On May 1, 2024, the App Store will implement a new privacy mandate for app submissions, significantly altering the submission process for developers. This initiative builds on Apple’s ongoing commitment to enhancing user privacy and security, marking a critical evolution in how developers must approach app submissions.
Background on App Store Privacy Initiatives
Apple has continually integrated robust privacy and security measures to protect users and enhance transparency and control. Features such as Privacy Nutrition Labels and App Tracking Transparency have set industry standards. These initiatives are foundational in maintaining user trust and securing personal data within the app ecosystem.
Detailed Explanation of the New Privacy Requirement
The forthcoming changes pertain primarily to the inclusion and use of third-party SDKs in apps. Starting May 1, 2024, developers submitting new or updated apps that include newly added third-party SDKs from a predetermined list will need to meet the following requirements:
- Required reasons for each listed API.
- Privacy manifests documenting data usage.
- Valid signatures for SDKs added as binary dependencies.
Specifics of the New Mandate
The new requirements stipulate:
- Reasons for API Usage: Developers must now provide explicit reasons for the use of each API included in their app submissions.
- Privacy Manifests: Privacy manifests are newly required and must outline how each third-party SDK utilizes data.
- Signature Validity: Third-party SDKs added as binary dependencies must have valid signatures to be accepted.
Failure to comply with these requirements will result in app rejections. Specifically, apps will be rejected if:
- They lack a reason for a listed API.
- The code is part of a dynamic framework embedded via the Embed Frameworks build phase and involves a newly added SDK.
Impact on Developers
These new mandates will require developers to:
- Thoroughly document the use and necessity of APIs.
- Implement and maintain up-to-date privacy manifests.
- Ensure all third-party SDKs are properly signed and verified.
Step-by-Step Compliance Guide
To comply with the new mandates, developers should:
- Document API Usage: Provide comprehensive reasons for each API used, linked directly to app functionality.
- Create Privacy Manifests: Develop manifests that clearly describe data handling and privacy implications of third-party SDKs.
- Verify SDK Signatures: Ensure that all SDKs have valid signatures before submission.
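One way to pre-check the first two steps before submission, as an added example that is not Apple's tooling or code from the original article: it parses a privacy manifest (`PrivacyInfo.xcprivacy`) and flags API categories that are declared without a reason or used but not declared. The sample manifest is constructed, and `audit_manifest` and the `used_categories` inventory are hypothetical names.

```python
import plistlib

# Constructed sample: privacy manifest of a hypothetical third-party SDK.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSPrivacyTracking</key><false/>
  <key>NSPrivacyAccessedAPITypes</key>
  <array>
    <dict>
      <key>NSPrivacyAccessedAPIType</key>
      <string>NSPrivacyAccessedAPICategoryUserDefaults</string>
      <key>NSPrivacyAccessedAPITypeReasons</key>
      <array><string>CA92.1</string></array>
    </dict>
    <dict>
      <key>NSPrivacyAccessedAPIType</key>
      <string>NSPrivacyAccessedAPICategoryFileTimestamp</string>
      <key>NSPrivacyAccessedAPITypeReasons</key>
      <array/>
    </dict>
  </array>
</dict>
</plist>"""


def audit_manifest(raw, used_categories):
    """Return findings for a privacy manifest given as plist bytes.

    used_categories is the developer's own inventory (an assumption of this
    example) of required-reason API categories the code actually calls.
    """
    findings = []
    manifest = plistlib.loads(raw)
    declared = {}
    for entry in manifest.get("NSPrivacyAccessedAPITypes", []):
        category = entry.get("NSPrivacyAccessedAPIType", "<missing type>")
        reasons = entry.get("NSPrivacyAccessedAPITypeReasons", [])
        declared[category] = reasons
        if not reasons:
            # An entry with an empty reasons array still lacks a reason.
            findings.append(f"{category}: declared without a reason")
    for category in sorted(set(used_categories) - set(declared)):
        findings.append(f"{category}: used but not declared")
    return findings
```

Run it against each SDK's manifest as well as the app's own, since the requirements listed above apply per SDK.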
Future Implications
Looking ahead, these requirements will expand to include the entire app binary, emphasizing the need for developers to review and rationalize the use of all APIs and SDKs within their apps.
Developer Resources and Support
Developers can access a range of resources through App Store Connect, including:
- Detailed guides on API documentation.
- FAQs addressing common questions about privacy manifests.
- Direct support channels for submission queries.
MacReview verdict
This new mandate represents a significant shift in the App Store’s approach to privacy and security. By adhering to these new guidelines, developers not only comply with Apple’s policies but also contribute to a safer, more transparent app marketplace.