I have an app that is getting rejected from TestFlight because of this error: ITMS-90683: Missing purpose string in Info.plist - Your app’s code references one or more APIs that access sensitive user data, or the app has one or more entitlements that permit such access. The Info.plist file for the “TurtleTuner.app” bundle should contain a NSCameraUsageDescription key with a user-facing purpose string explaining clearly and completely why your app needs the data. If you’re using external libraries or SDKs, they may reference APIs that require a purpose string. While your app might not use these APIs, a purpose string is still required. For details, visit: https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/requesting_access_to_protected_resources. The app does not use the camera, only the microphone. I cannot find references to the camera in any of the third party libraries I'm using. What are some ways to troubleshoot this beyond looking for "camera" in the few dependencies? For context, this commit allows the app to get through successfully to TestFlight: https://github.com/tsargent/turtle-tuner/commit/67d4a52e62839ad6c2a49848bea9c408d983f17a While this following commit, which reverts the commit, fails on TestFlight with the mentioned camera permission error: https://github.com/tsargent/turtle-tuner/commit/c95b0b16c4e85d77e625d36b816ed53faa826cf5

Hello Everyone, Is there any method or callback event to obtain the current time and date mode (Automatic or Manual) in Swift? In Android, Settings.Global.AUTO_TIME is used for the same. Could anyone advise on the equivalent functionality or approach for iOS development? Thanks in advance!

Hello, according to this doc Apple will begin blocking app store submissions in Spring 2024 when an application or one of its 3rd-party SDKs calls certain iOS/iPadOS system APIs without declaring a reason for doing so via a privacy manifest. It seems that for framework and app targets, adding a privacy manifest is relatively straightforward: Add the xcprivacy file to the project and make it a member of the appropriate build target. For apps and fameworks, this will cause the privacy manifest to be copied into the root directory of the .app or .framework bundle at build time. I work on a SDK which ships to application developers as a static library (.a) bundled within a xcframework. It seems that Xcode will not allow a privacy manifest file to be added as a member of a static library target. Which I assume is because when compiled, a static library build target does not produce a bundle like a ".app" or ".framework" which you'd get when compiling an app or framework target. Just a standalone (.a) file. What is the recommended way for developers of static libraries to provide application developers with a privacy manifest for their SDK? Is there a mechanism for including the privacy manifest somewhere within the xcframework bundle at the time it is created for the static lib, so that it automatically gets copied into an application which may link to it? If not, can the privacy manifest be included in a resource bundle which we already provide to our partners along with the static lib? Or does the manifest need to exist within the root directory of the application bundle since the contents of the static lib will ultimately get embedded into the app binary? If that is the case, do we need to provide our app partners with a separate standalone xcprivacy file, which they would need to incorporate into their project?

Current situation. I'm using third-party sdk make by myself with my app. my app use UserDefaults api, and My sdk(framework) too Recently, apple store policy changed, apple says If you use "Userdefaults API", Include Privacy Manifest. As a result My app including two Privacy manifest If I create 10 SDKs, and all of these SDKs use "Userdefaults API", and one app itself also uses the "Userdefaults API", is it correct to include 11 "Privacy manifests" in this app?

Hello, I am developing a smartcard CTK extension for macOS. I have trouble to smartcard logon the first time after a reboot or a logout (e.g. when there is the text "Your password is required to enable touch id"). Trouble = I'm not asked for the PIN. But time to time after a logout (from whatever account), I can login with the smartcard. After a lockscreen I can always login with the smartcard. Is there an easy way to debug the logon process ? Regards, ++dom

Hi! In the team I work with, we develop an sdk for iOS which has support for two internal variations, one with basic capabilities and another with full ones, embedded in the same xcframework. The thing is with the privacy manifest change in the horizon, we are wondering if the sdk in the basic version can have a manifest with some values and the manifest in the sdk full version can have a different value, since the capabilities enabled in one may have different nutrition label types values than the other. Is that scenario feasible, or there is a different way for this situation? Thanks

What is the difference between ASPasskeyCredentialIdentity.userName and ASPasskeyCredentialIdentity.user ? From https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialuserentity-displayname there should be only displayName.

We are trying to integrate "Sign in with Apple" and are facing an issue where all users who chose to use Apple's private relay with the hide my email feature are unable to receive any mail sent by us. We have added our domain, mail from domain & email address to https://developer.apple.com/account/resources/services/configure and also verified the SPF. We also have DKIM setup. We use SES as our email provider and have added its SPF as recommended aswell. I have attached a sample delivery log from SES below. {"notificationType":"Delivery","mail":{"timestamp":"2024-01-17T10:20:07.592Z","source":"\"Redacted\" <admin@redacted>","sourceArn":"arn:aws:ses:ap-south-1:redacted:identity/redacted","sourceIp":"34.redacted","callerIdentity":"redacted-ses","sendingAccountId":"redacted","messageId":"redacted","destination":["redacted@privaterelay.appleid.com"]},"delivery":{"timestamp":"2024-01-17T10:20:12.385Z","processingTimeMillis":4793,"recipients":["redacted@privaterelay.appleid.com"],"smtpResponse":"250 2.0.0 Ok: queued as redacted","remoteMtaIp":"redacted","reportingMTA":"redacted.smtp-out.ap-south-1.amazonses.com"}}

The sign in with Apple prereqs state that: you must have an existing app in the App Store that uses Sign in with Apple If you want to support sign in with apple on a website but do not need an iOS app specifically for that website is possible to have a "dummy" app that isn't released to the app store but will serve to support sign in with Apple?

