Existing external libraries are distributed in the form of framework files. However, if the company providing the library delays the Privacy Manifest registration patch, how can I handle this situation? Am I just keep getting my app rejected?
In an app that uses a specific commit in open source branch, what should I do if the Privacy Manifest is registered only in the latest version of that version? For various reasons, including functional stability, the open source cannot be updated to the latest version.
Prioritize user privacy and data security in your app. Discuss best practices for data handling, user consent, and security measures to protect user information.
Post
Replies
Boosts
Views
Activity
I have developed a framework that uses Alamofire which is included in the list of third-party SDKs that require the Privacy Manifest.
https://developer.apple.com/support/third-party-SDK-requirements/
The latest version of Alamofire already includes the PrivacyManifest.xcprivacy file and is visible from my own framework.
My question is if it is necessary to add a PrivacyManifest.xcprivacy to my framework in that case and if so, should it be the same as Alamofire's? Wouldn't that be redundant? My framework does not use any API that has to be declared.
If another framework were to use my framework that uses Alamofire, should I also create a PrivacyManifest.xcprivacy?
Thank you.
Hello,
I created my manifest file, added to target and when I send app to review I receive email. I have no idea what is wrong. I tried change localization, modify file and nothing. Still don't work.
Xcode version 15.3.
localization file and add to target:
email:
manifest file:
Manifest file
Hello,
What are the guidelines for mergeable libraires regarding privacy data ?
In particular where do we put the PrivacyInfo.xcprivacy file in this situation, so as Apple process can scan it when we upload the package of the app.
Thank you.
Hello,
When you integrate framework linked statically, the usage is that those framework provide a bundle in which they put their PrivacyInfo.xcprivacy file.
If you decompress an .ipa file you submit to Apple, you can see this bundle at the root.
The problem is that the PrivacyInfo.xcprivacy files inside bundles seem not to be scan by Apple in the privacy process.
Thus Apple send us issues about missing privacy.
Have you already heard about this problem ?
Probably link to what i am saying : Firebase issue #12557
Thank you very much for your feedback !
As per our code, we have the apps to be shielded whenever the threshold is reached. According to this use-case, our code in DeviceActivityExtension looks something like:
override func eventDidReachThreshold(_ event: DeviceActivityEvent.Name, activity: DeviceActivityName) {
super.eventDidReachThreshold(event, activity: activity)
defaults?.setValue(event.rawValue, forKey: "appLimitEventName")
defaults?.setValue(true, forKey: "appLimitReached")
defaults?.synchronize()
// using darwinNotificationCenter to trigger callback in the application
let darwinNotificationCenter = DarwinNotificationsManager.sharedInstance()
darwinNotificationCenter.postNotification(withName: "nextAppLimitInitiated")
// using Notifications to debug since print doesn't work
scheduleNotification(with: "interval threshold reached")
}
And in our application, we have the shielding logic in place,
init() {
let darwinNotificationCenter = DarwinNotificationsManager.sharedInstance()
darwinNotificationCenter.register(forNotificationName: "nextAppLimitInitiated"){
print("callback received")
let appLimitReached = self.defaults?.bool(forKey: "appLimitReached")
let appLimitEventName = self.defaults?.string(forKey: "appLimitEventName")
if appLimitReached ?? false, appLimitEventName != "" {
// this sends the notification when callback is received
self.scheduleNotification(with: "init start")
self.defaults?.setValue(false, forKey: "appLimitReached")
guard var dataArray = self.defaults?.array(forKey: "appLimitdataArray"), !dataArray.isEmpty else {
return
}
let appLimitData = dataArray.first as! NSDictionary
let appLimitKey = appLimitData["appLimitId"] as! String
let data = self.getSchedule(key: appLimitEventName ?? "")
if let appTokens = data?.applicationTokens {
for token in appTokens {
if !self.applicationTokens.contains(appTokens) {
self.applicationTokens.insert(token)
}
}
}
self.store.shield.applications = self.applicationTokens
self.store.shield.applicationCategories = ShieldSettings.ActivityCategoryPolicy.specific(self.categoryTokens, except: Set())
dataArray.removeFirst()
//dataArray.append(appLimitData)
self.defaults?.set(dataArray, forKey: "appLimitdataArray")
self.initiateMonitoring(initiateAgain: true)
self.scheduleNotification(with: "init end")
}
}
}
This works as expected for multiple App Limits but only when the device is connected to the Xcode. If we disconnect the device from Xcode/ stop application from Xcode/ try in release mode, the callback is not received from extension to the app/init block.
