Privacy Manifest

Open nokiaowner opened this issue 1 year ago • 8 comments

Hello,

At WWDC23 Apple announced that apps and SDKs that make use of certain "required reason" APIs etc. will need to provide a privacy manifest. Does KeychainSwift need to include this manifest? Is this update on the roadmap for the team? I appreciate that enforcement won't happen until Spring 2024 but I wanted to make contact so that we can plan our own app releases to take this into account.

Here are some useful references:

https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_data_use_in_privacy_manifests

https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api

https://developer.apple.com/videos/play/wwdc2023/10060/

Thanks

nokiaowner Dec 01 '23 15:12

Not the owner, but I use this in an app near release.

My understanding is that it is up to the app developer to provide the privacy manifest. I have a few apps on the store, but most don’t collect PID (so simple manifest). The new one, however, will collect a small amount of PID, and we need to indicate this.

I don’t think most end-users care how the data is stored; only that it is respected and treated with care, which the manifest describes (along with our published privacy policy).

ChrisMarshallNY Dec 01 '23 16:12

Hi @ChrisMarshallNY ,

Apple states that it is the responsibility of the SDK developer to include a privacy manifest (source: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_data_use_in_privacy_manifests)

We just need to be sure whether Keychain-swift is exempt from including a privacy manifest, or whether a target date/release version that will include a privacy manifest is planned in the near future.

Thanks

nokiaowner Jan 05 '24 10:01

Howdy. It's not my library, so I can't be of any help in this instance. Also, Apple can't "require" anything from third-party SDKs. The only leverage that they have is from the end app developers. They can insist that the app developers not include SDKs that don't have manifests, but I suspect that will not end well, as pretty much every app out there uses all kinds of third-party code from fairly robust organizations that are unlikely to be thrilled at Apple trying to strongarm them through their users.

However, it's actually a good idea. I plan to add a PRIVACY.md file to my own packages. I don't think that I'll use Apple's XML manifest format, though.

ChrisMarshallNY Jan 05 '24 12:01

I added the privacy manifest https://github.com/evgenyneu/keychain-swift/commit/6b6fc468877a5f01fe211fcf0af840b9ecce9d98

Please let me know if that works for you.

evgenyneu Jan 06 '24 03:01

As long as it conforms to Apple requirements, it should be fine.

When can we expect a new version of KeychainSwift please?

Thanks

nokiaowner Jan 19 '24 09:01

@nokiaowner I just released version 21.0 that contains the privacy manifest. Let me know if it works for you. Ty

evgenyneu Jan 20 '24 01:01

Also, Apple requests that SDK developers sign the SDK. Is it planned to integrate that?

Reference: https://developer.apple.com/news/?id=r1henawx

Thanks

JLLA113 Feb 01 '24 22:02

The library should provide a Privacy Manifest if it collects information or accesses a "Required Reasons API".

iharkatkavets Mar 08 '24 09:03