Angus Chang

Reputation: 140

Necessity of Privacy Manifest for third-party SDK in app review

I am currently working as an app developer, and want to know what the definition of "third-party SDK" is, as mentioned in WWDC23. From the Privacy manifest files | Apple Developer Documentation, we can say that the following targets require a privacy manifest:

Apps and third-party SDKs — distributed as XCFrameworks, Swift packages, or framework bundles — can contain a privacy manifest file

From my understanding, any external library we used in our app qualifies as a third-party SDK. Consequently, they should all contain a Privacy Manifest.

However, my concern is that in our app we do use some old libraries that have not been updated for 2-4 years (e.g. ColorAssetCatalog, KeychainAccess). Under these circumstances, I would like to know:

I fully understand that Apple wants to ensure our apps are as transparent as possible, but the details are lacking. Even now, I still can't find a list of "Privacy-Impacting SDKs" or any specific information about them.

I would greatly appreciate it if anyone could provide further information or insights on this topic. Many thanks in advance.

Upvotes: 9

Views: 10787

Answers (4)

khirish

Reputation: 573

Apps and third-party SDKs — distributed as XCFrameworks, Swift packages, or Xcode projects — can contain a privacy manifest file, named PrivacyInfo.xcprivacy. The privacy manifest is a property list that records the following information:

The types of data collected by your app or third-party SDK. You need to provide this information for your app or third-party SDK on all platforms.

The required reasons APIs your app or third-party SDK uses. You need to provide this information for your app or third-party SDK on iOS, iPadOS, tvOS, visionOS, and watchOS.

For each type of data your app or third-party SDK collects and category of required reasons API it uses, the app or third-party SDK needs to record the reasons in its bundled privacy manifest file.

Important

You need to include a privacy manifest file in your third-party SDK if it’s listed in “SDKs that require a privacy manifest and signature,” in Upcoming third-party SDK requirements. Otherwise, include a privacy manifest file in your third-party SDK if it uses required reasons API, collects data about the person using apps that include the third-party SDK, enables the app to collect data about people using the app, or contacts tracking domains. Providing a privacy manifest file helps app developers to understand the API use and data-collection practices of your third-party SDK.

Create a privacy manifest

To add the privacy manifest to your app or third-party SDK in Xcode, follow these steps:

  • Choose File > New File.
  • Scroll down to the Resource section, and select App Privacy File type.
  • Click Next.
  • Check your app or third-party SDK’s target in the Targets list.
  • Click Create.

By default, the file is named PrivacyInfo.xcprivacy; this is the required file name for bundled privacy manifests.

Note

You need to add the privacy manifest file to your target’s resources for Xcode to use it when you generate a privacy report. If you distribute your third-party SDK as a static library, use the support for static frameworks in Xcode 15 or later to bundle resources, including the privacy manifest file. Create a framework target in Xcode that builds your product, set its Mach-O type build setting to “Static Library,” and add the privacy manifest file to your target’s bundle resources along with any other resources, for example, image files.

At the top level of this property list file, add the following keys to the dictionary:

NSPrivacyTracking

A Boolean that indicates whether your app or third-party SDK uses data for tracking as defined under the App Tracking Transparency framework. For more information, see User Privacy and Data Use.

NSPrivacyTrackingDomains

An array of strings that lists the internet domains your app or third-party SDK connects to that engage in tracking. If the user has not granted tracking permission through the App Tracking Transparency framework, network requests to these domains fail and your app receives an error.

To provide a list of internet domains in NSPrivacyTrackingDomains, set NSPrivacyTracking to true.

NSPrivacyCollectedDataTypes

An array of dictionaries that describes the data types your app or third-party SDK collects. For information on the keys and values to use in the dictionaries, see Describing data use in privacy manifests.

NSPrivacyAccessedAPITypes

An array of dictionaries that describe the API types your app or third-party SDK accesses that have been designated as APIs that require reasons to access. For information on the keys and values to use in the dictionaries, see Describing use of required reason API.

Upvotes: -2
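The manifest structure quoted in the answer above, as an added example that is not part of the original answer and not Apple tooling: a constructed PrivacyInfo.xcprivacy covering all four top-level keys, parsed with Python's standard-library plistlib and checked against the rules stated above (tracking domains only alongside NSPrivacyTracking set to true, every accessed API category carrying at least one reason code, every collected data type carrying its four fields). The domain, the DeviceID data type and the reason code CA92.1 are illustrative choices for a hypothetical SDK; the FileTimestamp entry is deliberately left without a reason so the check has something to report.

```python
# Check a PrivacyInfo.xcprivacy against the structural rules described above.
# Added example for this thread, not Apple tooling; all manifests are constructed.
import plistlib

# Constructed sample: a hypothetical SDK that contacts one tracking domain,
# collects a device ID for advertising, reads UserDefaults (reason CA92.1)
# and file timestamps. The FileTimestamp entry deliberately lists no reason.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>NSPrivacyTracking</key>
    <true/>
    <key>NSPrivacyTrackingDomains</key>
    <array>
        <string>tracking.example.com</string>
    </array>
    <key>NSPrivacyCollectedDataTypes</key>
    <array>
        <dict>
            <key>NSPrivacyCollectedDataType</key>
            <string>NSPrivacyCollectedDataTypeDeviceID</string>
            <key>NSPrivacyCollectedDataTypeLinked</key>
            <false/>
            <key>NSPrivacyCollectedDataTypeTracking</key>
            <true/>
            <key>NSPrivacyCollectedDataTypePurposes</key>
            <array>
                <string>NSPrivacyCollectedDataTypePurposeThirdPartyAdvertising</string>
            </array>
        </dict>
    </array>
    <key>NSPrivacyAccessedAPITypes</key>
    <array>
        <dict>
            <key>NSPrivacyAccessedAPIType</key>
            <string>NSPrivacyAccessedAPICategoryUserDefaults</string>
            <key>NSPrivacyAccessedAPITypeReasons</key>
            <array>
                <string>CA92.1</string>
            </array>
        </dict>
        <dict>
            <key>NSPrivacyAccessedAPIType</key>
            <string>NSPrivacyAccessedAPICategoryFileTimestamp</string>
            <key>NSPrivacyAccessedAPITypeReasons</key>
            <array/>
        </dict>
    </array>
</dict>
</plist>
"""

# Constructed: a library that tracks nothing and uses no required reason API.
MINIMAL_MANIFEST = plistlib.dumps(
    {"NSPrivacyTracking": False, "NSPrivacyAccessedAPITypes": []})

# Constructed: tracking domains listed while NSPrivacyTracking is false.
INCONSISTENT_MANIFEST = plistlib.dumps(
    {"NSPrivacyTracking": False,
     "NSPrivacyTrackingDomains": ["tracking.example.com"]})

COLLECTED_FIELDS = ("NSPrivacyCollectedDataType", "NSPrivacyCollectedDataTypeLinked",
                    "NSPrivacyCollectedDataTypeTracking", "NSPrivacyCollectedDataTypePurposes")


def validate_manifest(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means the manifest passed."""
    manifest = plistlib.loads(data)
    findings: list[str] = []
    tracking = manifest.get("NSPrivacyTracking", False)

    # Domains only make sense when the manifest declares tracking.
    if manifest.get("NSPrivacyTrackingDomains") and not tracking:
        findings.append("NSPrivacyTrackingDomains set but NSPrivacyTracking is false")

    # Every accessed-API dictionary needs a category and at least one reason code.
    for i, entry in enumerate(manifest.get("NSPrivacyAccessedAPITypes", [])):
        category = entry.get("NSPrivacyAccessedAPIType", "<missing>")
        if category == "<missing>":
            findings.append(f"NSPrivacyAccessedAPITypes[{i}]: no NSPrivacyAccessedAPIType")
        if not entry.get("NSPrivacyAccessedAPITypeReasons"):
            findings.append(f"NSPrivacyAccessedAPITypes[{i}] ({category}): no reason codes")

    # Every collected-data dictionary needs its four fields; data flagged as
    # used for tracking contradicts NSPrivacyTracking = false.
    for i, entry in enumerate(manifest.get("NSPrivacyCollectedDataTypes", [])):
        for field in COLLECTED_FIELDS:
            if field not in entry:
                findings.append(f"NSPrivacyCollectedDataTypes[{i}]: missing {field}")
        if entry.get("NSPrivacyCollectedDataTypeTracking") and not tracking:
            findings.append(f"NSPrivacyCollectedDataTypes[{i}]: tracking data but NSPrivacyTracking is false")
    return findings
```

Run `validate_manifest` over the `.xcprivacy` of each dependency you bundle: a library that uses none of the required reason APIs passes with the two-key MINIMAL_MANIFEST shape, while an SDK whose manifest has an empty reason array, or lists domains without declaring tracking, is reported before App Review gets to it.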

user3462009

Reputation: 21

Apple requires a Privacy Manifest for any app dependent on the SDK List defined on their website. These SDKs should have released (or will be soon releasing) an updated version of their SDK that provides a privacy manifest. A potentially incomplete compilation of statuses is available here.

In order to use those SDKs in your application and create a privacy manifest, you will need to update your app to the most recent version of the SDK. Recommend pinging the developers on Github for details and status updates.

Upvotes: 1

Pran Kishore

Reputation: 28

However, my concern is that in our app we do use some old libraries that have not been updated for 2-4 years (e.g. ColorAssetCatalog, KeychainAccess). Under these circumstances, I would like to know:

We are in the same situation. What we have decided is to use this tool to check whether the SDKs we are using depend on APIs that need a reason for use. If yes:

  1. Open source: we fork it and include it ourselves / try to remove the dependency.
  2. Proprietary: connect with the support team. For paid SDKs the teams are professional and are providing updates.

Secondly, would the lack of a privacy manifest in a third-party SDK we used in our app result in failing the app review?

Yes of course as per here: https://developer.apple.com/news/?id=3d8a9yyh

Do these open-source libraries that do not collect any data that Apple mentioned (including Required Reason API, tracking domain), and only provide source code, require the Privacy Manifest?

Nope, they are excluded. We are good to go with them without the manifest.

Upvotes: 0
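The approach in the answer above, checking each dependency for required reason API use before deciding whether to fork it, contact the vendor or ship it unchanged, as an added example; this is neither the unnamed tool from the answer nor anything of Apple's. It matches Swift/Objective-C source against the API names Apple lists per required-reason category and emits the NSPrivacyAccessedAPITypes skeleton the hits would demand. The three source files are constructed stand-ins (the keychain one is modelled on what a Security-framework wrapper does, not on KeychainAccess's actual source); the symbol table is my excerpt of Apple's list and is a heuristic, so compare it against the "Describing use of required reason API" page and review every hit by hand.

```python
# Scan dependency source for required reason API use. Added example, not the
# tool from the answer above; the symbol table is an excerpt (assumption: it
# matches Apple's current per-category list) and the sample files are constructed.
import re
from collections import defaultdict

REQUIRED_REASON_APIS = {
    "NSPrivacyAccessedAPICategoryFileTimestamp": [
        "creationDate", "modificationDate", "fileModificationDate",
        "contentModificationDateKey", "creationDateKey", "getattrlist",
        "getattrlistbulk", "fgetattrlist", "stat", "fstat", "fstatat", "lstat",
        "getattrlistat",
    ],
    "NSPrivacyAccessedAPICategorySystemBootTime": ["systemUptime", "mach_absolute_time"],
    "NSPrivacyAccessedAPICategoryDiskSpace": [
        "volumeAvailableCapacityKey", "volumeAvailableCapacityForImportantUsageKey",
        "volumeAvailableCapacityForOpportunisticUsageKey", "volumeTotalCapacityKey",
        "systemFreeSize", "systemSize", "statfs", "statvfs", "fstatfs", "fstatvfs",
    ],
    "NSPrivacyAccessedAPICategoryActiveKeyboards": ["activeInputModes"],
    "NSPrivacyAccessedAPICategoryUserDefaults": ["UserDefaults", "NSUserDefaults"],
}

# Constructed sample sources standing in for three dependencies.
SAMPLE_FILES = {
    # Keychain wrapper: Security framework only, no required reason API.
    "Keychain/Keychain.swift": """
        var result: AnyObject?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        guard status == errSecSuccess else { throw KeychainError.status(status) }
    """,
    # Settings helper: UserDefaults is a required reason API.
    "Settings/Flags.swift": """
        UserDefaults.standard.set(true, forKey: "onboardingComplete")
    """,
    # Cache: reads a file modification date.
    "Cache/Expiry.swift": """
        let attrs = try FileManager.default.attributesOfItem(atPath: path)
        let modified = attrs[.modificationDate] as? Date
    """,
}


def scan_sources(files: dict[str, str]) -> dict[str, set[str]]:
    """Map each required-reason category to the 'path:symbol' pairs that hit it.

    Whole-word matching keeps `status` from matching `stat`, but a local
    variable named `stat` would still be flagged: hits need manual review.
    """
    hits: dict[str, set[str]] = defaultdict(set)
    for path, text in files.items():
        for category, symbols in REQUIRED_REASON_APIS.items():
            for symbol in symbols:
                if re.search(rf"\b{re.escape(symbol)}\b", text):
                    hits[category].add(f"{path}:{symbol}")
    return dict(hits)


def manifest_skeleton(hits: dict[str, set[str]]) -> list[dict]:
    """NSPrivacyAccessedAPITypes entries the hits call for. The reason codes
    must be picked by a human from Apple's per-category list, so the array is
    left empty here; a manifest check would flag it until it is filled in."""
    return [{"NSPrivacyAccessedAPIType": category, "NSPrivacyAccessedAPITypeReasons": []}
            for category in sorted(hits)]


def files_with_hits(hits: dict[str, set[str]]) -> set[str]:
    """Paths that need a fork, an upstream fix or a manifest entry."""
    return {pair.rsplit(":", 1)[0] for pairs in hits.values() for pair in pairs}
```

On the constructed input the keychain wrapper produces no hit, which is the situation the answer describes for a library that touches none of the listed APIs, while the settings and cache files each land in one category. Point `scan_sources` at the checked-out source of each unmaintained dependency (one entry per file) and the returned categories tell you which ones need a manifest entry or a fork.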

Shankar Aware

Reputation: 178

Apple has included the list here (https://developer.apple.com/support/third-party-SDK-requirements/) of SDKs that require a privacy manifest and signature, and you can use Xcode 15 to add PrivacyInfo.xcprivacy (https://developer.apple.com/documentation/bundleresources/privacy_manifest_files) and follow the steps in https://developer.apple.com/videos/play/wwdc2023/10060/ to get the requirement fulfilled.

Upvotes: 4