When the device is connected to Xcode, if the apps hit the threshold, they are shielded automatically. But if the device is disconnected/ app is in release mode, the apps are not shielded automatically even after the threshold is reached. It is shielded later only after opening our app once.
Please let me know if I'm doing anything wrong in receiving callback or in my shielding logic. If I need to place the shielding logic in the extension, please tell me how I can handle multiple appTokens.
Hello Apple
We have read your guide on https://developer.apple.com/documentation/bundleresources/privacy_manifest_files#4284009 and it is unclear how the NSPrivacyTrackingDomains affects WebView functionality of the app.
We have WebView based functionality we use for signup/ login of customers in the app and that can potentially track users.
It is stated that If the user has not granted tracking permission through the App Tracking Transparency framework, network requests to these domains fail and your app receives an error.
However based on our testing the domains listed in NSPrivacyTrackingDomains have no effect on network requests happening in the WebView if the user declines tracking via the App Tracking Transparency prompt. (e.g pages are loaded, network requests to listed tracking domains are happening)
Can you confirm it is the case on what should de done about it?
Right now we have a custom implementation on our side that passes the result of the App Tracking Transparency prompt to the WebView instructing it weather it can send requests to tracking domains or not.
My app is using Advertising data type to track but it leverages third-party ads SDKs to do so. I add NSPrivacyCollectedDataTypeAdvertisingData and NSPrivacyCollectedDataTypeTracking that is true to my app's manifest file.
Those third-party ads SDKs will have their own manifests declaring the values of NSPrivacyTracking and tracking domains.
In this case, do I need to set NSPrivacyTracking as true and add domains those SDKs are connecting to the host app's privacy manifest? My guess is no since all manifests are merged in to a single report finally.
Is there an API to query for SIP Protected Paths or someway that this information can be deciphered ?
Intent is to mute those paths or a subset for an ES client ?
I noticed that Apple's articles have changed since originally being published. For example, some required reason codes have been added to Describing use of required reason API
Since there is no visible modification date or revision date on the page, how can we get notiifications for changes to these pages? I did not find a 'watch' button in them.
Morning All,
just wanted a little help with my xamarin forms app. When I publish to test flight for a public test build I am always receiving the email about ITMS-91053: Missing API declaration. I have followed the steps and created a PrivacyInfo.xcprivacy in Xcode and I can see it in my xamarin iOS project but I still get the email saying it is missing. Is there something I am missing or ned to reference in the info.plist etc. My looks like the following:
`
We submitted an app to TestFlight and received the expected warning email. However, the email did not mention any of the SDK frameworks that were in the app. The email only mentioned the app itself and the app's extensions.
We expected to get warnings for our frameworks that used required reason APIs.
We also expected to get warnings for frameworks in the "list of commonly used third-party SDKs"
Why are the warnings not as expected?
Is this because Test Flight is not making the same kind of warning emails that will be created for the App Store?
I thought I read somewhere in the privacy manifest documentation that they were not required for app extensions because extensions will inherit the privacy info from their parent apps and SDKs, but now I can't find a reference for that.
If that is the case, I don't think it is working correctly, because we are getting warnings about missing API declarations for things that should be covered by an app or SDK manifest from what I can tell.
Will an app be rejected after the 1st of May 2024 if it contains a Embedded Dynamic XCFramework that uses a Required Reason API and it does not declare the Required Reason API usage inside its Privacy Manifest?
Important note: I am asking about dynamic xcframeworks that are NOT on Apple's list of commonly-used SDKs.
I am asking because I'm only getting warnings about missing API declaration for the main app binary and app extensions. I do not get any warnings for the embedded dynamic xcframeworks that i have in my app.
My organization is using mutual TLS authentication for HTTPS, with PIV cards storing the certs. We observe that some OS X devices send only the leaf certs when establishing the mTLS connection, whereas others send the entire chain. We cannot validate the leaf cert without the intermediate cert, so those clients are rejected.
What drives the decision whether to send the whole chain, vs the leaf cert only?
For more details, and some things we observed.
