I am currently working as a app developer, and want to about what’s the definition of "third-party SDK" that as mentioned in the WWDC23. From the Privacy manifest files | Apple Developer Documentation, We can say that the following targets require a privacy manifest:
Apps and third-party SDKs — distributed as XCFrameworks, Swift packages, or framework bundles — can contain a privacy manifest file
From my understanding, any external library we used in our app qualifies as a third-party SDK. Consequently, they should all contain a Privacy Manifest.
However, my concern is that in our app. We do use some old libraries that have not been updated for like 2-4 years(e.g. ColorAssetCatalog, KeychainAccess). Under this situations, I would like to know that:
- Does these open-source libraries that does not collect any data that Apple mentioned (including Required Reason API, tracking domain), and only provide source code, require the Privacy Manifest?
- Secondly, would the lack of a privacy manifest in a third-party SDK we used in our app result in failing the app review?
I fully understand that Apple wants to ensure our apps are as transparent as possible, but the details are lacking. Even now, I still can’t find a list of "Privacy-Impacting SDKs" or any specific information about them.
I would greatly appreciate it if anyone could provide further information or insights on this topic. Many thanks in advance.
2
Answers
Apple has included the list here(https://developer.apple.com/support/third-party-SDK-requirements/) of SDKs that require a privacy manifest and signature and you can use Xcode 15 to add PrivacyInfo.xcprivacy (https://developer.apple.com/documentation/bundleresources/privacy_manifest_files)and follow the steps in the https://developer.apple.com/videos/play/wwdc2023/10060/ to get the requirement fulfilled.
Apple requires a Privacy Manifest for any app dependent on the SDK List defined on their website. These SDKs should have released (or will be soon releasing) an updated version of their SDK that provides a privacy manifest. A nice, potentially incomplete compilation of status is available here.
In order to use those SDKs in your application and create a privacy manifest, you will need to update your app to that new version of the SDK. For status updates or details, highly recommend pinging the developers directly on Github!