For a security product, I wonder if security extension has a capability to catch a file during copy operation (I guess it's composed out of multiple basic ops like file read and file write). I'd like to store the file in some quarantined temporal (let's say when someone copy file from external file system like usb/network location and copy it back once the file has properly scanned. So far, i've used the authorization capabilities of the security extension. I wonder if there's also an option to change the target location of a file being copied ? Thanks.

Hey all, so I currently have a passkey provider application on iOS that works for every RP except for google. I found this post here saying the AttestationObject needs to be an ordered dictionary and can confirm on https://webauthn.me/debugger that my object is an ordered dictionary in the correct format. However, google fails to create the key every time saying generically the passkey can't be saved at this time. I'm just curious if there is something unique about google, like are they maybe whitelisting providers? Or do they require something extra that I need to send? I can't find any other information for why google wouldn't work while everyone else does. Thanks in advance for any help!

We develop SDKs that are distributed as XCFramework to our clients. We seek clarification regarding the necessity of attaching a Privacy Manifest, especially in instances where our SDK does not interact with data that would typically be covered under such a manifest. Additionally, in the scenario where our SDK's primary function is the transmission and reception of data, which may potentially include personal data, are we required to declare in the Privacy Manifest that we handle personal information? This query persists even when all personal data processing is executed on the server side. From our current understanding, based on the information available at https://developer.apple.com/support/third-party-SDK-requirements/, it appears that SDKs are only obligated to have a signature, and incorporating a Privacy Manifest may not be compulsory. We would appreciate further insight or confirmation on this matter.

For example my app is using Firebase and Alamofire. Still I could find the Manifest files for the above SDKs. What would be impact on app if the above api's is not updated with their Manifests.

Hi Team, 

I am developing a sample authPluggin which should connect to a mobile app via bluetooth connection, 
So here are the scenario

 Authplugin with Bluetooth connection shoould work on lockscreen+login 

I have created mechanism- prepared:privillaged, main, clean:Privilaged Calling corebluetoothmanager initiation at the time of prepared:privilaged mechanism I have to add my auth plugin’s mechanism before loginwindow:success mechanism

 But I always gets unauthorized = 3, from power state of bluetooth

 Note: With App, bluetooth connection is working fine, Its giving error with authPlugin How to achieve my ultimate goal, is this the right way?

Hello, I am creating this post to ask if there is any plan for bringing the Attestation Service support for macOS or any plans for supporting it in macOS. We implemented it in iOS and it increased the security for our users and partners but we are evaluating deprecated macOS and keeping only Windows and linux because of this restriction on the Attestation Service... if you recommend any other provider to attest the device please bring me some recommendations.

Are a privacy manifest and signature required for any SDKs other than those listed on the following page? https://developer.apple.com/jp/support/third-party-SDK-requirements/ We integrate the LINE SDK for Unity (https://developers.line.biz/ja/docs/line-login-sdks/unity-sdk/overview/) in our apps. LINE SDK for Unity uses an API corresponding to the Required Reason API on the following page. https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api Can you please let us know whether a privacy manifest and signature are required for this third-party SDK as well? Thank you in advance for your attention to this matter.

Our company has a library that can be used internally. This is being used as a .a file. The languages are in C and C++. C code contains stat. Is this the same stat as Apple refers to?? How do you solve this??

I am encountering an issue with accessing the system keychain on macOS [macOS 13.6.3]. When running our product, the following error message is logged: [com.apple.securityd:secitemratelimit] Not internal release, disabling SIRL [com.apple.securityd:keychain] System Keychain Always Supported set via feature flag to disabled As a result, our product is unable to access the system keychain, which is impacting functionality. Note: In many other devices this issue is not seen. Steps to Reproduce: The moment pkg is installed it creates a key in keychain. For an affected device SecItemCopyMatching is returning errSecInteractionNotAllowed Question: Is there a way to enable the system keychain access or address the issue with the feature flag being disabled? Are there any suggestions or recommendations for handling this case? Any assistance or guidance on resolving this issue would be greatly appreciated. Thank you in advance for your help.

How to make an APP offer to save access credentials in the iCloud keychain

Hello, I have questions regarding the Privacy Manifest compliance, If I am using an third party SDK's, listed in the document should have their own manifest file? Or in our app manifest we can include the details collected by the SDK's if the SDK's doen't have their manifest file? Do we have any other options if the listed SDK's doesn't conatins the manifest file, can handle with our application manifest? Thanks!