The PIV cards are US DoD CAC cards: https://www.cac.mil/common-access-card/
The client cert chain on the card looks like this:
Leaf client cert, CN=LastName.Name
Intermediate cert, CN=DOD ID CA-70
"Root" cert, CN=DoD Root CA 6
through 8.: Additional interoperability certs.
Our system is set up to trust the "root" cert CN=DoD Root CA 6.
Neither the leaf cert, nor other certs in the chain are trusted by Apple Keychain Trust Store by default.
We find that most laptops will send the entire chain, 1 through 8, when establishing the mTLS connection with our servers. This allows us to validate them correctly.
On a subset of OS X devices, Google Chrome will only send the leaf chain. This happens even when we use exact same PIV card, and exact same PIV reader as on working laptops. Safari will not send any cert at all.
We found that if we explicitly add the CN=DoD Root CA 6 to the Apple Trust Store, Google Chrome and Safari will start sending a short chain, containing only certs 1 through 3. This allows the server to validate them. When we remove it from Trust Store, Chrome is back to sending only leaf, but Safari will not even send the leaf.
Again, this only happens on some laptops; on most of the laptops, both Safari and Google Chrome will send the entire chain, regardless of whatever is set up in Trust Store.
My suspicion is that for some reason, on those laptops, Safari will not send the client certs that OS X doesn't trust. This makes sense, but this is not the behavior we want. We want the same behavior on the working laptops, which is to send the whole chain.
All of our laptops are on OS X 14.4
Hello!
I am using the eventDidReachThreshold callback in the DeviceActivityMonitor in order to shield a target app after the user has spend x amount of time on it (e.g. x = 5 minutes).
Many times this works fine, and I can trigger my shield after the specified threshold has been met.
However sometimes, when they leave the target app before the threshold has been reached, the eventDidReachThreshold callback gets called randomly while they are doing something else on their phone (e.g. using a different app, on the Home Screen, phone locked…).
From my perspective this does not make sense, since they are not actively spending time on the target app, and that time should not be counted towards the target app’s threshold.
And it is also very confusing for the users because they will then find a blocked target app even though they haven’t used their time budget completely.
This is not related to the intervalDidStart / intervalDidEnd callbacks, because they are not correlating with the timing of when the eventDidReachThreshold callback is called unexpectedly.
Any ideas what this could be related to?
I have an app that uses Endpoint security.
I have 1 client that registered many AUTH and NOTIFY event types.
When I I recive an Endpoint Security message (event) and my handler is called. Which thread does it use?
If I have 1 client will it always just use the same 1 thread?
If not, can it ever happen that I register 1 client, and he will handle more then 1 event in the same time? regardless of the event type or any thing else
I am developing an app that uses the Endpoint Security API.
I need to mute a few processes like: my own process, xcode, etc' ...
However, if the muted processes create child processes, I want these processes to be muted as well. The full process tree under muted processes should be muted.
How can that be done?
Cant see in docs and can't find an example.
If it can't be done, whats the closest thing to that I can implement.
Thanks!
Hello, I have a question regarding the Privacy Manifest of a third-party SDK.
We are using a static third-party SDK. This third-party SDK use the UserDefaults API, and it is also specified in the Privacy Accessed API Types within PrivacyInfo.xcprivacy. The static third-party SDK is added as a dependency via CocoaPods, and PrivacyInfo.xcprivacy is included in the Pods Resource. Additionally, our app does not use UserDefaults API.
When we generate the Privacy Report, it correctly shows the data collected by the third-party SDK. However, when we submitted for review, we received a warning email stating that UserDefaults is being used in the app but is missing from the Privacy Manifest.
ITMS-91053: Missing API declaration - Your app’s code in the “MyApp” file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryUserDefaults. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.
I have the following questions:
When submitting the app for review, does Apple not consider the PrivacyInfo.xcprivacy of the third-party SDK?
What steps should be taken to ensure that Apple reviews the PrivacyInfo.xcprivacy of the third-party SDK?
1C8F.1 seems to cover all the situations that CA92.1 covers, plus 1C8F.1 covers data for app extensions and App Clips.
If our SDK uses UserDefaults, and our group debates that
some functionality is about data only accessible to the app and would be covered by code CA92.1
some functionality is about data accessible to extensions and App Clips and would be covered by code 1C8F.1
Can we declare both codes in our manifest file (PrivacyInfo.xcprivacy) ?
Or should we only declare 1C8F.1 to cover both parts?