ios – Unexpectedly Lacking API Declaration: Understanding Apple’s new Privateness Manifest Guidelines

To start with I apologize to everybody for the lengthy query I’m going to ask, however I believed it will be higher to let you know my query and what I’m engaged on to resolve it.

You might have heard about Apple’s new Privateness Manifest requirement for brand new apps to be launched to the app retailer. After I heard about it, I made an inventory of all dependencies utilized in my venture after which up to date them to the variations that embody the Privateness Manifest file. Since I solely use UserDefaults in my venture, which is among the required cause APIs specified by Apple, I added it and my cause for utilizing it within the Privateness Manifest file.

After I launched a bundle with this growth, I obtained a brand new notification electronic mail from Apple saying that whereas they was once upset with me about UserDefaults, they’re now not, so it appears that evidently Apple has accepted my cause for utilizing UserDefaults within the software.

Nevertheless, Apple was additionally upset about Required Purpose APIs on this checklist that I do not really use (e.g. SystemBootTime API, DiskSpace API, FileTimestamp API).

I considered what could possibly be inflicting this.

• To start with, it could possibly be that one of many dependencies I exploit did not specify the Required Purpose API within the Privateness Manifest file or specified it incorrectly.

  • Nevertheless, I did not assume this was doubtless as a result of I am utilizing frequent dependencies (e.g. Firebase, Alamofire, Lottie, and many others.) and I did not discover any points within the repos for them.

• Then it occurred to me that we’ve got a binary dependency embedded statically within the venture. I regarded on the repo of this dependency and within the newest variations they added the Privateness Manifest file, however they added an empty privateness manifest file.

  • This SDK is definitely a service that we purchased as an organization. Due to this fact, I do not assume there can be an issue. If they do not use Required Purpose API, I feel it may well’t be the reason for the mail. Nonetheless, our Enterprise Analysts will contact the SDK house owners.

• Then I noticed that though it’s on the checklist of SDKs that Apple requires to incorporate a privateness manifest, I couldn’t replace it. That is nanopb. Truly, this isn’t a direct dependency of mine, however it’s a dependency of Firebase.

  • Like nanopb, there are different packages which can be depending on Firebase and are listed by apple (e.g. abseil, Guarantees, GTMSessionFetcher and many others.) These are included as SPMs within the Package deal.swift file of Firebase that I’ve added to my venture, with particular model ranges. If I replace it, I get the most recent model of the suitable SPM model.

For instance guarantees had been added for Firebase 10.16.0 as follows. The earlier model didn’t have the Privateness Manifest. So I up to date it to 2.4.0 by doing Challenge Navigator > Package deal Dependencies > Replace To Newest Package deal Variations on Xcode.

.bundle(
      url: “https://github.com/google/guarantees.git”,
      “2.1.0” ..< “3.0.0”
    ),

This model included the Privateness Manifest, which solved my drawback. However for nanopb the state of affairs is as follows and no model of nanopb offers Privateness Manifest. I am not even certain if there’s a model of nanopb just like the one beneath.

.bundle(
      url: “https://github.com/firebase/nanopb.git”,
      “2.30909.0” ..< “2.30910.0”
    ),

After I did some analysis on the difficulty, I got here throughout one thing like this.

The Google developer wrote “This bug will be closed as a result of this repo doesn’t launch a binary distro of nanopb for Apple platforms.” in response to the difficulty.

However as a non-native English speaker, I do not perceive this clarification.

In consequence, Apple acknowledged within the mail that I used to be utilizing these Required Purpose APIs (I’ll give an instance of the mail beneath). I attempted to search out it though it was not the case. Three potentialities got here to my thoughts and I considered these potentialities.

Lastly, I made a decision to seek the advice of you.

1. What do you assume is inflicting this (is it broadly used sdk’s that don’t specify or incorrectly specify the explanation for utilizing required cause api’s? is it static library? is it nanopb?)

2. Is there any method to see Apple’s analysis on this notification electronic mail with out releasing the bundle? Will I check whether or not I’ve fastened this or not by continually releasing packages?

Any feedback can be very appreciated. Thanks very a lot upfront for all of your feedback and solutions!

E mail (Think about that the equal exists within the SystemBootTime API and DiskSpace API beneath.):

ITMS-91053: Lacking API declaration – Your app’s code within the “MyAppName” file references a number of APIs that require causes, together with the next API classes: NSPrivacyAccessedAPICategoryFileTimestamp. Whereas no motion is required at the moment, beginning Could 1, 2024, once you add a brand new app or app replace, you should embody a NSPrivacyAccessedAPITypes array in your app’s privateness manifest to offer authorized causes for these APIs utilized by your app’s code. For extra particulars about this coverage, together with an inventory of required cause APIs and authorized causes for utilization, go to: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api

Truly, I discussed what I attempted whereas describing the issue, however to clarify briefly:

• I checked the dependencies used within the venture to make it possible for they appropriately specify the required cause APIs of their privateness assertion recordsdata.

• I checked a binary dependency that was statically positioned within the venture and verified that the brand new model contained the required privateness manifest file however an empty Privateness Manifest. I reached out to the SDK house owners for clarification.

• I investigated the nanopb dependency and checked the problems within the repos for updates on the privateness manifest integration for the nanopb dependency.