Apple's update to their API policy - Required Reason in Privacy manifest about trustkit HOT 4 CLOSED

@EthanArbuckle

These are just the high profile ones that are used by tons of developers so Apple is forcing their hands to comply. It is still a best practice for all libraries to provide the privacy manifest.

The intent is to make the ecosystem a safer place for users, as well as developers. The digital signature part of the manifest is designed to detect dependency graph injections / attacks.

IMHO, all third party libraries should do this. I remember back in the day some SDK was using Location APIs but didn't disclose it in their compiled binary which forced my team to add a location usage description string even though we didn't use location.

You don't want to be the SDK that cost a developers HOURS trying to figure out why their code is rejected by Apple app processing for using a required reason API when their code doesn't do it--but your library does.

from trustkit.

I see that TrustKit is using NSUserDefaults thus the SDK needs a Privacy manifest.
https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api

from trustkit.

Apple published a list of the SDKs that require a manifest: https://developer.apple.com/support/third-party-SDK-requirements

It's my understanding that SDKs not on this list do not require the manifest

from trustkit.

Hello, I have submitted a PR to resolve the issue at hand. As noted in the body of the PR, it would be helpful if we could consider together whether the NSPrivacyAccessedAPITypeReasons I selected are appropriate. #325

from trustkit.