privacyaccountingd} I've looked for solutions so far but still have no idea what created that issue and how to solve it. I've been using the latest version of all devices and apps related. Could someone guide me about this issue? Thank you. Here's the code of my ContentView, and the function I use to request access, respectively:

```swift
import SwiftUI
import Photos

struct ContentView: View {
    @State var showGuide: Bool = false
    @State var showInfo: Bool = false
    @StateObject private var photoFetcher = PhotoFetcher()
    @State private var photoOffset: CGSize = .zero
    @State private var animateOut = false
    @State private var refreshTrigger = false
    @State private var showingShareSheet = false
    @State private var itemsToShare: [Any] = []

    // Keep the top photo: move it to the bottom of the stack.
    func likePhoto() {
        guard !self.photoFetcher.destinations.isEmpty else { return }
        // Some animation later
        DispatchQueue.main.asyncAfter(deadline: .now() + 0.5) {
            if !self.photoFetcher.destinations.isEmpty {
                let tempPhoto = self.photoFetcher.destinations.removeLast()
                self.photoFetcher.destinations.insert(tempPhoto, at: 0)
            }
            photoOffset = .zero
            animateOut = false
        }
    }

    // Delete the top photo from the photo library.
    func dislikePhoto() {
        guard !self.photoFetcher.destinations.isEmpty else { return }
        let deletePhoto = self.photoFetcher.destinations.last?.asset
        guard let deleteAsset = deletePhoto else { return }
        PHPhotoLibrary.shared().performChanges({
            PHAssetChangeRequest.deleteAssets([deleteAsset] as NSArray)
        }) { success, error in
            DispatchQueue.main.async {
                if success {
                    self.photoFetcher.destinations.removeLast()
                    self.refreshTrigger.toggle()
                } else {
                    print("Error deleting photo")
                }
            }
        }
    }

    // Request a full-screen image for the top photo and hand it to the share sheet.
    func sharePhoto() {
        guard let topAsset = photoFetcher.destinations.last?.asset else { return }
        let manager = PHImageManager.default()
        let options = PHImageRequestOptions()
        options.version = .current
        options.isSynchronous = false
        options.deliveryMode = .highQualityFormat
        manager.requestImage(for: topAsset,
                             targetSize: CGSize(width: UIScreen.main.bounds.width,
                                                height: UIScreen.main.bounds.height),
                             contentMode: .aspectFit,
                             options: options) { image, _ in
            if let image = image {
                DispatchQueue.main.async {
                    self.shareImage(image: image)
                }
                print("shareImage called")
            }
        }
    }

    func shareImage(image: UIImage) {
        itemsToShare = [image]
        showingShareSheet = true
        print("Item to share: \(itemsToShare)")
    }

    var body: some View {
        VStack {
            Spacer(minLength: 20)
            ZStack {
                ForEach(photoFetcher.destinations, id: \.id) { oldPic in
                    CardView(showGuideView: $showGuide, showInfoView: $showInfo, oldPics: oldPic)
                }
            }
            .padding(.horizontal)
            Spacer()
            CardNav(onLike: { likePhoto() }, onDislike: { dislikePhoto() }, onShare: { sharePhoto() })
            Spacer(minLength: 20)
        }
        .onAppear(perform: photoFetcher.requestPhotoLibraryAccess)
        .alert(isPresented: $photoFetcher.showAlert) {
            Alert(
                title: Text("Permission required"),
                message: Text(photoFetcher.alertMessage),
                primaryButton: .default(Text("Settings"), action: {
                    // Open the app's settings
                    UIApplication.shared.open(URL(string: UIApplication.openSettingsURLString)!,
                                              options: [:],
                                              completionHandler: nil)
                }),
                secondaryButton: .cancel()
            )
        }
        .sheet(isPresented: $showingShareSheet) {
            ActivityViewController(activityItems: itemsToShare, applicationActivities: nil)
        }
    }
}

#Preview {
    ContentView()
}
```

```swift
    // Body of the access-request function; its declaration is not shown in the post.
    PHPhotoLibrary.requestAuthorization { status in
        DispatchQueue.main.async {
            if status == .authorized {
                self.fetchPhotos()
            } else {
                // Do something
                self.handleDeniedAccess()
            }
        }
    }
}
```
0
0
520
Mar ’24
Dynamic XCFramework that uses a Required Reason API and does not declare it inside its Privacy Manifest
Will an app be rejected after the 1st of May 2024 if it contains an embedded dynamic XCFramework that uses a Required Reason API and it does not declare the Required Reason API usage inside its Privacy Manifest? Important note: I am asking about dynamic xcframeworks that are NOT on Apple's list of commonly-used SDKs. I am asking because I'm only getting warnings about missing API declaration for the main app binary and app extensions. I do not get any warnings for the embedded dynamic xcframeworks that I have in my app.
0
0
717
Mar ’24
Is Settings.bundle deprecated? What required-reason API code to use?
I'm referring to the use of a "settings bundle" plist to cause the main Settings app to display your app's preferences which the app can then read via NSUserDefaults, as described here: https://developer.apple.com/library/archive/documentation/Cocoa/Conceptual/UserDefaults/Preferences/Preferences.html#//apple_ref/doc/uid/10000059i-CH6 I am wondering if this is actually deprecated, or something. I ask because (1) it still has the high-quality old-style documentation, and (2) there doesn't seem to be a "required reason API" code for using it. Specifically, the NSUserDefaults required reason API codes are: CA92.1: "This reason does not permit reading information that was written by other apps or the system"; 1C8F.1: "This reason does not permit reading information that was written by apps, app extensions, or App Clips outside the same App Group or by the system."; C56D.1: "...third-party SDK..." - nope; AC6B.1: "... com.apple.configuration.managed ..." - nope. None of the codes permit reading preferences that have been set by the Settings app using this method.
2
0
610
Mar ’24
Send SMS programmatically without user consent
As per the iOS SMS sending API, there is no option to send SMS programmatically without user consent. The developer needs to use the MessageUI framework to get the iPhone user's consent for sending SMS. In that case, if any third-party smartwatch connected through BLE with an iPhone receives an SMS notification through ANCS and wants to reply to that SMS, then after typing and sending from the watch, the user needs to perform this additional step on the iPhone: give consent. But if we use an Apple Watch, this consent on the iPhone is not required if the Apple Watch is already paired with the iPhone. After typing text on the Apple Watch, it can send the SMS to the receiver using the iPhone's SMS service without any user interaction. What is the reason for this difference? For sending SMS, the iPhone and Apple Watch need to be paired. Similarly, a third-party smartwatch also performs a BLE connection and pairs before sending SMS text from the watch to the iPhone to forward to the receiver. But in that case, why is another additional user consent required on the iPhone? If we consider the iPhone and Apple Watch case, pairing with each other is considered user consent for sending any SMS later from the Watch using the iPhone. Then why is BLE pairing between the iPhone and another third-party watch not considered user consent, and additional user consent required each time an SMS is sent?
0
0
433
Mar ’24
In what cases do the upcoming third-party SDK requirements apply exactly?
Please help me understand the phrasing from Apple's articles about this topic. Of course, I am referring to the SDKs from the official list, as only those are affected by the new regulations.

