Necessity of Privacy Manifest for third-party SDK in app review

I am currently working as an app developer, and I want to know the definition of "third-party SDK" as mentioned at WWDC23. From Privacy manifest files | Apple Developer Documentation, we can say that the following targets require a privacy manifest:

Apps and third-party SDKs — distributed as XCFrameworks, Swift packages, or framework bundles — can contain a privacy manifest file

From my understanding, any external library we used in our app qualifies as a third-party SDK. Consequently, they should all contain a Privacy Manifest.

However, my concern is that in our app we do use some old libraries that have not been updated for 2-4 years (e.g. ColorAssetCatalog, KeychainAccess). Under these circumstances, I would like to know:

  • Do these open-source libraries, which do not collect any of the data Apple mentioned (including Required Reason API, tracking domains) and only provide source code, require a Privacy Manifest?
  • Secondly, would the lack of a privacy manifest in a third-party SDK we use in our app result in failing the app review?

I fully understand that Apple wants to ensure our apps are as transparent as possible, but the details are lacking. Even now, I still can't find a list of "Privacy-Impacting SDKs" or any specific information about them.

I would greatly appreciate it if anyone could provide further information or insights on this topic. Many thanks in advance.

Jardine answered 1/11, 2023 at 4:53 Comment(11)
I faced the same problem. After researching their documentation I came to the conclusion that for very old libraries, if you are aware of what the library does, you can declare the needed info in your app's PrivacyInfo... – Renee
@DmitriyMitiai I have the same problem. Are you telling me to add PrivacyInfo to my app if the library developer is not responding?? – Raddatz
@Raddatz Yes. Eventually, at the final step, everything is collected into one file gathering all PrivacyInfos into one. This is the purpose of the Privacy Manifest: to simplify life. So if you know that some outdated library uses coarse location, you can mention it in your Privacy Manifest, because in the end this lib will be a part of your code. – Renee
@DmitriyMitiai There is a lot I don't understand because I use a translator... So if I don't have a PrivacyInfo in my third-party library, should I create a PrivacyInfo myself in my app project and describe what the library does? Then, if the third-party library does not have anything corresponding to PrivacyInfo, does it not have to have a PrivacyInfo file? Even if it does, can I check the code of the third-party library and put it in my app project's PrivacyInfo?? I'm sorry, I feel like I'm repeating the same question. English is difficult for me. – Raddatz
@Raddatz Yes. Create a file and set it up. If your application doesn't directly use some feature, but a third-party library does, mention it in your PrivacyInfo file. – Renee
Hi @DmitriyMitiai, I am actually an SDK provider. In my SDK, I am not collecting any data. What has to be added to the privacy manifest file of my SDK project so that I can distribute it to my customers for smooth app updates in the App Store? Thanks in advance. – Overset
Hi @GJDK, for more information, please read their documentation. Apple described everything pretty clearly. Even if you use UserDefaults, you should mention this. In case you don't have anything to collect at all, you can skip it. – Renee
@DmitriyMitiai Are you sure that we can skip the need for a Privacy Manifest file if the pod does not collect or store anything? I don't see this piece of info in the Apple doc or WWDC. – Requirement
I'm not talking about one pod. I'm just saying that if your application and pods don't use anything described in the privacy manifest section, what would you add there? I mean if you don't have anything to add, you can skip it. Of course, if your app uses UserDefaults but the pod does not, you should create a privacy manifest. If the pod uses UserDefaults but your app does not, you should create a privacy manifest. At the build step, all available privacy manifests in the project (your app and pods) will be merged into one. – Renee
@DmitriyMitiai: Thanks for sharing information about the PrivacyInfo file. But I heard that Apple now needs "Signatures for SDKs" too. So, same question: what can I do about old libraries' "Signatures"? Can you elaborate so I know what to do with my app? – Citronella
@Mirant, not 100% sure, but Apple has a list of libraries which should provide you with a signature file. In theory, if a library is NOT in this list, Apple may not monitor it. But if that's not the case and the library is no longer supported, the only solution I see is to add this library as part of your project and not as a Pod/Package dependency. – Renee

Apple has included the list here (https://developer.apple.com/support/third-party-SDK-requirements/) of SDKs that require a privacy manifest and signature. You can use Xcode 15 to add PrivacyInfo.xcprivacy (https://developer.apple.com/documentation/bundleresources/privacy_manifest_files) and follow the steps in https://developer.apple.com/videos/play/wwdc2023/10060/ to get the requirement fulfilled.

Ladida answered 8/12, 2023 at 11:50 Comment(5)
Can I enter multiple reasons in the required reason API? – Raddatz
What about other pods like FSCalendar which are not in Apple Doc's pod list? – Requirement
This could be helpful as well: gist.github.com/MarcoEidinger/22feb1588c3d7be41c42853a77e52772 – Pliers
@Raddatz yes you can – Ladida
@DeepakThakur Those that are not included in Apple's docs can be ignored. But it is important to make sure to add the requirement and reasoning in the privacy manifest for the main app's use case. – Ladida

Apple requires a Privacy Manifest for any app dependent on the SDK list defined on their website. These SDKs should have released (or will soon be releasing) an updated version of their SDK that provides a privacy manifest. A potentially incomplete compilation of statuses is available here.

In order to use those SDKs in your application and create a privacy manifest, you will need to update your app to the most recent version of the SDK. I recommend pinging the developers on GitHub for details and status updates.

Quoin answered 27/2, 2024 at 2:31 Comment(3)
What if the developer of a library does not include a privacy manifest by 1st May? Should the developer of the mobile app (who is using this library) remove the library from the app to be able to upload an update to the App Store, or is there another way to deal with that? – Irby
Which SDK are you talking about? Most should have published by now. – Quoin
RxSwift doesn't have one, for example. – Fitted

However, my concern is that in our app we do use some old libraries that have not been updated for 2-4 years (e.g. ColorAssetCatalog, KeychainAccess). Under these circumstances, I would like to know:

We are in the same situation. What we have decided is to use this tool to check whether the SDKs we are using depend on APIs that need a reason for use. If yes:

  1. Open source: we fork it and include it ourselves / try to remove the dependency.
  2. Proprietary: connect with the support team. For paid SDKs the teams are professional and are providing updates.

Secondly, would the lack of a privacy manifest in a third-party SDK we use in our app result in failing the app review?

Yes, of course, as per here: https://developer.apple.com/news/?id=3d8a9yyh

Do these open-source libraries, which do not collect any of the data Apple mentioned (including Required Reason API, tracking domains) and only provide source code, require a Privacy Manifest?

Nope, they are excluded. We are good to go with them without the manifest.

Engobe answered 23/3, 2024 at 12:52 Comment(0)
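The answer above relies on an unnamed tool to find out which dependencies touch required reason APIs. Below is an added example (not from the answer, and not that tool) of the check a practitioner would want before deciding whether to fork an unmaintained library: a grep-level scan of dependency sources for the API symbols in each required reason category. The symbol table is an abbreviated transcription of Apple's "Describing use of required reason API" page and should be checked against the current list; the two libraries under Pods/ are constructed for the demo and are not real projects.

```python
"""Scan dependency sources for calls to Apple's "required reason" API categories.

Added example for this thread; not the tool the answer refers to and not
Apple's tooling. REQUIRED_REASON_SYMBOLS is an abbreviated transcription of
Apple's "Describing use of required reason API" page: verify it against the
current list before relying on it.
"""
import re
import tempfile
from pathlib import Path

# category identifier -> symbols whose use requires a declared reason
REQUIRED_REASON_SYMBOLS = {
    "NSPrivacyAccessedAPICategoryFileTimestamp": [
        "creationDate", "modificationDate", "fileModificationDate",
        "contentModificationDateKey", "creationDateKey",
        "getattrlist", "getattrlistbulk", "fgetattrlist",
        "stat", "fstat", "fstatat", "lstat", "getattrlistat",
    ],
    "NSPrivacyAccessedAPICategorySystemBootTime": [
        "systemUptime", "mach_absolute_time",
    ],
    "NSPrivacyAccessedAPICategoryDiskSpace": [
        "volumeAvailableCapacityKey", "volumeAvailableCapacityForImportantUsageKey",
        "volumeAvailableCapacityForOpportunisticUsageKey", "volumeTotalCapacityKey",
        "systemFreeSize", "systemSize", "statfs", "statvfs", "fstatfs", "fstatvfs",
    ],
    "NSPrivacyAccessedAPICategoryActiveKeyboards": ["activeInputModes"],
    "NSPrivacyAccessedAPICategoryUserDefaults": ["UserDefaults", "NSUserDefaults"],
}


def scan_sources(root: Path, extensions=(".swift", ".m", ".mm", ".h", ".c")) -> dict:
    """Return {category: {symbol: [relative paths]}} for every textual hit under root.

    This is a whole-word text match, not a call-graph analysis: a symbol that
    appears in a comment, a string or a header include is reported too, so
    every hit still needs a human look before it becomes a manifest entry.
    """
    patterns = {
        cat: re.compile(r"\b(" + "|".join(map(re.escape, syms)) + r")\b")
        for cat, syms in REQUIRED_REASON_SYMBOLS.items()
    }
    hits: dict = {}
    for path in sorted(root.rglob("*")):
        if path.suffix not in extensions or not path.is_file():
            continue
        text = path.read_text(errors="replace")
        rel = str(path.relative_to(root))
        for cat, pat in patterns.items():
            for m in pat.finditer(text):
                files = hits.setdefault(cat, {}).setdefault(m.group(1), [])
                if rel not in files:
                    files.append(rel)
    return hits


# Constructed sample dependencies for the demo; these are not real libraries.
SAMPLE_SOURCES = {
    "Pods/FakeKeychainLib/Keychain.swift": """
        import Security
        func save(_ data: Data) -> OSStatus {
            let query: [String: Any] = [kSecClass as String: kSecClassGenericPassword]
            return SecItemAdd(query as CFDictionary, nil)
        }
    """,
    "Pods/FakeCacheLib/DiskCache.swift": """
        import Foundation
        let defaults = UserDefaults.standard
        func age(of url: URL) throws -> Date? {
            let attrs = try FileManager.default.attributesOfItem(atPath: url.path)
            return attrs[.creationDate] as? Date
        }
    """,
    "Pods/FakeCacheLib/Legacy.m": """
        #include <sys/stat.h>
        int fileSize(const char *p) { struct stat st; return stat(p, &st) == 0 ? (int)st.st_size : -1; }
    """,
}


def demo() -> dict:
    """Write the constructed sources to a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, src in SAMPLE_SOURCES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(src)
        return scan_sources(root)


if __name__ == "__main__":
    for cat, syms in demo().items():
        print(cat)
        for sym, files in syms.items():
            print(f"  {sym}: {', '.join(files)}")
```

In the demo the keychain-only library produces no hits, which is the "uses nothing Apple lists" case the question asks about, while the cache library is flagged for UserDefaults and for file timestamps (creationDate and stat). Run it against a real Pods/ or checkouts/ directory by calling scan_sources on that path; anything reported for a library without its own PrivacyInfo.xcprivacy is what you would have to declare in the app's manifest, fork, or remove.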

Apps and third-party SDKs — distributed as XCFrameworks, Swift packages, or Xcode projects — can contain a privacy manifest file, named PrivacyInfo.xcprivacy. The privacy manifest is a property list that records the following information:

The types of data collected by your app or third-party SDK. You need to provide this information for your app or third-party SDK on all platforms.

The required reasons APIs your app or third-party SDK uses. You need to provide this information for your app or third-party SDK on iOS, iPadOS, tvOS, visionOS, and watchOS.

For each type of data your app or third-party SDK collects and category of required reasons API it uses, the app or third-party SDK needs to record the reasons in its bundled privacy manifest file.

Important

You need to include a privacy manifest file in your third-party SDK if it’s listed in “SDKs that require a privacy manifest and signature,” in Upcoming third-party SDK requirements. Otherwise, include a privacy manifest file in your third-party SDK if it uses required reasons API, collects data about the person using apps that include the third-party SDK, enables the app to collect data about people using the app, or contacts tracking domains. Providing a privacy manifest file helps app developers to understand the API use and data-collection practices of your third-party SDK.

Create a privacy manifest

To add the privacy manifest to your app or third-party SDK in Xcode, follow these steps:

  • Choose File > New File.
  • Scroll down to the Resource section, and select App Privacy File type.
  • Click Next.
  • Check your app or third-party SDK’s target in the Targets list.
  • Click Create.

By default, the file is named PrivacyInfo.xcprivacy; this is the required file name for bundled privacy manifests.

Note

You need to add the privacy manifest file to your target’s resources for Xcode to use it when you generate a privacy report. If you distribute your third-party SDK as a static library, use the support for static frameworks in Xcode 15 or later to bundle resources, including the privacy manifest file. Create a framework target in Xcode that builds your product, set its Mach-O type build setting to “Static Library,” and add the privacy manifest file to your target’s bundle resources along with any other resources, for example, image files.

At the top level of this property list file, add the following keys to the dictionary:

NSPrivacyTracking

A Boolean that indicates whether your app or third-party SDK uses data for tracking as defined under the App Tracking Transparency framework. For more information, see User Privacy and Data Use.

NSPrivacyTrackingDomains

An array of strings that lists the internet domains your app or third-party SDK connects to that engage in tracking. If the user has not granted tracking permission through the App Tracking Transparency framework, network requests to these domains fail and your app receives an error.

To provide a list of internet domains in NSPrivacyTrackingDomains, set NSPrivacyTracking to true.

NSPrivacyCollectedDataTypes

An array of dictionaries that describes the data types your app or third-party SDK collects. For information on the keys and values to use in the dictionaries, see Describing data use in privacy manifests.

NSPrivacyAccessedAPITypes

An array of dictionaries that describe the API types your app or third-party SDK accesses that have been designated as APIs that require reasons to access. For information on the keys and values to use in the dictionaries, see Describing use of required reason API.

Aright answered 8/5, 2024 at 5:59 Comment(0)
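The answer above lists the four top-level keys and states one consistency rule (listing NSPrivacyTrackingDomains requires NSPrivacyTracking to be true). As an added example, not Apple's tooling and not code from the answer, here is a small Python helper that assembles a PrivacyInfo.xcprivacy with those keys, writes it as an XML plist, and runs the structural checks a CI step could apply before the archive is uploaded. The per-entry key names (NSPrivacyAccessedAPIType, NSPrivacyAccessedAPITypeReasons, NSPrivacyCollectedDataType and friends) and the UserDefaults reason code CA92.1 are taken from Apple's "Describing use of required reason API" and "Describing data use in privacy manifests" pages, which the answer references; confirm them there before shipping. The tracking domain in the broken sample is constructed.

```python
"""Build and sanity-check a PrivacyInfo.xcprivacy file.

Added example for this thread; not Apple's tooling. The four top-level keys
are the ones the answer lists. Per-entry key names and the reason code come
from Apple's "Describing use of required reason API" and "Describing data
use in privacy manifests" pages: confirm them there before shipping.
"""
import plistlib
import tempfile
from pathlib import Path

MANIFEST_NAME = "PrivacyInfo.xcprivacy"  # required file name for bundled manifests

COLLECTED_ENTRY_KEYS = (
    "NSPrivacyCollectedDataType",
    "NSPrivacyCollectedDataTypeLinked",
    "NSPrivacyCollectedDataTypeTracking",
    "NSPrivacyCollectedDataTypePurposes",
)


def build_manifest(tracking_domains, accessed_apis, collected_types) -> dict:
    """Assemble the top-level dictionary.

    accessed_apis:   [(category identifier, [reason codes])]
    collected_types: [(data type, linked: bool, tracking: bool, [purposes])]
    NSPrivacyTracking is derived from the domain list so the two cannot disagree.
    """
    return {
        "NSPrivacyTracking": bool(tracking_domains),
        "NSPrivacyTrackingDomains": list(tracking_domains),
        "NSPrivacyCollectedDataTypes": [
            dict(zip(COLLECTED_ENTRY_KEYS, (t, linked, tracking, list(purposes))))
            for t, linked, tracking, purposes in collected_types
        ],
        "NSPrivacyAccessedAPITypes": [
            {"NSPrivacyAccessedAPIType": cat, "NSPrivacyAccessedAPITypeReasons": list(reasons)}
            for cat, reasons in accessed_apis
        ],
    }


def check_manifest(manifest: dict) -> list:
    """Return a list of problems; an empty list means the structural checks pass."""
    problems = []
    if not isinstance(manifest.get("NSPrivacyTracking", False), bool):
        problems.append("NSPrivacyTracking must be a boolean")
    # Rule from the documentation: tracking domains may only be listed when
    # NSPrivacyTracking is true.
    if manifest.get("NSPrivacyTrackingDomains") and manifest.get("NSPrivacyTracking") is not True:
        problems.append("NSPrivacyTrackingDomains is non-empty but NSPrivacyTracking is not true")
    seen = set()
    for i, entry in enumerate(manifest.get("NSPrivacyAccessedAPITypes", [])):
        cat = entry.get("NSPrivacyAccessedAPIType")
        if not cat:
            problems.append(f"NSPrivacyAccessedAPITypes[{i}] has no NSPrivacyAccessedAPIType")
        elif cat in seen:
            # several reasons for one category belong in that entry's reasons array
            problems.append(f"{cat} appears more than once; put all its reasons in one entry")
        seen.add(cat)
        if not entry.get("NSPrivacyAccessedAPITypeReasons"):
            problems.append(f"{cat or i}: each accessed API category needs at least one reason code")
    for i, entry in enumerate(manifest.get("NSPrivacyCollectedDataTypes", [])):
        for key in COLLECTED_ENTRY_KEYS:
            if key not in entry:
                problems.append(f"NSPrivacyCollectedDataTypes[{i}] is missing {key}")
    return problems


def write_manifest(manifest: dict, directory: Path) -> Path:
    """Write the manifest as an XML plist under the required file name."""
    path = directory / MANIFEST_NAME
    with path.open("wb") as fh:
        plistlib.dump(manifest, fh, fmt=plistlib.FMT_XML)
    return path


def load_manifest(path: Path) -> dict:
    with path.open("rb") as fh:
        return plistlib.load(fh)


def demo() -> tuple:
    """A valid manifest (UserDefaults, reason CA92.1) next to a broken one."""
    good = build_manifest(
        tracking_domains=[],
        accessed_apis=[("NSPrivacyAccessedAPICategoryUserDefaults", ["CA92.1"])],
        collected_types=[],
    )
    bad = dict(good)
    bad["NSPrivacyTrackingDomains"] = ["tracker.example"]  # constructed domain, NSPrivacyTracking left false
    bad["NSPrivacyAccessedAPITypes"] = [
        {"NSPrivacyAccessedAPIType": "NSPrivacyAccessedAPICategoryFileTimestamp"}  # no reasons
    ]
    with tempfile.TemporaryDirectory() as tmp:
        roundtrip_problems = check_manifest(load_manifest(write_manifest(good, Path(tmp))))
    return roundtrip_problems, check_manifest(bad)


if __name__ == "__main__":
    ok, broken = demo()
    print("valid manifest problems:", ok)
    print("broken manifest problems:", broken)
```

The broken sample trips exactly the two checks the answer's text implies: tracking domains listed while NSPrivacyTracking is false, and an accessed API category with no reason code. Point load_manifest at the PrivacyInfo.xcprivacy inside each framework or package resource bundle to check a dependency's manifest the same way.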