As per the iOS SMS sending API, there is no option to send SMS programmatically without user consent. The developer needs to use the MessageUI framework to get the iPhone user's consent for sending SMS.
In that case, if any third-party smartwatch connected through BLE with the iPhone receives an SMS notification through ANCS and wants to reply to that SMS, then after typing and sending from the watch, the user needs to perform this additional step on the iPhone: give consent.
But if we use an Apple Watch, this consent on the iPhone is not required if the Apple Watch is already paired with the iPhone. After typing text on the Apple Watch, the user can send the SMS to the receiver by utilizing the iPhone's SMS service without any user interaction.
What is the reason for this difference?
For sending SMS, the iPhone and Apple Watch need to be paired. Similarly, a third-party smartwatch also performs a BLE connection and pairs before sending SMS text from the watch to the iPhone to forward to the receiver.
But in that case, why is another additional user consent required on the iPhone? If we consider the iPhone and Apple Watch case, pairing with each other is considered user consent for sending any SMS later from the Watch utilizing the iPhone.
Then why is BLE pairing between the iPhone and another third-party watch not considered user consent, and why is additional user consent required each time an SMS is sent?
Hello, I have a question regarding the Privacy Manifest of a third-party SDK.
We are using a static third-party SDK. This third-party SDK uses the UserDefaults API, and it is also specified in the Privacy Accessed API Types within PrivacyInfo.xcprivacy. The static third-party SDK is added as a dependency via CocoaPods, and PrivacyInfo.xcprivacy is included in the Pods Resource. Additionally, our app does not use the UserDefaults API.
When we generate the Privacy Report, it correctly shows the data collected by the third-party SDK. However, when we submitted for review, we received a warning email stating that UserDefaults is being used in the app but is missing from the Privacy Manifest.
ITMS-91053: Missing API declaration - Your app’s code in the “MyApp” file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryUserDefaults. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.
I have the following questions:
When submitting the app for review, does Apple not consider the PrivacyInfo.xcprivacy of the third-party SDK?
What steps should be taken to ensure that Apple reviews the PrivacyInfo.xcprivacy of the third-party SDK?
1C8F.1 seems to cover all the situations that CA92.1 covers, plus 1C8F.1 covers data for app extensions and App Clips.
If our SDK uses UserDefaults, and our group debates that
some functionality is about data only accessible to the app and would be covered by code CA92.1
some functionality is about data accessible to extensions and App Clips and would be covered by code 1C8F.1
Can we declare both codes in our manifest file (PrivacyInfo.xcprivacy)?
Or should we only declare 1C8F.1 to cover both parts?
After March 13th, we uploaded IPA packages without a privacy manifest and we still haven't received a warning email from App Store Connect. So even if we add a privacy manifest, we still can't verify that the privacy manifest we've added in the IPA is correct. Has anyone encountered this situation? Is Apple grayscale releasing this feature?
Please help me understand the phrasing from Apple's articles about this topic. Of course, I am referring to the SDKs from the official list, as only those are affected by the new regulations.
1, https://developer.apple.com/support/third-party-SDK-requirements/
Starting in spring 2024, you must include the privacy manifest for any SDK listed below when you submit new apps in App Store Connect that include those SDKs, or when you submit an app update that adds one of the listed SDKs as part of the update.
That states 2 cases in which fresh SDK versions are needed, containing privacy information:
If you submit a completely new app
If your app update contains a framework which was not present in the previous version of the app
So, according to my understanding, if I create an app update which does not contain any new SDKs, only the ones that I have been using for a while now, I can keep using these older SDK versions. And it is not mandatory to update them to newer versions.
Does Apple state anywhere that we have to update every SDK from the list this spring in every case? Because that would contradict what I quoted from the article.
2, https://developer.apple.com/news/?id=3d8a9yyh
And if you add a new third-party SDK that’s on the list of commonly used third-party SDKs, these API, privacy manifest, and signature requirements will apply to that SDK.
