APPLE USER PRIVACY & DATA USE UPDATE

Computer Screen with Code

Starting May 1, 2024, Apple will enforce updated privacy requirements for developers, focusing on APIs with potential misuse for fingerprinting—prohibited under the Developer Program License Agreement—and third-party software development kits (SDKs).

Required Reason API

Apple’s announcement in July 2023 mandates developers to justify the use of specific APIs in their app’s privacy manifest. Previously, Apple only notified developers of missing information without taking further action. From May 1, 2024, apps lacking a description of their use of required reason APIs in their privacy manifest will be rejected by App Store Connect.

These APIs are categorized as follows:

  • File timestamp APIs
  • System boot time APIs
  • Disk space APIs
  • Active keyboard APIs
  • User defaults APIs

Developers must match each API with specific reasons for use. For a comprehensive list of APIs and their approved reasons, developers are directed to consult Apple’s official documentation

Developers that use the Required reason APIs required to add a dictionary to the NSPrivacyAccessedAPITypes array within the app’s privacy manifest file, for each category of required reason API utilized, detailing the reasons for using that API category. If a third-party SDK code uses the API, this must be reported in the SDK’s privacy manifest as well.

Third-Party SDKs

To enhance privacy transparency regarding SDK use, apps incorporating any SDK from a specified list by Apple (detailed below) must include a privacy manifest for each SDK. Moreover, when these SDKs are incorporated as binary dependencies, developers are required to utilize “SDK Signatures” for validation.

This move by Apple aims to increase transparency and protect user privacy by ensuring developers and third-party SDKs disclose and justify their use of sensitive APIs.

You may find more information here.

List of SDK

  • Abseil
  • AFNetworking
  • Alamofire
  • AppAuth
  • BoringSSL / openssl_grpc
  • Capacitor
  • Charts
  • connectivity_plus
  • Cordova
  • device_info_plus
  • DKImagePickerController
  • DKPhotoGallery
  • FBAEMKit
  • FBLPromises
  • FBSDKCoreKit
  • FBSDKCoreKit_Basics
  • FBSDKLoginKit
  • FBSDKShareKit
  • file_picker
  • FirebaseABTesting
  • FirebaseAuth
  • FirebaseCore
  • FirebaseCoreDiagnostics
  • FirebaseCoreExtension
  • FirebaseCoreInternal
  • FirebaseCrashlytics
  • FirebaseDynamicLinks
  • FirebaseFirestore
  • FirebaseInstallations
  • FirebaseMessaging
  • FirebaseRemoteConfig
  • Flutter
  • flutter_inappwebview
  • flutter_local_notifications
  • fluttertoast
  • FMDB
  • geolocator_apple
  • GoogleDataTransport
  • GoogleSignIn
  • GoogleToolboxForMac
  • GoogleUtilities
  • grpcpp
  • GTMAppAuth
  • GTMSessionFetcher
  • hermes
  • image_picker_ios
  • IQKeyboardManager
  • IQKeyboardManagerSwift
  • Kingfisher
  • leveldb
  • Lottie
  • MBProgressHUD
  • nanopb
  • OneSignal
  • OneSignalCore
  • OneSignalExtension
  • OneSignalOutcomes
  • OpenSSL
  • OrderedSet
  • package_info
  • package_info_plus
  • path_provider
  • path_provider_ios
  • Promises
  • Protobuf
  • Reachability
  • RealmSwift
  • RxCocoa
  • RxRelay
  • RxSwift
  • SDWebImage
  • share_plus
  • shared_preferences_ios
  • SnapKit
  • sqflite
  • Starscream
  • SVProgressHUD
  • SwiftyGif
  • SwiftyJSON
  • Toast
  • UnityFramework
  • url_launcher
  • url_launcher_ios
  • video_player_avfoundation
  • wakelock
  • webview_flutter_wkwebview

This document is intended to provide only a general background regarding this matter. It should not be regarded as setting out binding legal advice but rather as a practical overview based on our understanding of applicable regulations.

Regards, 
Cyber, Technology, Compliance and Regulation team
Shibolet & Co.

Related News