Hello.
I'm having an issue using SPM to include a privacy manifest in my project.
For example, if I use Alamofire 5.9.0 (with the PrivacyInfo.xcprivacy file) using SPM, I am continuously receiving the email saying ITMS-91053: Missing API declaration - System Boot Time when submitting an app for review.
But use the same version of Alamofire using cocoapod(as a dynamic library), the PrivacyAccessedAPI issue will not occur.
Is there any resolution for this problem?
If I use a library using SPM, do I need to add the library's information in the main app's PrivacyInfo.xcprivacy file?
Thank you.
General
RSS for tagPrioritize user privacy and data security in your app. Discuss best practices for data handling, user consent, and security measures to protect user information.
Post
Replies
Boosts
Views
Activity
I have submitted an application for the Endpoint Security entitlement,
however,
I have yet to receive any feedback regarding its progress.
Could someone kindly advise on the proper procedure to track the current status of my permission request?
Hello. I am having issue with the privacy warnings.
Basically i am using react native without expo and i want to fix the warnings that are displayed via apple store connect. As per instruction, i created the PrivacyInfo.xcprivacy file, added my project as target and filled the rules out. After doing that, when i try to build i get errors:
"Multiple commands produce '/Users//Library/Developer/Xcode/DerivedData/-fvniikaunkvfgngctvgfjncckcat/Build/Products/Debug-iphonesimulator/.app/PrivacyInfo.xcprivacy'"
"Target '' (project '') has copy command from '/ios/PrivacyInfo.xcprivacy' to '/Users//Library/Developer/Xcode/DerivedData/-fvniikaunkvfgngctvgfjncckcat/Build/Products/Debug-iphonesimulator/.app/PrivacyInfo.xcprivacy'"
"That command depends on command in Target (project ): script phase “[CP] Copy Pods Resources”".
Some solutions suggested removing the PrivacyInfo from Copy Bundle resources. That way the build worked but the app store connect still gave warning.
to me the issue seems to arise during copy pods resources, it wants to create the PrivacyInfo.xcprivacy file, but it already exists. Or maybe it its something else.
Any help or direction is much obliged
G'day all,
I'm working through the creation of a cross-platform decryption implementation for CryptoKit's HPKE and wish to use the Sender & Recipient type.
I have been able to engineer the derived key, but the missing link is the nonce that is created and utilised by HPKE.Sender.seal(). I understand that I could create the key exchange and sealed box by myself and set my own random nonce, but I want to be able to utilise the HPKE.Sender.seal() functions to assist with this as well as create ciphertext data externally that can be opened with HPKE.Recipient.open().
By looking at Apple's open-source code available here, I can see that it seems to be exporting a key based on a "base_nonce" label on the context, which I think is what HPKE.Sender's exportSecret(context:outputByteCount:) can achieve.
However using senders exportSecret(context:outputByteCount:) in the following way:
let noncedata = try hpkeSender.exportSecret(context: Data("base_nonce".utf8), outputByteCount: 12)
even just for one message (so the sequence number would be 0 and thus this data block unchanged), the AES-GCM implementation still returns a "cipher: message authentication failed" error. This is specifically in Go, but can be replicated in Python easily. I'm confident that the derived key is correct and is being fed to AES-GCM with the ciphertext correctly, and it's just the nonce generation that is not understood.
Hello, my dear colleages. I'm a new ios developer (actually I'm sr. android dev), so this is my first publishing in app store. I have create an app with memes, where users can create memes, share it and judge. I have already tearm of uses, privacy policy, registration and report (because I want to create a stable product), but apple has own opinion:
Require that users agree to terms (EULA) and these terms must make it clear that there is no tolerance for objectionable content or abusive users - okay, I will add EULA to my links, but it already contains the rules of creating content
A method for filtering objectionable content - blocking happens automatically by user reports. I explained it to the reviewer, but he ignored it and repeated this mark (all marks) again. By user reports the memes with 10 or more marks will be hidden for content delivery. What does he want else? How can the filters resolve it or content already hidden? What actually should I do and these "filters"?
A mechanism for users to flag objectionable content - The same. What else does he want?
A mechanism for users to block abusive users - This is jsut ridiculous! Users can not write each other and can not communicate with each other. They can only create and judge memes. I'm not sure that reviewer really was looking my app. Maybe 30 seconds? So, how can I follow to his marks if he doesn't listen and doesn't check? Use fake feature? That's shame!
The developer must act on objectionable content reports within 24 hours by removing the content and ejecting the user who provided the offending content - The same. The blocking happens automatically. We don't have moderators and can control this process manually (only 2 members in the team). I really don't understand why apple make my life harder)) Google and Huawui have already published app in the internal testing without wrong useless marks.
As I know this situation is normal behaviour for apple. Anyway I want to resolve this "marks" and finish the publish process - users are waiting for. Please guys, help me to do it correct - I don't have experience with apple support and it looks for me like a circus!
