App Privacy Manifest Files – Quick How To

Starting May 1st, 2024, the App Store requires that new submissions contain a privacy manifest file for some specific APIs. This blog post briefly goes over how to add the required privacy manifest file and how to conform to these new rules.

What are the rules?

According to Apple:

Starting May 1, 2024, apps that don’t describe their use of required reason API in their privacy manifest file aren’t accepted by App Store Connect.

Currently the APIs that require a usage reason are:

(Links to each individual allowed reasons list)

Furthermore, Apple also states:

Your app or third-party SDK must declare one or more approved reasons that accurately reflect your use of each of these APIs and the data derived from their use. You may use these APIs and the data derived from their use for the declared reasons only. These declared reasons must be consistent with your app’s functionality as presented to users, and you may not use the APIs or derived data for tracking.

In short, any access to the listed APIs must conform to the declared reason and must be used for that reason only. None of these APIs can be used for tracking.

Third Party SDKs

The rules state that any API accessed by a third-party SDK must be declared by the SDK itself. If your code depends on a package that may use these APIs, such as Firebase, you need to update the package to a version that conforms to this new rule. Firebase, for instance, recommends that developers update to version 10.24.0 or later.

If you use the API in your third-party SDK’s code, then you need to report the API in your third-party SDK’s privacy manifest file. Your third-party SDK can’t rely on the privacy manifest files for apps that link the third-party SDK.

Currently there's no easy way to check whether a specific API is being used by an SDK other than manually looking for the privacy manifest file or inspecting the code (which isn't possible for dynamic libraries). Apple may send an email warning that your app is not declaring a usage reason for an API, but you need to manually work out whether the use is in your application code or in a third-party dependency.

In turn, if you are developing a third-party SDK, you should include the privacy declaration (see the section below on how to include it).

App

To comply with the new rules in either your app or your library, you must add a PrivacyInfo.xcprivacy file to the root of your project. This file is a property list containing the usage descriptions for the APIs.

creating a privacy file

Under the App Privacy Configuration key, you should add a new array with the key Privacy Accessed API Types. This is a list of all APIs you use along with their reason.

Each item in this list should contain the key Privacy Accessed API Type with the name of the API (Xcode autocompletes it) and the array key Privacy Accessed API Reasons.

Privacy Accessed API Reasons is a list of the reasons why you use the API. Unlike other privacy information such as Tracking Status or Camera Usage, this list should only contain the allowed reasons listed on Apple's website.
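The structure described above, shown in raw plist form together with a small checker; this is an added example, not code from the original post or from Apple. The raw key and category names come from Apple's documentation rather than this page, the sample manifest is constructed, and `check_manifest` is a hypothetical helper that checks only the manifest's structure, not the reason codes themselves or which APIs the app actually calls.

```python
import plistlib

# Raw plist keys behind the Xcode display names used in the post.
TYPES, TYPE, REASONS = ("NSPrivacyAccessedAPITypes", "NSPrivacyAccessedAPIType",
                        "NSPrivacyAccessedAPITypeReasons")
# Required-reason categories per Apple's documentation (assumption: not taken from this page).
CATEGORIES = {"NSPrivacyAccessedAPICategory" + s for s in (
    "FileTimestamp", "SystemBootTime", "DiskSpace", "ActiveKeyboards", "UserDefaults")}

# Constructed sample PrivacyInfo.xcprivacy: the second entry declares no reason.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>NSPrivacyAccessedAPITypes</key><array>
  <dict>
    <key>NSPrivacyAccessedAPIType</key>
    <string>NSPrivacyAccessedAPICategoryUserDefaults</string>
    <key>NSPrivacyAccessedAPITypeReasons</key>
    <array><string>CA92.1</string></array>
  </dict>
  <dict>
    <key>NSPrivacyAccessedAPIType</key>
    <string>NSPrivacyAccessedAPICategoryFileTimestamp</string>
    <key>NSPrivacyAccessedAPITypeReasons</key>
    <array/>
  </dict>
</array></dict></plist>"""

def check_manifest(data: bytes) -> list:
    """Return structural problems in a privacy manifest (empty list = well-formed)."""
    try:
        root = plistlib.loads(data)
    except Exception as exc:  # malformed XML or binary plist
        return [f"not a valid property list: {exc}"]
    entries = root.get(TYPES) if isinstance(root, dict) else None
    if not isinstance(entries, list) or not entries:
        return [f"{TYPES} is missing or empty"]
    problems = []
    for i, entry in enumerate(entries):
        entry = entry if isinstance(entry, dict) else {}
        api, reasons = entry.get(TYPE), entry.get(REASONS)
        if not isinstance(api, str) or api not in CATEGORIES:
            problems.append(f"entry {i}: unknown API type {api!r}")
        if not (isinstance(reasons, list) and reasons
                and all(isinstance(r, str) and r.strip() for r in reasons)):
            problems.append(f"entry {i}: {api!r} declares no reasons")
    return problems

if __name__ == "__main__":
    print(check_manifest(SAMPLE) or "manifest structure OK")
```

The same function can be pointed at the `PrivacyInfo.xcprivacy` shipped inside a third-party SDK to see what that SDK declares.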


Your app or third-party SDK must declare one or more approved reasons that accurately reflect your use of each of these APIs and the data derived from their use.

While there's no way to check locally whether your app complies with these new rules, once you upload a new build to TestFlight external testing or to App Store review, Apple may send an email listing the missing API declarations or reject the submission with a list of the missing API declarations.