Developers of iOS apps and SDKs should mark their calendars for upcoming changes to Apple privacy requirements and block out time to become familiar with them, or risk App Store rejections.
At the Worldwide Developers Conference (WWDC) 2023 in June, Apple announced new initiatives to increase transparency about mobile app privacy. Mobile app developers will be required to submit a privacy manifest that details their data collection practices and usage when they add or update an iOS app in App Store Connect, the platform used to publish apps and track their performance in the App Store.
NowSecure Chief Technology Officer David Weinstein recently briefed the mobile app community about the evolution of Apple privacy practices at the NowSecure Connect: Stranger Vulns 2 mobile app security testing and mobile DevSecOps virtual conference. In the “Privacy in Mobile: New Mandates & NowSecure Innovations” session available for replay, the NowSecure CTO explained the coming privacy changes and previewed a new solution that aids developers in verifying the security and privacy posture of all third-party components they use to build their mobile apps.
Weinstein reiterated that, per the App Store Review Guidelines, developers are responsible for all code in their iOS apps, both the first-party code they write and the third-party code they pull in from SDKs and other tools. In addition, Apple forbids fingerprinting in mobile apps. Read on to learn more about the requirements you will need to comply with; otherwise the App Store may block your app from being updated or accepted.
Apple Privacy Pillars
Apple regards privacy as a fundamental human right and one of its core values. The company’s multi-layered approach to data privacy includes four principles that it uses when thinking about the privacy of Apple products and services. The four Apple privacy pillars are as follows:
- Data minimization – Reduces the amount of information collected
- On-device processing – Keeps data on the device so it does not necessarily need to leave the device or be stored on a server
- Transparency and control – Empowers users to make better decisions and remove access to data when necessary or desired
- Security protections – Protects data in transit and on the file system, and stores secrets correctly in the keychain, for example
Apple Privacy Nutrition Labels
A few years ago, Apple debuted Privacy Nutrition Labels to help users learn more about how mobile apps collect and use their data so they can make good choices. The labels cover three categories:
- Data Used to Track You
- Data Linked to You
- Data Not Linked to You
On Dec. 8, 2020, Apple began requiring developers to complete the data collection disclosures for mobile apps upon submitting them to the App Store. While this information provides much-needed transparency, it is entirely self-reported by developers and based on the honor system. That means some Privacy Nutrition Labels may be inaccurate, either due to bad intent by the mobile app maker or, more likely, because iOS developers lack insight into the privacy practices of the many third-party software development kits (SDKs) they use to build their mobile apps.
The new Apple privacy manifests aim to bridge that gap. While the Privacy Nutrition Labels help users decide which mobile apps to trust, privacy manifests give mobile app developers useful information about the privacy practices of the third-party SDKs they depend on. Because SDKs have major implications for mobile app privacy, privacy manifests will hold developers more accountable for accurately representing the third-party code in their builds when they fill out their Privacy Nutrition Labels.
Apple Privacy Manifests
A privacy manifest captures details about both first- and third-party code in your mobile apps. In its developer documentation, Apple defines the privacy manifest as a “property list that records the types of data collected by your app or third-party SDK, and the required reason APIs your app or third-party SDK uses.”
Apple has prepared a list of iOS functionality that has the potential to impact privacy and be misused for fingerprinting. It calls these required reason APIs. The categories are:
- File timestamp APIs
- System boot time APIs
- Disk space APIs
- Active keyboard APIs
- User defaults APIs
For each of the above categories, Apple lists approved reasons for accessing these APIs based on their use cases. For example, one required reason API is NSFileSystemFreeSize, which reports the amount of free space on the file system. One approved reason for using it is to check whether there is sufficient disk space before writing files to disk. But if your mobile app is a flashlight or calculator, for instance, it should not need access to disk space or active keyboard APIs at all, according to privacy-by-design principles.
When developers incorporate any required reason APIs into their mobile apps, they must choose one or more approved reasons that accurately reflect their use of each of those APIs and the data derived from their use. To protect users from possible fingerprinting, Apple allows apps and SDKs to access the required reason APIs only for approved reasons. Developers declare this information as part of the process of completing privacy manifest files in Xcode. If your mobile app uses a required reason API to benefit users for a reason that Apple doesn’t list, you can submit a request for a new approved reason.
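As an added illustration (this is not code from NowSecure or Apple), the block below shows what a privacy manifest looks like on disk and lints it the way a pre-submission check would: every declared required reason API category must carry at least one approved reason code, and nothing else is accepted. The plist keys, category identifiers and reason codes are taken from Apple's "Describing use of required reason API" developer documentation as I know it, and should be verified against the current list before use; the sample manifest is constructed for the example.

```python
import plistlib

# Required reason API categories and the approved reason codes Apple lists
# for each. Assumed from Apple's developer documentation at the time of the
# 2023 announcement; check the live list before relying on these values.
ALLOWED_REASONS = {
    "NSPrivacyAccessedAPICategoryFileTimestamp": {"DDA9.1", "C617.1", "3B52.1", "0A2A.1"},
    "NSPrivacyAccessedAPICategorySystemBootTime": {"35F9.1", "8FFB.1"},
    "NSPrivacyAccessedAPICategoryDiskSpace": {"85F4.1", "E4DD.1", "7D9E.1", "B728.1"},
    "NSPrivacyAccessedAPICategoryActiveKeyboards": {"3EC4.1", "54BD.1"},
    "NSPrivacyAccessedAPICategoryUserDefaults": {"CA92.1", "1C8F.1", "C56D.1", "AC6B.1"},
}


def check_manifest(plist_bytes: bytes) -> list[str]:
    """Lint a PrivacyInfo.xcprivacy document.

    Returns human-readable findings; an empty list means every declared
    required reason API carries at least one approved reason code.
    """
    findings: list[str] = []
    manifest = plistlib.loads(plist_bytes)

    entries = manifest.get("NSPrivacyAccessedAPITypes")
    if not isinstance(entries, list):
        return ["NSPrivacyAccessedAPITypes array is missing"]

    for i, entry in enumerate(entries):
        api = entry.get("NSPrivacyAccessedAPIType")
        reasons = entry.get("NSPrivacyAccessedAPITypeReasons") or []
        if api not in ALLOWED_REASONS:
            findings.append(f"entry {i}: unknown API category {api!r}")
            continue
        if not reasons:
            # Declaring the category without a reason is exactly what Apple
            # will reject: the API is used but no approved reason is given.
            findings.append(f"entry {i}: {api} is declared without any reason")
        for reason in reasons:
            if reason not in ALLOWED_REASONS[api]:
                findings.append(
                    f"entry {i}: {reason!r} is not an approved reason for {api}"
                )
    return findings


# Constructed sample manifest (not from any real app): one correct entry,
# one entry with no reason, and one entry with a made-up reason code.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>NSPrivacyTracking</key>
    <false/>
    <key>NSPrivacyAccessedAPITypes</key>
    <array>
        <dict>
            <key>NSPrivacyAccessedAPIType</key>
            <string>NSPrivacyAccessedAPICategoryDiskSpace</string>
            <key>NSPrivacyAccessedAPITypeReasons</key>
            <array>
                <string>E4DD.1</string>
            </array>
        </dict>
        <dict>
            <key>NSPrivacyAccessedAPIType</key>
            <string>NSPrivacyAccessedAPICategoryUserDefaults</string>
            <key>NSPrivacyAccessedAPITypeReasons</key>
            <array/>
        </dict>
        <dict>
            <key>NSPrivacyAccessedAPIType</key>
            <string>NSPrivacyAccessedAPICategoryFileTimestamp</string>
            <key>NSPrivacyAccessedAPITypeReasons</key>
            <array>
                <string>ZZZZ.9</string>
            </array>
        </dict>
    </array>
</dict>
</plist>
"""

# The same app's manifest written correctly, generated programmatically the
# way a tooling step would emit it (constructed example).
GOOD_MANIFEST = plistlib.dumps({
    "NSPrivacyTracking": False,
    "NSPrivacyAccessedAPITypes": [
        {"NSPrivacyAccessedAPIType": "NSPrivacyAccessedAPICategoryDiskSpace",
         "NSPrivacyAccessedAPITypeReasons": ["E4DD.1"]},
        {"NSPrivacyAccessedAPIType": "NSPrivacyAccessedAPICategoryUserDefaults",
         "NSPrivacyAccessedAPITypeReasons": ["CA92.1"]},
    ],
})

if __name__ == "__main__":
    for line in check_manifest(SAMPLE_MANIFEST) or ["no findings"]:
        print(line)
```

Run against a project's PrivacyInfo.xcprivacy files (the app's own and each vendored SDK's), this catches the two rejection cases the section describes: a category declared with no reason, and a reason that is not on Apple's approved list for that category. It does not detect an API that is called but never declared; that requires inspecting the binary or source, which is the gap runtime telemetry tools are meant to close.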
App Store Enforcement Dates
Apple will offer a grace period for developers to become familiar with the forthcoming privacy requirements.
- Beginning in fall 2023, Apple will email developers when an app uses a privacy-impacting SDK without providing a privacy manifest, or calls a required reason API without specifying a valid reason in the privacy manifest.
- Starting in spring 2024, the privacy manifest will become mandatory and Apple will enforce that requirement as part of the app review process.
To recap, mobile app developers should now prepare for the privacy changes that will arrive soon. “Reviewing Apple’s evolving privacy requirements, we can see that in 2020, Privacy Nutrition Labels were introduced,” said Weinstein. “At WWDC 23, privacy manifests were introduced. And finally in 2024, we can expect manifest enforcement as mentioned by Apple in its developer documentation.”
Introducing NowSecure Observer
NowSecure sees the opportunity to aid iOS developers in complying with the new Apple privacy mandates. “We’ve been working on crafting tools that will help easily ensure the privacy and security of the application while minimizing App Store surprises,” Weinstein said. Providing greater visibility to sensitive data flows will empower devs to better meet privacy requirements while boosting DevSecOps efficiency.
Currently available in beta, the NowSecure Observer developer tool simplifies mobile privacy and security during the coding stage. It provides real-time visibility into how sensitive data is being used, stored and transmitted by first- and third-party code. It also enables developers to quickly resolve security and privacy issues and avoid App Store surprises and rejections.
Once developers add it to their iOS project, the NowSecure Observer SDK collects telemetry as the developer codes and at runtime. The SDK feeds information to the NowSecure Observer web app so you can see data flows, observe dependencies that have been introduced over time, and generate Apple privacy manifests and mobile Software Bill of Materials (SBOM) reports. In addition, line-of-code-level detail and backtrace context ease remediation, so developers understand which issues are critical to address and how. Developers can also receive guidance through the App Store submission process in the form of a customized publication checklist to avoid rejections, along with secure code training from NowSecure Academy.
“We also want to make sure that you, developers, our users, have a great experience and help drive productivity that’s needed today,” said Weinstein. See NowSecure Observer in action in Weinstein’s demo and sign up to join the beta.