Necessity of Privacy Manifest for third-party SDK in app review


I am currently working as an app developer, and want to know what the definition of "third-party SDK" is, as mentioned in WWDC23. From Privacy manifest files | Apple Developer Documentation, we can say that the following targets require a privacy manifest:

Apps and third-party SDKs — distributed as XCFrameworks, Swift packages, or framework bundles — can contain a privacy manifest file

From my understanding, any external library we used in our app qualifies as a third-party SDK. Consequently, they should all contain a Privacy Manifest.

However, my concern is that in our app we do use some old libraries that have not been updated for like 2-4 years (e.g. ColorAssetCatalog, KeychainAccess). Under these situations, I would like to know:

  • Do these open-source libraries that do not collect any of the data Apple mentioned (including Required Reason APIs, tracking domains), and only provide source code, require the Privacy Manifest?
  • Secondly, would the lack of a privacy manifest in a third-party SDK we used in our app result in failing the app review?

I fully understand that Apple wants to ensure our apps are as transparent as possible, but the details are lacking. Even now, I still can't find a list of "Privacy-Impacting SDKs" or any specific information about them.

I would greatly appreciate it if anyone could provide further information or insights on this topic. Many thanks in advance.

3

There are 3 answers

3
Shankar Aware

Apple has included the list here (https://developer.apple.com/support/third-party-SDK-requirements/) of SDKs that require a privacy manifest and signature, and you can use Xcode 15 to add PrivacyInfo.xcprivacy (https://developer.apple.com/documentation/bundleresources/privacy_manifest_files) and follow the steps in https://developer.apple.com/videos/play/wwdc2023/10060/ to get the requirement fulfilled.

3
user3462009

Apple requires a Privacy Manifest for any app dependent on the SDK List defined on their website. These SDKs should have released (or will be soon releasing) an updated version of their SDK that provides a privacy manifest. A potentially incomplete compilation of statuses is available here.

In order to use those SDKs in your application and create a privacy manifest, you will need to update your app to the most recent version of the SDK. I recommend pinging the developers on GitHub for details and status updates.

0
Pran Kishore

However, my concern is that in our app we do use some old libraries that have not been updated for like 2-4 years (e.g. ColorAssetCatalog, KeychainAccess). Under these situations, I would like to know:

We are in the same situation. What we have decided is that we use this tool to check if the SDKs we are using are dependent on APIs that need to provide a reason for use. If yes:

  1. Open source: we fork it and include it ourselves / try to remove the dependency.
  2. Proprietary: connect with the support team. For paid SDKs the teams are professional and are providing updates.

Secondly, would the lack of a privacy manifest in a third-party SDK we used in our app result in failing the app review?

Yes, of course, as per here: https://developer.apple.com/news/?id=3d8a9yyh

Do these open-source libraries that do not collect any of the data Apple mentioned (including Required Reason APIs, tracking domains), and only provide source code, require the Privacy Manifest?

Nope, they are excluded. We are good to go with them without the manifest.
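The check this answer describes, written out as an added example that is not the answerer's tool nor any code from the page: scan an SDK's sources for symbols that fall under a required-reason API category, parse its PrivacyInfo.xcprivacy, and report categories used but not declared. The symbol list is a constructed, deliberately partial mapping (assumption: Apple's documentation is the authoritative list), and the sample source file, manifest and reason code are constructed for illustration.

```python
import plistlib
import re
from pathlib import Path

# Symbols that fall under a required-reason API category, keyed by the value used in
# NSPrivacyAccessedAPIType. Constructed and deliberately partial; Apple's docs are authoritative.
REQUIRED_REASON_SYMBOLS = {
    "NSPrivacyAccessedAPICategoryUserDefaults": [r"\bUserDefaults\b", r"\bNSUserDefaults\b"],
    "NSPrivacyAccessedAPICategoryFileTimestamp": [r"\bf?stat\(", r"\.creationDate\b", r"\bNSFileCreationDate\b"],
    "NSPrivacyAccessedAPICategorySystemBootTime": [r"\bsystemUptime\b", r"\bmach_absolute_time\b"],
    "NSPrivacyAccessedAPICategoryDiskSpace": [r"\bvolumeAvailableCapacity", r"\bstatfs\("],
    "NSPrivacyAccessedAPICategoryActiveKeyboards": [r"\bactiveInputModes\b"],
}

def used_categories(sources):
    """Map category -> set of 'file:pattern' hits for a {path: source_text} mapping."""
    hits = {}
    for path, text in sources.items():
        for category, patterns in REQUIRED_REASON_SYMBOLS.items():
            for pat in patterns:
                if re.search(pat, text):
                    hits.setdefault(category, set()).add(f"{path}:{pat}")
    return hits

def declared_categories(manifest_bytes):
    """Categories listed under NSPrivacyAccessedAPITypes in a PrivacyInfo.xcprivacy plist."""
    return {e["NSPrivacyAccessedAPIType"] for e in plistlib.loads(manifest_bytes).get("NSPrivacyAccessedAPITypes", [])}

def undeclared_categories(sources, manifest_bytes):
    """Categories the sources use but the manifest does not declare, sorted."""
    return sorted(set(used_categories(sources)) - declared_categories(manifest_bytes))

def load_sources(root):
    """Read Swift/Objective-C files below root into the mapping used_categories() expects."""
    return {str(p): p.read_text(errors="ignore") for p in Path(root).rglob("*")
            if p.suffix in {".swift", ".m", ".mm", ".h"}}

# Constructed sample: an SDK that touches UserDefaults and file creation dates, whose
# manifest declares only the UserDefaults category (CA92.1: same-app defaults access).
SAMPLE_SOURCES = {"Sources/Cache.swift": (
    "let d = UserDefaults.standard\n"
    "let created = try fm.attributesOfItem(atPath: p)[.creationDate]\n")}
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>NSPrivacyTracking</key><false/>
  <key>NSPrivacyAccessedAPITypes</key><array><dict>
    <key>NSPrivacyAccessedAPIType</key><string>NSPrivacyAccessedAPICategoryUserDefaults</string>
    <key>NSPrivacyAccessedAPITypeReasons</key><array><string>CA92.1</string></array>
  </dict></array></dict></plist>"""
if __name__ == "__main__":
    print(undeclared_categories(SAMPLE_SOURCES, SAMPLE_MANIFEST))  # ['NSPrivacyAccessedAPICategoryFileTimestamp']
```

To run it against a real dependency checkout, pass `load_sources("path/to/sdk")` and the bytes of its PrivacyInfo.xcprivacy to `undeclared_categories()`; a non-empty result means the SDK needs a manifest update (or a fork, as the answer suggests) before review.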