Preparing for iOS 17: Privacy manifests, SDK signatures, and API required reasons
Announced at Apple’s WWDC23 in June this year, iOS 17 (currently in public beta) is scheduled for release in September. Among a swathe of information on feature upgrades for users came the key set of updates for mobile app marketers and developers—details regarding what’s new in privacy on the App Store.
Update: Apple announced at their Wanderlust event on September 12 that iOS 17 will be released on Monday, September 18. Note that the privacy changes detailed below won’t be enforced until Spring 2024.
iOS 17’s privacy updates aim to ensure that app users understand how developers collect and share data, that they have a clear oversight of third party SDK activities, and that everything is declared and reported. The new privacy manifests, in which the new required reason APIs will be included, are designed to make it easier for developers to create accurate Privacy Nutrition Labels (more below).
These changes further align the App Store with Apple’s App Tracking Transparency (ATT) framework and privacy vision. Let’s take a look at how it all works.
What are privacy manifests?
Privacy manifests are designed to help developers gain clarity over how third-party SDKs use data. Xcode will combine privacy manifests provided by SDKs and send it to the developer in one easy-to-use PDF report (Privacy Report) when publishing the app to the App Store. This comprehensive, aggregated report enables developers to create accurate Privacy Nutrition Labels.
Wait, what is a Privacy Nutrition Label?
Introduced with iOS 14, Privacy Nutrition Labels are an App Store feature aimed at providing users with enhanced transparency regarding the data that an app collects from their device, along with how that data is used. They offer standardized information to help users make informed decisions.
App developers are responsible for providing accurate information in these labels, which is what privacy manifests are designed to further enable.
In short, all apps and SDKs will need to create privacy manifests to provide full transparency regarding what they collect and what they track.
The Privacy Report generated, which combines the privacy manifests of all third-party SDKs in the app, is easily accessible by developers. The standardized information makes it easier to review, understand, and describe the privacy practices of the individual app itself, as well as those of any integrated SDKs.
Some of the critical pieces of information that will need to be outlined by all SDKs (for apps being newly published or updated) in their privacy manifests include:
1. Required reasons for APIs
This new category of APIs, designed specifically to further combat the use of Apple’s long banned fingerprinting, will need to be declared. Apps referencing such APIs will be required to state an allowed reason in the privacy manifest.
On July 27, Apple published the list of APIs that require reasons along with some more details. Starting with iOS 17, when you upload a new app or app update to App Store Connect that uses an API from the list, you will receive a notice if you haven’t provided an approved reason in your privacy manifest. Spring 2024 onward is when the approved reason will be required to update or upload at all.
For the time being, if you’re using one of the APIs listed by Apple, you can also submit feedback requesting new approved reasons to be added. For the relevant APIs used by Adjust's iOS SDK, we have identified the approved reasons to be reflected in the privacy manifest.
2. Data usage categories
Apart from the required reasons, Apple has asked app developers to add a ‘dictionary’ in the privacy manifest explaining the usage of specific categories of data that their app or third-party SDK collects.
This dictionary needs to contain the following four keys:
- Indicates the type of data collected.
- Shows whether the data is linked to end-users’ identities.
- Reveals if the data is used to perform any type of tracking.
- Lists the reasons for which the data is collected.
For the latter, Apple has predefined a set of purposes. A dictionary will also be provided in the privacy manifest for Adjust’s iOS SDK. To see the categories of data our SDK collects, please see the following article on our Help Center.
3. Preventive blocking
Apple will require app developers to provide transparency on the usage of external domains in apps and third-party SDKs. In the privacy manifest, a list should be included that identifies all external domains that could be used for tracking purposes. Depending on the data, some of these domains may be subjected to preventive blocking until the user has provided ATT consent.
In terms of how we’re approaching this at Adjust, we’re working to ensure that our technology complies with Apple’s latest privacy guidelines and ATT requirements as of iOS 17. Clients can be confident that our measurement functionalities will remain unaffected and that we can continue to support their growth, just as we have since the release of iOS 14.
Privacy-impacting SDKs and new SDK signatures
iOS 17 also comes with new SDK signatures, which will allow new versions of third-party SDKs to be signed and verified by Apple. So, when a new version of an SDK is installed, Xcode will verify that it was signed by the same developer. The goal here is to improve clarity and integrity in the software supply chain.
Apple has identified some third-party SDKs within the app ecosystem that have a particularly high impact on user privacy. The list of these SDKs will be made available later this year.
From iOS 17 onward, these will be categorized and referred to by Apple as privacy-impacting SDKs. Apps that include a privacy-impacting SDK will be required to include a copy of that SDK with a privacy manifest. All SDKs are encouraged to include a signature as best practice, and apps that include a privacy-impacting SDK are also required to ensure that it is signed.
Getting ready for iOS 17 with Adjust
As we await more detailed information from Apple, including the list of privacy-impacting SDKs, and further insight into tracking domains, Adjust is prepared to fully support clients to avoid any road bumps as a result of the iOS 17 privacy updates. Until the technical specifications and lists are published, you can already learn more about privacy manifests or check out Apple’s information on verifying app dependencies with digital signatures.
For more personalized information on how we can support you to prepare for iOS 17, get in touch with your Adjust contact person or feel free to request a demo.
Craving monthly app insights? Subscribe to our newsletter.