Ottorino Bruni  

Understanding Apple’s Privacy Manifest for iOS Apps

Preparing for Apple’s Mandatory Privacy Manifest Policy

It’s surprising and important to note that such a significant deadline for developers hasn’t been explained clearly with examples. That’s why I’ve written this article to provide straightforward guidance and examples to help developers understand and comply with Apple’s new privacy rules.

Apple is rolling out a new privacy policy requiring developers to include privacy manifest files in their new and updated applications destined for iOS, iPadOS, and tvOS platforms on the App Store. macOS apps are currently exempt from this requirement.

The privacy manifest file, named PrivacyInfo.xcprivacy, serves as a comprehensive record of the types of data collected by your applications, as well as any third-party SDKs and packages, along with the reasons for using specific Required Reason API categories.

Apple has already begun issuing notices regarding the implementation of this policy in your apps. Starting May 1, 2024, compliance will become mandatory for passing the App Store review process. In this post, we’ll explore the necessary steps for ensuring your iOS app remains compliant, enabling you to continue releasing updates seamlessly.

What is the Apple Privacy Manifest?

A few years back, Apple initiated a practice of collecting information from developers regarding the data they gather within their iOS apps and how they utilize that data. This information is then displayed to end-users in the App Store listing of respective apps. For instance, you can observe the App Privacy section in listings for apps like Percentage Calc on iOS.


While this transparency initiative is commendable and serves to safeguard user privacy, it may not always be straightforward for developers to discern the precise data being collected. While developers may be aware of the data gathered within their own apps and how it’s processed, the utilization of third-party libraries introduces additional complexities.

To further enhance the comprehensiveness of the privacy report, Apple is advancing this initiative with the introduction of the Apple privacy manifest. This manifest, also an XML-based metadata file, is expected to be integrated into both apps and libraries where applicable.

By adopting this approach, Apple can consolidate all PrivacyInfo.xcprivacy files from frameworks, libraries, and individual apps, resulting in a comprehensive privacy report displayed on the App Store listing for each app.

Creating a Privacy Manifest for Your App or Third-Party SDK

To incorporate the privacy manifest into your app or third-party SDK in Xcode, follow these steps:

  1. Select File > New File.
  2. Scroll down to the Resource section and choose the App Privacy File type.
  3. Click Next.
  4. Ensure your app or third-party SDK’s target is selected in the Targets list.
  5. Click Create.

By default, the file is named PrivacyInfo.xcprivacy, which is the standard filename for bundled privacy manifests. Within this property list file, add the following keys to the dictionary:

  • NSPrivacyTracking: A Boolean indicating whether your app or third-party SDK utilizes data for tracking purposes as defined under the App Tracking Transparency framework.
  • NSPrivacyTrackingDomains: An array of strings listing the internet domains your app or SDK connects to for tracking. If tracking permission isn’t granted, network requests to these domains fail.
  • NSPrivacyCollectedDataTypes: An array of dictionaries describing the data types collected by your app or SDK.
  • NSPrivacyAccessedAPITypes: An array of dictionaries describing the API types accessed by your app or SDK that require reasons for access.
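
As an added example (not code from the original article or from Apple), the following Python sketch parses a manifest with the standard `plistlib` module and reports structural gaps in the four keys listed above. The sample manifest is constructed for illustration, and the function name `check_manifest` and the tracking/domains consistency rule are assumptions of this example.

```python
import plistlib

# Constructed sample manifest (not from the article); tracking is disabled.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>NSPrivacyTracking</key><false/>
  <key>NSPrivacyTrackingDomains</key><array/>
  <key>NSPrivacyCollectedDataTypes</key><array><dict>
    <key>NSPrivacyCollectedDataType</key><string>NSPrivacyCollectedDataTypeCrashData</string>
    <key>NSPrivacyCollectedDataTypeLinked</key><false/>
    <key>NSPrivacyCollectedDataTypeTracking</key><false/>
    <key>NSPrivacyCollectedDataTypePurposes</key>
    <array><string>NSPrivacyCollectedDataTypePurposeAppFunctionality</string></array>
  </dict></array>
  <key>NSPrivacyAccessedAPITypes</key><array><dict>
    <key>NSPrivacyAccessedAPIType</key><string>NSPrivacyAccessedAPICategoryUserDefaults</string>
    <key>NSPrivacyAccessedAPITypeReasons</key><array><string>CA92.1</string></array>
  </dict></array>
</dict></plist>"""

TOP_LEVEL = {"NSPrivacyTracking": bool, "NSPrivacyTrackingDomains": list,
             "NSPrivacyCollectedDataTypes": list, "NSPrivacyAccessedAPITypes": list}
DATA_KEYS = {"NSPrivacyCollectedDataType" + s for s in ("", "Linked", "Tracking", "Purposes")}

def check_manifest(raw: bytes) -> list[str]:
    """Return a list of findings; an empty list means the structure looks complete."""
    manifest = plistlib.loads(raw)
    findings = []
    for key, kind in TOP_LEVEL.items():
        if key not in manifest:
            findings.append(f"missing {key}")
        elif not isinstance(manifest[key], kind):
            findings.append(f"{key} should be {kind.__name__}")
    def dicts(key):  # wrong-typed values are already reported by the loop above
        value = manifest.get(key)
        return [e for e in value if isinstance(e, dict)] if isinstance(value, list) else []
    # Consistency rule assumed for this example: tracking declared, no domains listed.
    if manifest.get("NSPrivacyTracking") is True and not manifest.get("NSPrivacyTrackingDomains"):
        findings.append("NSPrivacyTracking is true but no tracking domains are listed")
    for i, entry in enumerate(dicts("NSPrivacyCollectedDataTypes")):
        for key in sorted(DATA_KEYS - set(entry)):
            findings.append(f"collected data entry {i}: missing {key}")
    for i, entry in enumerate(dicts("NSPrivacyAccessedAPITypes")):
        if not entry.get("NSPrivacyAccessedAPITypeReasons"):
            findings.append(f"accessed API entry {i}: no reason codes")
    return findings

if __name__ == "__main__":
    print(check_manifest(SAMPLE) or "no findings")
```

The same function can be run over every PrivacyInfo.xcprivacy file found in a build, including those shipped inside third-party SDKs, to spot incomplete entries before submission.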

Filling out the PrivacyInfo.xcprivacy file with entries like NSPrivacyTracking and NSPrivacyCollectedDataTypes can be confusing. Developers might struggle to understand what exactly to include and how to format it properly. By using external resources and documentation, developers can get a better grasp of what needs to go into the privacy manifest. Two useful resources are "Describing data use in privacy manifests" and "Describing use of required reason API".

Starting in spring 2024, it will be mandatory to include a privacy manifest and signature for certain commonly used SDKs in apps submitted to the App Store. This requirement applies to both new app submissions and updates that include any of the listed SDKs as binary dependencies. Any version of the listed SDKs, as well as repackaged versions, will fall under this requirement.

The most efficient way to describe the data collected by your app or third-party SDK is by utilizing the Privacy Report. In Xcode 15, you can easily generate a privacy report by performing an Archive build and then clicking the ‘Generate Privacy Report’ button.


Using the generated report makes it much simpler to fill out your privacy manifest, streamlining the process significantly.


Certainly, to ensure comprehensive compliance with Apple’s privacy requirements, you’ll still need to complete the following sections if your app utilizes them: Privacy Accessed API Types, Privacy Tracking Domains, and Privacy Tracking Enabled.


Third-party libraries play a significant role in your app’s functionality. However, it’s crucial to remember that as the app developer, you are ultimately responsible for ensuring the correct privacy manifest is provided for your apps, regardless of the libraries or frameworks you use. If you continue to receive warnings from the App Store review system, double-check that you have included all necessary entries covering your app code.


Navigating Privacy Complexities with a Headache

Having published apps on the App Store since 2010, with prior experience in developing applications for J2ME and Symbian platforms, I vividly recall the vast array of available applications and the challenges faced by small developers with the introduction of expensive certificates. While I understand the importance of security, I may be among the few who prioritize an app’s privacy over its functionality. However, the burden placed on developers to publish their apps is considerable. I can envision corporate app developers now awaiting legal department approval for inclusion in the privacy manifest. The expanding enclosure of Apple’s policies is evident, and I wonder when it will reach a breaking point for indie developers. Personally, for my future projects, I’m considering turning to web apps or single-page applications (SPAs). I would anticipate Apple to provide automated tools for generating privacy policies to alleviate developers’ workload.
