auth0/SimpleKeychain

Add Privacy manifest file

Closed this issue · 2 comments

Checklist

  • I have looked into the Readme and the Examples, and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

The primary issue I'm encountering involves the lack of a feature for handling privacy manifests within the JWTDecode.swift library. As per the new App Store guidelines effective from May 1, 2024, all applications are required to include a privacy manifest. This is crucial for ensuring that our app remains compliant with App Store policies and avoids any potential disruption in service or availability on the App Store.

Describe the ideal solution

The optimal solution would be for JWTDecode.swift to integrate a feature that allows for easy creation and management of privacy manifests in accordance with the upcoming App Store requirements. This would ideally include functionalities to specify the data types accessed or collected by our application and any third-party integrations, ensuring a seamless process for developers to declare their app's privacy practices transparently. Such an update would greatly assist in maintaining the app's compliance and streamline the development process for all users of your library.

Alternatives and current workarounds

No response

Additional context

No response

Any update as to when the library would be updated with privacy manifest file & signature?

Thank you.

Hi @yasiraliraj, thanks for raising this.

The Apple docs instruct that SDKs must include a privacy manifest in the following situations:

  • If Apple explicitly requires it to: Apple published a list of popular libraries deemed to be “privacy impacting”, which are required to include a privacy manifest.
  • If the SDK uses a “required reasons” API: Apple published a list of system APIs that are commonly abused for fingerprinting purposes. Moving forward, the APIs in that list can only be used for legitimate, explicitly defined reasons. The usage of these APIs and the reasons for using them must be declared in the privacy manifest.
  • If the SDK collects data about the user, or enables the app to do so
  • If the SDK contacts tracking domains: Whenever an SDK sends collected data to a domain for tracking purposes, this domain must be declared in the privacy manifest.

❌ SimpleKeychain is not on the list of libraries published by Apple
❌ SimpleKeychain does not use any “required reasons” APIs
❌ SimpleKeychain does not collect any data, nor does it enable the app to do so
❌ SimpleKeychain does not contact any tracking domains

Therefore SimpleKeychain does not need to include a privacy manifest.
Also, SimpleKeychain is provided as a source package only, not as a binary. Therefore, the signature requirement does not apply.
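As an added check that is not part of SimpleKeychain or of this thread, a small Python scanner that greps Swift sources for the “required reasons” API symbols mentioned in the second bullet above, so the “does not use any required reasons APIs” claim can be re-verified on each release. The symbol table is an assumption (a condensed subset to be checked against Apple's current list), and the two Swift snippets are constructed samples.

```python
import re
from typing import Dict, List, Tuple

# Condensed subset of Apple's "required reason" API categories and the symbols
# that indicate their use. ASSUMPTION: illustrative only; check it against
# Apple's current list before letting it gate a release.
REQUIRED_REASON_APIS: Dict[str, List[str]] = {
    "NSPrivacyAccessedAPICategoryFileTimestamp": [
        "creationDate", "modificationDate", "fileModificationDate",
        "contentModificationDateKey", "getattrlist", "stat", "fstat", "lstat",
    ],
    "NSPrivacyAccessedAPICategorySystemBootTime": ["systemUptime", "mach_absolute_time"],
    "NSPrivacyAccessedAPICategoryDiskSpace": [
        "volumeAvailableCapacityKey", "volumeTotalCapacityKey", "statfs", "statvfs",
    ],
    "NSPrivacyAccessedAPICategoryActiveKeyboards": ["activeInputModes"],
    "NSPrivacyAccessedAPICategoryUserDefaults": ["UserDefaults"],
}

_IDENT = r"(?<![A-Za-z0-9_]){}(?![A-Za-z0-9_])"  # whole-identifier match only


def scan_swift_source(source: str) -> Dict[str, List[Tuple[int, str]]]:
    """Map each required-reason category to the (line, symbol) pairs found in source."""
    hits: Dict[str, List[Tuple[int, str]]] = {}
    for line_no, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]  # drop line comments (simplification: also cuts "://")
        for category, symbols in REQUIRED_REASON_APIS.items():
            for symbol in symbols:
                if re.search(_IDENT.format(re.escape(symbol)), code):
                    hits.setdefault(category, []).append((line_no, symbol))
    return hits


def manifest_skeleton(hits: Dict[str, List[Tuple[int, str]]]) -> List[Dict[str, object]]:
    """NSPrivacyAccessedAPITypes entries to complete; the reason codes need a human."""
    return [{"NSPrivacyAccessedAPIType": cat, "NSPrivacyAccessedAPITypeReasons": []}
            for cat in sorted(hits)]


# Constructed samples (not SimpleKeychain code). Keychain calls such as
# SecItemCopyMatching are not on the list, so the first sample yields no hits.
KEYCHAIN_SAMPLE = """let query: [String: Any] = [kSecClass as String: kSecClassGenericPassword,
                            kSecAttrService as String: "com.example.app"]
var item: CFTypeRef?
let status = SecItemCopyMatching(query as CFDictionary, &item)"""

FLAGGED_SAMPLE = """let defaults = UserDefaults.standard
let uptime = ProcessInfo.processInfo.systemUptime  // used as a boot-time proxy"""
```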