datatheorem/TrustKit

Apple's update to their API policy - Required Reason in Privacy manifest

kdvmgn opened this issue · 4 comments

Hi,

From Fall 2023, Apple is rolling out new privacy requirements. Apps and third-party SDKs should contain a privacy manifest file when they access required reason API. The TrustKit SDK uses [NSUserDefaults](https://developer.apple.com/documentation/foundation/nsuserdefaults), which requires a description of its use in the privacy manifest.
Otherwise, apps that don’t describe their use of required reason API in their privacy manifest file won’t be accepted by App Store Connect. Here is a link to the [Apple documentation](https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api).

Do you have plans to add privacy manifest files to TrustKit?

Apple published a list of the SDKs that require a manifest: https://developer.apple.com/support/third-party-SDK-requirements

It's my understanding that SDKs not on this list do not require the manifest.

@EthanArbuckle

These are just the high profile ones that are used by tons of developers so Apple is forcing their hands to comply. It is still a best practice for all libraries to provide the privacy manifest.

The intent is to make the ecosystem a safer place for users, as well as developers. The digital signature part of the manifest is designed to detect dependency graph injections / attacks.

IMHO, all third party libraries should do this. I remember back in the day some SDK was using Location APIs but didn't disclose it in their compiled binary which forced my team to add a location usage description string even though we didn't use location.

You don't want to be the SDK that costs developers HOURS trying to figure out why their code is rejected by Apple app processing for using a required reason API when their code doesn't do it, but your library does.

I see that TrustKit is using NSUserDefaults, thus the SDK needs a privacy manifest.
https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api

Hello, I have submitted a PR to resolve the issue at hand. As noted in the body of the PR, it would be helpful if we could consider together whether the NSPrivacyAccessedAPITypeReasons I selected are appropriate. #325