Embrace the Evolution: Preparing Your iOS App for the “Required Reason API”
Fingerprints everywhere

Embrace the Evolution: Preparing Your iOS App for the “Required Reason API” and learn about Privacy Manifests

Jochen Holzer

--

Since iOS 14.5 the IDFA for user identification can only be used with the user’s permission. It seems that as a consequence, some apps have used (forbidden) fingerprinting to make devices uniquely identifiable.
Therefore, Apple now introduces new measures to protect the user’s privacy and to avoid fingerprints that makes a device identifiable across app boundaries.

How do fingerprints work?
Fingerprints are unique identifiers used to distinguish devices from one another. They are created by combining various parameters such as the operating system’s uptime, remaining disk space and other device-specific details. This amalgamation generates a distinctive fingerprint for each device. By utilizing these fingerprints, 3rd Party Tracking SDKs integrated into different apps can determine if they are operating on the same device.

To make fingerprinting more difficult Apple introduced the required reason API.
This contains API calls that can be used (in combination) to create a fingerprint of the device.
If an app uses functions/ properties from the required reason API, the reason must be explained in the privacy manifest.

When does it need to be implemented?

In 2023 Apples said:

From Fall 2023 you’ll receive an email from Apple if you upload an app to App Store Connect that uses required reason API without describing the reason in its privacy manifest file. From Spring 2024, apps that don’t describe their use of required reason API in their privacy manifest file won’t be accepted by App Store Connect.

Update: By May 1, 2024, all applications must be updated and equipped with a PrivacyInfo.xcprivacy file containing accurately completed privacy information.

Hands on — How to implement it

Step 1: Find out if your app uses required reason API

First, we want to find out if our app uses required reason API at all. You could manually examine your Xcode project to see if it uses required reason API by checking your code against the list on this website.

The easier way to get a quick overview is to use the following bash script. The scan is very rudimentary and based on comparing strings, but should be very helpful for a first analysis.

  1. Download the file required_reason_api_scanner.sh
  2. Run the analysis by executing

sh required_reason_api_scanner.sh YourAppDirectory

3. The script will output something like this:

Found potentially required reason API usage 'UserDefaults' 
in './ViewController.swift' Line numbers: 128

If you find out that “required reason API” was found in code of 3rd party libraries you can exclude them from the analysis.
Just modify line 4. e.g.:

excluded_dirs=("Pods" "3rdPartyLibs")

Step 2: Provide Reason Apps Privacy Manifest

Now that we have identified the use of the “required reason API” it is time to create the app privacy manifest:

  1. Create a privacy manifest file (only Xcode 15 (Beta) supports the Resource/App Privacy Template):
    In Xcode choose File > New File, and scroll down to the Resource section. Select the App Privacy file type, click Next, then click Create.

2. This is what our PrivacyInfo.xcprivacy file should look like:

The easiest way to do this is to edit the source code of PrivacyInfo.xcprivacy file.
Select the PrivacyInfo.xcprivacy file in Xcode, Right Click -> Open as source code. Then paste the following source Code and adapt it to your “Required Reason API” usage.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>NSPrivacyAccessedAPITypes</key>
<array>
<dict>
<key>NSPrivacyAccessedAPIType</key>
<string>NSPrivacyAccessedAPICategoryUserDefaults</string>
<key>NSPrivacyAccessedAPITypeReasons</key>
<array>
<string>CA92.1</string>
</array>
</dict>
</array>
</dict>
</plist>

You can find the values for the justifications (such as “CA92.1”) on this page.

Mick Byrne has implemented a privacy manifest generator – checkout his post.

3rd Party Libs

Third-party SDKs need to provide their own privacy manifest files that record the types of data they collect. Your app’s privacy manifest file doesn’t need to cover data collected by third-party SDKs that your app links to.

Finally…

And there you have it, dear Swift-wielding wizards of iOS development! You’ve now unlocked the magical mysteries of the required reason API. May your apps be forever bug-free, and your Xcode compiler never throw tantrums!

If you have any questions or need further guidance, don’t hesitate to reach out. Happy coding, and may your coffee stay hot and your code run smoothly!

Thanks for reading, and remember: “Swift”-ly conquer those challenges in your app-making adventures! 🚀

🔔 Be sure to take a look at this articles if you’re encountering any hiccups or glitches with the Privacy Manifest. It’s a comprehensive resource, gathering both problems and solutions on the topic!

Useful Links

https://github.com/Wooder/ios_17_required_reason_api_scanner/

https://developer.apple.com/documentation/bundleresources/privacy_manifest_files

https://developer.apple.com/documentation/bundleresources/privacy_manifest_files

https://www.wwdcnotes.com/notes/wwdc23/10060/

https://jochen-holzer.medium.com/essential-utilities-for-ios-developers-part-1-fabe6f5ddd24?source=friends_link&sk=4b1a338fb5c6a14e52472fe8138ffcbb

--

--

Jochen Holzer
Jochen Holzer

Written by Jochen Holzer

"Seasoned (iOS) Engineer. Expert in the Apple Universe, Mobile DevOps and App Maintenance.