P.S. Links to the terms of uses and privacy policy available on the register screen
I receive this from apple on review , what I suppose to change
Guideline 5.1.2 - Legal - Privacy - Data Use and Sharing
The app privacy information you provided in App Store Connect indicates you collect data in order to track the user, including Browsing History, Other Diagnostic Data, Crash Data, Performance Data, Name, Search History, Physical Address, Customer Support, and Other Data Types. However, you do not use App Tracking Transparency to request the user's permission before tracking their activity.
Apps need to receive the user’s permission through the AppTrackingTransparency framework before collecting data used to track them. This requirement protects the privacy of users.
Next Steps
Here are two ways to resolve this issue:
If you do not currently track, or decide to stop tracking, update your app privacy information in App Store Connect. You must have the Account Holder or Admin role to update app privacy information.
If you track users, you must implement App Tracking Transparency and request permission before collecting data used to track. When you resubmit, indicate in the Review Notes where the permission request is located.
Existing external libraries are distributed in the form of framework files. However, if the company providing the library delays the Privacy Manifest registration patch, how can I handle this situation? Am I just keep getting my app rejected?
In an app that uses a specific commit in open source branch, what should I do if the Privacy Manifest is registered only in the latest version of that version? For various reasons, including functional stability, the open source cannot be updated to the latest version.
I have developed a framework that uses Alamofire which is included in the list of third-party SDKs that require the Privacy Manifest.
https://developer.apple.com/support/third-party-SDK-requirements/
The latest version of Alamofire already includes the PrivacyManifest.xcprivacy file and is visible from my own framework.
My question is if it is necessary to add a PrivacyManifest.xcprivacy to my framework in that case and if so, should it be the same as Alamofire's? Wouldn't that be redundant? My framework does not use any API that has to be declared.
If another framework were to use my framework that uses Alamofire, should I also create a PrivacyManifest.xcprivacy?
Thank you.
Hello,
When you integrate framework linked statically, the usage is that those framework provide a bundle in which they put their PrivacyInfo.xcprivacy file.
If you decompress an .ipa file you submit to Apple, you can see this bundle at the root.
The problem is that the PrivacyInfo.xcprivacy files inside bundles seem not to be scan by Apple in the privacy process.
Thus Apple send us issues about missing privacy.
Have you already heard about this problem ?
Probably link to what i am saying : Firebase issue #12557
Thank you very much for your feedback !
Is there an API to query for SIP Protected Paths or someway that this information can be deciphered ?
Intent is to mute those paths or a subset for an ES client ?
As per our code, we have the apps to be shielded whenever the threshold is reached. According to this use-case, our code in DeviceActivityExtension looks something like:
override func eventDidReachThreshold(_ event: DeviceActivityEvent.Name, activity: DeviceActivityName) {
super.eventDidReachThreshold(event, activity: activity)
defaults?.setValue(event.rawValue, forKey: "appLimitEventName")
defaults?.setValue(true, forKey: "appLimitReached")
defaults?.synchronize()
// using darwinNotificationCenter to trigger callback in the application
let darwinNotificationCenter = DarwinNotificationsManager.sharedInstance()
darwinNotificationCenter.postNotification(withName: "nextAppLimitInitiated")
// using Notifications to debug since print doesn't work
scheduleNotification(with: "interval threshold reached")
}
And in our application, we have the shielding logic in place,
init() {
let darwinNotificationCenter = DarwinNotificationsManager.sharedInstance()
darwinNotificationCenter.register(forNotificationName: "nextAppLimitInitiated"){
print("callback received")
let appLimitReached = self.defaults?.bool(forKey: "appLimitReached")
let appLimitEventName = self.defaults?.string(forKey: "appLimitEventName")
if appLimitReached ?? false, appLimitEventName != "" {
// this sends the notification when callback is received
self.scheduleNotification(with: "init start")
self.defaults?.setValue(false, forKey: "appLimitReached")
guard var dataArray = self.defaults?.array(forKey: "appLimitdataArray"), !dataArray.isEmpty else {
return
}
let appLimitData = dataArray.first as! NSDictionary
let appLimitKey = appLimitData["appLimitId"] as! String
let data = self.getSchedule(key: appLimitEventName ?? "")
if let appTokens = data?.applicationTokens {
for token in appTokens {
if !self.applicationTokens.contains(appTokens) {
self.applicationTokens.insert(token)
}
}
}
self.store.shield.applications = self.applicationTokens
self.store.shield.applicationCategories = ShieldSettings.ActivityCategoryPolicy.specific(self.categoryTokens, except: Set())
dataArray.removeFirst()
//dataArray.append(appLimitData)
self.defaults?.set(dataArray, forKey: "appLimitdataArray")
self.initiateMonitoring(initiateAgain: true)
self.scheduleNotification(with: "init end")
}
}
}
This works as expected for multiple App Limits but only when the device is connected to the Xcode. If we disconnect the device from Xcode/ stop application from Xcode/ try in release mode, the callback is not received from extension to the app/init block.
