Apple’s New Policy to Protect User Privacy in the App Store
In an ongoing effort to prioritize user privacy, Apple has implemented various measures within its App Store. These include rules on data collection, app labeling requirements, anti-tracking features, and the introduction of “Sign in with Apple.” Now, Apple is introducing a new policy that requires developers to provide explanations for accessing specific data. This policy aims to crack down on the misuse of APIs.
The Role of APIs and the Issue of Fingerprinting
Developers use Application Programming Interfaces (APIs) to extract and exchange data. However, some APIs can be utilized by developers to collect information about users’ devices through a method called “fingerprinting.” This involves accessing certain device signals to identify the device or user. Apple strictly prohibits fingerprinting, even if the user has granted permission to track them.
This form of largely invisible user and device tracking gained popularity in the advertising industry as traditional methods became less viable due to increased privacy protections enforced by companies like Apple and Mozilla. The launch of Apple’s App Tracking Transparency in 2021 banned the use of fingerprinting but lacked sufficient measures for thorough enforcement.
New Developer Requirement: Providing Reasons for API Access
In order to access certain APIs, developers now must state a reason for doing so. Apple outlines a selection of “approved reasons” which explain how their app will utilize the API. Consequently, the app may only use the API for those specified purposes. The affected APIs include file timestamps, disk space usage, system boot time, active keyboard, and user defaults.
This requirement will become effective in fall 2023. Developers who upload or update their apps on the App Store thereafter without providing a reason for API access will receive notifications to add an approved reason to their app’s privacy manifest before resubmitting. This requirement also applies to third-party SDKs used by the app.
Furthermore, starting in spring 2024, apps and app updates lacking a stated reason for API access will be rejected.
Apple encourages developers to reach out if they believe their app needs to use an API for a different reason that should be approved.
Developer Concerns and Apple’s Response
Some concerns were raised among developers on Hacker News regarding the need to provide a reason for using UserDefaults, a commonly-used API. However, others clarified that this requirement does not indicate a crackdown on legitimate usage but rather a necessity to state the purpose.
Giving Developers Time to Adapt
While new rules always carry the risk of increased App Store rejections, a source of worry for app developers, Apple is offering several months’ notice before implementation. Developers will initially receive warnings explaining the necessary changes.