How to quickly get a PrivacyInfo.xcprivacy file for your iOS app
I’ve created a form that let’s you quickly and easily generate the `PrivacyInfo.xcprivacy` manifest file now mandatory for all iOS apps.
Here’s the link if you just want try it out (or read on for the full story):
What’s a Privacy Manifest?
A privacy manifest is an XML file, following Apple’s .plist format, that lives in the root of your iOS app’s bundle and is named PrivacyInfo.xcprivacy.
The privacy manifest describes all the ways that your app might collect data about you, or your device, and if that data is used for ‘tracking’. In this context, ‘tracking’ means giving the data to some other company that will use that data to show you targeted ads (like, um, Google and Meta?).
There’s 3 main types of data to be supplied in the Privacy Manifest:
- A yes/no question about whether your app uses data for ‘tracking’ and, if so, what domains the data being sent to.
- A list of all the types of data being collected, noting why that data is being collected and if it’s being used for tracking.
- A list stating which (if any) of six categories of iOS framework methods you’re using, referred to as ‘Required reason’ APIs, noting why you’re using them.
The structure of the data in the ‘types of data being collected’ section closely matches ‘App Privacy > Data Types’ section in App Store Connect.
The ‘Required reason’ APIs (is a grammatical abomination and also) is there because the methods it covers can potentially be used to link one device across different apps. Being able to identify the same user (and track their behaviour) across multiple apps is of particular interest to suppliers of common advertising related SDKs that are used widely across many iOS apps.
There’s quite a bit more to this, especially in regards to the 3rd party SDKs, which I’m not covering in this article. Click here to read Apple’s official documentation.
Do you need a Privacy Manifest for your app?
Oh yes, this is mandatory.
In early 2024, Apple announced that all apps would soon need to include a Privacy Manifest file, named PrivacyInfo.xcprivacy, with warning emails starting to be sent since 1 April 2024 and apps without a PrivacyInfo.xcprivacy file expected to be rejected from 1 May 2024.
How do you get a Privacy Manifest file?
Xcode has a .plist editing interface that can generate the necessary XML for your PrivacyInfo.xcprivacy file. However, the interface is clunky and awkward, has various usability issues and some subtle inaccuracies (e.g. the list of ‘reasons’ to choose for a Required Reason API don’t filter for selected API category).
Using Xcode is also not ideal if you’re building apps using other frameworks, like Flutter, React or .NET MAUI.
I run an app development company and we have 60+ apps built on various platforms, so I have a lot of apps that will need PrivacyInfo.xcprivacy files. The very first time I faced this task I Googled “ios online privacy manifest generator” and nothing came up. To streamline the process, I created a form for myself that let me tick a few boxes to generate the necessary XML, rather than fuss around with Xcode.
After tidying things up a bit, I decided to make it available on our website (entirely free and publicly accessible):
https://wemakeapps.net/manifest-maker
Why are Apple doing this?
These privacy manifest files are another evolution of Apple’s laudable commitment to protecting user’s privacy.
These privacy manifest files added directly to the app are just one part of this process; Apple are also encouraging (and in some cases requiring) the publishers of 3rd party SDKs to also embed a PrivacyInfo.xcprivacy in their code. When an app is actually published, the privacy manifests for the main app and all integrated SDKs are aggregated and the resulting tracking, data collection and API info is what will be presented to end users on the App Store.
Personally, I have some reservations about the whole exercise.
There’s some obvious shortcomings in this approach. App and SDK developers are simply being asked to self-report their use of the data collected, so could simply lie if they wanted to. I also think that the disclosure of the ‘Required reasons’ APIs are simply too technical for end users, who won’t properly grasp the implications of what they’re being informed about.
However, these are just minor concerns and there isn’t an obvious better alternative.
The bigger story is why Apple are so fixated on this particular aspect of user privacy, with it’s narrow focus on preventing SDKs from linking your behaviour across apps, ahead of the multitude of other social issues associated with technology (like excessive screen time, misinformation, concentration of power, equality of access or, say, the way supranational tech firms avoid paying tax).
The reason Apple is prepared to lean on their app developers to enforce this kind of privacy is because it undermines their main competitors, Google and Meta. Further preventing the tracking of user behaviour across apps degrades the accuracy of the targeted advertising that the big digital ad networks rely on, making their service less compelling for advertisers.
But all those power plays may as well be happening in another dimension from the perspective of us mere mortal app developers. Apple have decreed that we need a PrivacyInfo.xcprivacy file, and so it shall be done.
And you can use my form to make it easier.