When the device is connected to Xcode, if the apps hit the threshold, they are shielded automatically. But if the device is disconnected/ app is in release mode, the apps are not shielded automatically even after the threshold is reached. It is shielded later only after opening our app once.
Please let me know if I'm doing anything wrong in receiving callback or in my shielding logic. If I need to place the shielding logic in the extension, please tell me how I can handle multiple appTokens.
Hello,
I created my manifest file, added to target and when I send app to review I receive email. I have no idea what is wrong. I tried change localization, modify file and nothing. Still don't work.
Xcode version 15.3.
localization file and add to target:
email:
manifest file:
Manifest file
Hello Apple
We have read your guide on https://developer.apple.com/documentation/bundleresources/privacy_manifest_files#4284009 and it is unclear how the NSPrivacyTrackingDomains affects WebView functionality of the app.
We have WebView based functionality we use for signup/ login of customers in the app and that can potentially track users.
It is stated that If the user has not granted tracking permission through the App Tracking Transparency framework, network requests to these domains fail and your app receives an error.
However based on our testing the domains listed in NSPrivacyTrackingDomains have no effect on network requests happening in the WebView if the user declines tracking via the App Tracking Transparency prompt. (e.g pages are loaded, network requests to listed tracking domains are happening)
Can you confirm it is the case on what should de done about it?
Right now we have a custom implementation on our side that passes the result of the App Tracking Transparency prompt to the WebView instructing it weather it can send requests to tracking domains or not.
In my project, I am using a third-party SDK called "SwiftyJSON" which is not maintained or updated since April 2019. So in such cases where the third-party SDKs are not updated with a PrivacyInfo.xcprivacy will it affect the app release in Appstore or in such cases is there any way to bypass non-maintained SDK?
1C8F.1 seems to cover all the situations that CA92.1 covers, plus 1C8F.1 covers data for app extensions and App Clips.
If our SDK uses UserDefaults, and our group debates that
some functionality is about data only accessible to the app and would be covered by code CA92.1
some functionality is about data accessible to extensions and App Clips and would be covered by code 1C8F.1
Can we declare both codes in our manifest file (PrivacyInfo.xcprivacy) ?
Or should we only declare 1C8F.1 to cover both parts?
We submitted an app to TestFlight and received the expected warning email. However, the email did not mention any of the SDK frameworks that were in the app. The email only mentioned the app itself and the app's extensions.
We expected to get warnings for our frameworks that used required reason APIs.
We also expected to get warnings for frameworks in the "list of commonly used third-party SDKs"
Why are the warnings not as expected?
Is this because Test Flight is not making the same kind of warning emails that will be created for the App Store?
My app is using Advertising data type to track but it leverages third-party ads SDKs to do so. I add NSPrivacyCollectedDataTypeAdvertisingData and NSPrivacyCollectedDataTypeTracking that is true to my app's manifest file.
Those third-party ads SDKs will have their own manifests declaring the values of NSPrivacyTracking and tracking domains.
In this case, do I need to set NSPrivacyTracking as true and add domains those SDKs are connecting to the host app's privacy manifest? My guess is no since all manifests are merged in to a single report finally.
I noticed that Apple's articles have changed since originally being published. For example, some required reason codes have been added to Describing use of required reason API
Since there is no visible modification date or revision date on the page, how can we get notiifications for changes to these pages? I did not find a 'watch' button in them.
Morning All,
just wanted a little help with my xamarin forms app. When I publish to test flight for a public test build I am always receiving the email about ITMS-91053: Missing API declaration. I have followed the steps and created a PrivacyInfo.xcprivacy in Xcode and I can see it in my xamarin iOS project but I still get the email saying it is missing. Is there something I am missing or ned to reference in the info.plist etc. My looks like the following:
`
Hello, I have a question regarding the Privacy Manifest of a third-party SDK.
We are using a static third-party SDK. This third-party SDK use the UserDefaults API, and it is also specified in the Privacy Accessed API Types within PrivacyInfo.xcprivacy. The static third-party SDK is added as a dependency via CocoaPods, and PrivacyInfo.xcprivacy is included in the Pods Resource. Additionally, our app does not use UserDefaults API.
When we generate the Privacy Report, it correctly shows the data collected by the third-party SDK. However, when we submitted for review, we received a warning email stating that UserDefaults is being used in the app but is missing from the Privacy Manifest.
ITMS-91053: Missing API declaration - Your app’s code in the “MyApp” file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryUserDefaults. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.
I have the following questions:
When submitting the app for review, does Apple not consider the PrivacyInfo.xcprivacy of the third-party SDK?
What steps should be taken to ensure that Apple reviews the PrivacyInfo.xcprivacy of the third-party SDK?