I’ve started getting a multiple warnings from App Store Connect about API usage when I upload my builds:
**ITMS-91053: Missing API declaration** - Your app’s code in the “Photo Tape” file references one or more APIs that require reasons, including the following API categories: [API BEING ACCESSED]. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.
They’re definitely not being called by my own declares. Possible causes could be:
XOJO’s runtime
MBS plugins
iOSKit framework
IOSDesignExtensions framework
Since this may be an issue for others, perhaps we can figure out the root cause? Or figure out a blanket reason to provide in a privacy manifest.
I’ve been working on an app for two years that’s close to release. If the warnings can’t be made to go away, or we don’t have a sufficient explaination in the privacy manifest, then myself and others may be up a creek.
I created a PrivacyInfo.xcprivacy resource in Xcode and added it to my XOJO build in a CopyFiles build step, to copy it to the Resources folder.
The binary was uploaded to App Store Connect and I got a successful upload email, rather than the warning email I usually get. For the 4 APIs indicated, these are the reasons I gave:
System Boot Time
35F9.1
Declare this reason to access the system boot time in order to measure the amount of time that has elapsed between events that occurred within the app or to perform calculations to enable timers.
Information accessed for this reason, or any derived information, may not be sent off-device. There is an exception for information about the amount of time that has elapsed between events that occurred within the app, which may be sent off-device.
User Defaults
CA92.1
Declare this reason to access user defaults to read and write information that is only accessible to the app itself.
This reason does not permit reading information that was written by other apps or the system, or writing information that can be accessed by other apps.
File Timestamp
C617.1
Declare this reason to access the timestamps, size, or other metadata of files inside the app container, app group container, or the app’s CloudKit container.
Disk Space
E174.1
Declare this reason to check whether there is sufficient disk space to write files, or to check whether the disk space is low so that the app can delete files when the disk space is low. The app must behave differently based on disk space in a way that is observable to users.
Information accessed for this reason, or any derived information, may not be sent off-device. There is an exception that allows the app to avoid downloading files from a server when disk space is insufficient.
These are based on conservative, educated guesses but it would be great if XOJO could clarify, or better yet, provide a default manifest (either now or in future builds)
Yes, there are privacy considerations with these APIs. The main concern is the uninterrupted distribution of non-privacy-violating XOJO apps in the App Store.
This becomes difficult in cases like this when Xojo has huge framework of everything and almost nothing conditionally compiled out then you have things like File dates and File size that always would get compiled in I am guessing.
As to explain to Apple why you have it I am not sure how you can
Thanks; I’ll try dragging it into the project navigator. As it turns out, I just got an email saying that there are still issues, so copying it to the bundle resources didn’t quite work.
(The file itself isn’t a .plist file, it’s a .xcprivacy file, and XOJO doesn’t merge it with the info.plist.)
Trying another test: Dragging “PrivacyInfo.xcprivacy" into the project navigator, and XOJO puts the file where it needs to be when you building the app: At the root of the app bundle.
However, what’s different here is that I haven’t seen a word from XOJO about this and the deadline is approaching quickly. Unity has docs, at least. If there isn’t one already, I’d suggest a blog post, at the very least.
It actually needs to be a separate file called “PrivacyInfo.xcprivacy” and is a new file-based resource type you can create in Xcode.
Apps and third-party SDKs — distributed as XCFrameworks, Swift packages, or Xcode projects — can contain a privacy manifest file, named PrivacyInfo.xcprivacy .
I imagine Xojo may need to add something to the plugin SDK also and or package iOS plugins into something else than dylib, like framework of some sort maybe. Since I am not sude a PrivacyInfo file can be embedded on dylib.
I could share a quick tutorial step-by-step later today, but these are each developer’s privacy declarations to Apple and shouldn’t be copy-and-pasted from one developer to another.
Basically, go to Xcode and make a new privacy manifest file. It’s an option in the New dialog. Then select the entries that correspond to the descriptions I linked above.
This worked. No warning more emails from Apple.