Preparing for iOS 17: Privacy manifests, SDK signatures, and API required reasons

iOS 17’s privacy updates aim to ensure that app users understand how developers collect and share data, that they have a clear oversight of third party SDK activities, and that everything is declared and reported. The new privacy manifests, in which the new required reason APIs will be included, are designed to make it easier for developers to create accurate Privacy Nutrition Labels (more below).

These changes further align the App Store with Apple’s App Tracking Transparency (ATT) framework and privacy vision. Let’s take a look at how it all works.

In short, all apps and SDKs will need to create privacy manifests to provide full transparency regarding what they collect and what they track.

The Privacy Report generated, which combines the privacy manifests of all third-party SDKs in the app, is easily accessible by developers. The standardized information makes it easier to review, understand, and describe the privacy practices of the individual app itself, as well as those of any integrated SDKs.

Some of the critical pieces of information that will need to be outlined by all SDKs (for apps being newly published or updated) in their privacy manifests include:

1. Required reasons for APIs

This new category of APIs, designed specifically to further combat the use of Apple’s long banned fingerprinting, will need to be declared. Apps referencing such APIs will be required to state an allowed reason in the privacy manifest.

On July 27, Apple published the list of APIs that require reasons along with some more details. Starting with iOS 17, when you upload a new app or app update to App Store Connect that uses an API from the list, you will receive a notice if you haven’t provided an approved reason in your privacy manifest. Spring 2024 onward is when the approved reason will be required to update or upload at all.

For the time being, if you’re using one of the APIs listed by Apple, you can also submit feedback requesting new approved reasons to be added. For the relevant APIs used by Adjust's iOS SDK, we have identified the approved reasons to be reflected in the privacy manifest.

2. Data usage categories

Apart from the required reasons, Apple has asked app developers to add a ‘dictionary’ in the privacy manifest explaining the usage of specific categories of data that their app or third-party SDK collects.

This dictionary needs to contain the following four keys:

1. Indicates the type of data collected.
2. Shows whether the data is linked to end-users’ identities.
3. Reveals if the data is used to perform any type of tracking.
4. Lists the reasons for which the data is collected.

For the latter, Apple has predefined a set of purposes. A dictionary will also be provided in the privacy manifest for Adjust’s iOS SDK. To see the categories of data our SDK collects, please see the following article on our Help Center.

3. Preventive blocking

Apple will require app developers to provide transparency on the usage of external domains in apps and third-party SDKs. In the privacy manifest, a list should be included that identifies all external domains that could be used for tracking purposes. Depending on the data, some of these domains may be subjected to preventive blocking until the user has provided ATT consent.

In terms of how we’re approaching this at Adjust, we’re working to ensure that our technology complies with Apple’s latest privacy guidelines and ATT requirements as of iOS 17. Clients can be confident that our measurement functionalities will remain unaffected and that we can continue to support their growth, just as we have since the release of iOS 14.