Again, this states that you have to use a fresh version of an SDK in case you add it newly to your app. This seems to reinforce my point that if a 3rd party SDK was already used in previous app versions, the new requirements do not apply to that SDK and I can keep using its older release which does not have its own privacy manifest file.
My main concern here is that there are many 3rd party SDKs from the list that we already use in our projects, and it would be a huge effort if my team had to update all those SDKs in every project by May. But if I'm right, it is not mandatory for us. (Of course, it would be wise to update the SDKs every now and then, but that's not the point here.)
Can anybody confirm whether my understanding is correct? Maybe link some proof if I'm not right? It would be nice to have a reply from someone working at Apple, to have a reliable answer.
Hello, I’ve got some questions about the privacy manifest.
On March 18, we built our company's app with Xcode 14, submitted it for review, and it passed. However, we did not make any adjustments for the privacy manifest and yet did not receive any related emails. Our app utilizes APIs like UserDefaults and file stamps.
We've got permission from our users to use tracking, so we turned on Xcode15 instruments to check the network, but there were no faults identified in the points of interest. It looks like we’re engaged in tracking activities, possibly with tools like Firebase.
Can someone who knows about this please give me an answer?
We've been getting missing API declaration errors when submitting our app to App Store Connect for review. As SDK providers, while we have attempted our best effort to declare which APIs are being called in our Privacy Manifests, it's difficult to determine what we are missing especially with multiple libraries.
Only the app container is raised as the offending target, so how do we determine which dependency or even which API call is causing App Store Connect to flag errors, so we can properly declare usage in our Privacy Manifests?
Suppose I have some third-party frameworks integrated in an application. From May onwards, it's mandatory to have a privacy manifest for all the tracking APIs. But if the third-party library doesn't have any plans to integrate the third-party framework, how should we proceed to avoid rejection from the App Store?
Our team uses a static library (.a) consisting of C and C++.
Our team is developing static libraries internally and not sharing them outside. Should we still provide a 'Privacy Manifest' in this case?
I added the contents of our team's static library (.a) to the app's 'Privacy Manifest' and there was no problem.
Nevertheless, if I have to add it separately to the static library (.a), should I create a new framework project itself and not use the .a? Or can I just create a new framework and wrap the .a file?
Dear Experts,
I've just received the exciting new email from App Store Connect telling me that I'm using a "required reason" API call and need to declare it in my privacy manifest. Of course this is easy to fix, I'll just add the code to my privacy manifest - but I thought I'd at least go through the motions of trying to work out what function I am calling and from where.
First issue is that the email just tells me that the app "references one or more APIs that require reasons ... including NSPrivacyAccessedAPICategoryFileTimestamp". Dear Apple, why on earth can't you actually tell me the specific function that I am calling? (FB13689896).
So let's see if I can work out what has been detected. I look at the app binary:
% objdump --syms App.app
I think that is probably more or less what App Review must get from their scan, right? So I can see _stat in there but it doesn't know the corresponding source file.
So I go to the build directory with the object files and extract symbols from them all individually, using objdump --syms. Provided that I've not enabled link-time optimisation that works and I can find ... zero calls to stat(). Which tells me that my C++ std::filesystem calls have not been detected! Interesting. So if you want to bypass this amazing new privacy technology, I guess that's the way to go.
Anyway if there's a call to stat() in the binary but not in the object files, it must be coming from one of my .a files. That's a bit more difficult to track down as (1) my .a files are not in a convenient single directory, and (2) they may have calls to stat() in archive members that aren't needed and aren't included in this binary.
So the question: is there some convenient way to take the binary and identify which object files or static library archive members resulted in which of its UND symbols?
I requested the com.apple.developer.device-information.user-assigned-device-name entitlement on Feb 11 and received an email reply stating "We’ll contact you within a few weeks with your request status." However, it's been more than a month without any updates.
Can anyone chime in with their experience RE: how long it took for Apple to review their request for this entitlement?
https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_device-information_user-assigned-device-name
Dear Developer Community,
I recently implemented privacy manifest changes in accordance with Apple guidelines. However, I have encountered unexpected issues with BLE communication while our app was running in the background when there are multiple readers.
