The Curious Case of Apple’s Third-Party SDK List for Privacy Manifests jessesquires.com

Apple:

Starting May 1, 2024, new or updated apps that have a newly added third-party SDK that's on the list of commonly used third-party SDKs will need all of the following to be submitted in App Store Connect:

  1. Required reasons for each listed API

  2. Privacy manifests

  3. Valid signatures when the SDK is added as a binary dependency

Jesse Squires:

Historically, Apple has rarely, if ever, explicitly acknowledged any third-party SDK or library. It took years for them to even acknowledge community tools like CocoaPods in Xcode's release notes. Thus, it is interesting to see which SDKs they have deemed important or concerning enough to explicitly mandate a privacy manifest. And, in typical Apple fashion, I'm pretty sure SDK authors were not notified about this in advance. We all learned which SDKs need privacy manifests at the same time, when the list was published.

When this requirement was announced at WWDC last year, I assumed this list would be dominated by SDKs for analytics, authentication, logging, advertising, and other potentially sensitive use cases. After all, it came on the heels of reporting by The Markup and the Wall Street Journal about SDKs invisible to end users and implicated in mass surveillance, with one such software package, X-Mode, banned by Apple and Google.

This list of SDKs contains seemingly few such packages. As of writing, there are 87 SDKs on Apple’s list and fully one-quarter of them — by my count — are Flutter packages intended to simplify cross-platform development. I can see how there could be risks to file and photo pickers, for example, but this list sure looks more like it is comprised of popular SDKs, not necessarily ones of privacy concern. Kits from Facebook and Snap are on the list, but TikTok’s is nowhere to be found. Several Google SDKs are on the list, including Firebase analytics, but Google’s standalone ads framework is not; Unity is on the list, but not Unity’s ad kit.

As Squires writes, any documentation about why these SDKs are on Apple’s list would be helpful. I would even take a sentence fragment.