1. https://developer.apple.com/support/third-party-SDK-requirements/ "Starting in spring 2024, you must include the privacy manifest for any SDK listed below when you submit new apps in App Store Connect that include those SDKs, or when you submit an app update that adds one of the listed SDKs as part of the update." That states 2 cases in which fresh SDK versions are needed, containing privacy information: if you submit a completely new app; if your app update contains a framework which was not present in the previous version of the app. So, according to my understanding, if I create an app update which does not contain any new SDKs, only the ones that I have been using for a while now, I can keep using these older SDK versions. And it is not mandatory to update them to newer versions. Does Apple state anywhere that we have to update every SDK from the list this spring in every case? Because that would contradict what I quoted from the article.

2. https://developer.apple.com/news/?id=3d8a9yyh "And if you add a new third-party SDK that’s on the list of commonly used third-party SDKs, these API, privacy manifest, and signature requirements will apply to that SDK." Again, this states that you have to use a fresh version of an SDK in case you add it newly to your app. This seems to reinforce my point that if a 3rd party SDK was already used in previous app versions, the new requirements do not apply to that SDK and I can keep using its older release which does not have its own privacy manifest file.

My main concern here is that there are many 3rd party SDKs from the list that we already use in our projects, and it would be a huge effort if my team had to update all those SDKs in every project by May. But if I'm right, it is not mandatory for us. (Of course, it would be wise to update the SDKs every now and then, but that's not the point here.) Can anybody confirm whether my understanding is correct? Maybe link some proof if I'm not right? It would be nice to have a reply from someone working at Apple, to have a reliable answer.
2
0
993
Mar ’24
No warning email received from Apple even though we upload an app version WITHOUT Privacy manifest
After March 13th, we uploaded IPA packages without a privacy manifest and we still haven't received a warning email from App Store Connect. So even if we add a privacy manifest, we still can't verify that the privacy manifest we've added in the IPA is correct. Has anyone encountered this situation? Is Apple grayscale releasing this feature?
2
0
386
Mar ’24
No warning email received from Apple even though we upload an app version WITHOUT Privacy manifest
Being a software company, we create and distribute an iOS SDK to our customers worldwide. The software is distributed to our customers in the form of a static library / XCFramework. They will integrate the SDK and use it to collect data from their hosting as first party. As Apple enforced through this article “Describing use of required reason API” - “starting from Fall 2023 you’ll receive an email from Apple if you upload an app to App Store Connect that uses required reason API without describing the reason in its privacy manifest file”. We are using “NSUserDefaults” in our SDK, which is one of the required APIs listed, and as of now we haven't created a Privacy manifest file or declared this in the SDK. We tried uploading our app to the App Store Connect portal; as we are not complying with the requirement from Apple, we expected to see the warning message. Currently we do not know the impact of not having the Privacy manifest, and we would like to test the scenarios and make sure we are declaring the correct information in our SDK. Could you please review this and let us know why we are not receiving the emails? Or is it that Apple hasn't hardened the uploads yet and this is planned for a future date?
2
1
1.7k
Mar ’24