During local testing in both debug and release modes within Xcode, I have not experienced any problems with BLE communication, even with multiple readers.
However, upon uploading the build to TestFlight for testing, I found that communication was being blocked when multiple readers are there. This behavior was quite perplexing.
Upon further investigation, I decided to revert the privacy manifest changes and retested via TestFlight. Surprisingly, we did not encounter any issues with BLE communication.
I am reaching out to this forum to inquire whether anyone else has encountered similar issues with BLE communication. Additionally, I have submitted a report via Feedback Assistant to seek assistance from Apple. I am particularly interested in understanding if any core logic related to BLE is affected by the privacy manifest changes.
As Apple has mandated the inclusion of the privacy manifest for App Store submissions starting from Spring 2024, any insights or assistance on this matter would be greatly appreciated.
Let's say I have an SDK that is not one of those listed, but it uses one of those listed. In this case, do I have to get the SDK I'm using to update their dependency to add the required signature and privacy manifest?
Hello,
This relates to NSTrackingDomains for Privacy Manifest.
Following doc here https://developer.apple.com/documentation/xcode/detecting-when-your-app-contacts-domains-that-may-be-profiling-users. (Also, I'm quite new to using the Network Instrument).
I'm not seeing any "Points of Interest" but I know my app has domains that should be shown as "Faults". Do I need to add os_log to my Objective-C codebase? I don't have access to the code of various 3rd party SDKs. The doc mentioned above made it sound like these domains should automagically appear. Thanks!
Issue: The screen saver is not shown, and the user is not locked after removing a smart card with a logged in user.
I have tried setting tokenRemovalAction to 1, along with various other com.apple.security.smartcard defaults, and I have also tried setting "turn on screen saver when login token removed." None of this makes the screen locked on card removal.
Is this an issue with macOS 14, or is there a different setting/value that has to be set for this to work correctly?
Near the bottom, "Describing data use in privacy manifests" says:
App extensions don’t include privacy information files. The operating system and App Store Connect use the privacy information file in the extension’s host app bundle, in combination with those from third-party SDKs your app links to.
Yet the warnings email we see lists the app's extensions as missing manifests.
Are we reading the documentation incorrectly?
Getting this clarified helps us justify approvals for the additional work.
Does anybody know what the "Document Storage" entry in the Privacy settings for an app means?
I recently discovered that the Privacy Settings of my own app nowadays has a "Document Storage" entry, with (for me) the possible choices: "iCloud Drive", "On My Phone", and "Dropbox". I don't know with which version of iOS these appeared.
When "iCloud Drive" is selected (the default), then the explanatory text below it says "Automatically upload and store your documents in iCloud Drive"
My app has no explicit support for iCloud Drive or iCloud in general, and no support for Dropbox. Some of its files are stored in the Documents folder of the app, which is publicly accessible (through the Files app, e.g.)
My users assume that enabling the option will automatically copy those files to iCloud Drive, but that does not seem to be happening.
I have searched half a day for any documentation around this from Apple, but found nothing.
So: does anybody know what that setting does?
And: if it does not do anything, then how can I make sure it does NOT appear, to not confuse my users?
Are mergeable libraries compatible with digital signatures and privacy manifests? If so, what happens to the privacy manifests from each merged library? Do they get merged?
In https://developer.apple.com/support/third-party-SDK-requirements/ it says "Signatures are also required in these cases where the listed SDKs are used as binary dependencies."
As I am clueless regarding the technicalities of how SDKs are added to a host app, the term binary dependency means nothing to me.
For reference, our app uses CocoaPods to install all of the SDKs.
I am assuming that even if the app I am using is not listed in the iOS list of privacy-impacting SDKs, if they use a privacy-impacting SDK in their SDK, then my app will be required to get the privacy manifest for that privacy-impacting SDK: the rule must (logically!) be transitive.
So far Apple has not sent any email about the app needing to provide that for any of our SDKs, but I am worried that maybe Apple has not done the check for us yet, and by the time they do, we will be near the deadline to submit an app.