Understanding privacy manifest files

In WWDC 2023, Apple announced that starting Spring 2024, it will require its developers to declare the reasons for using certain APIs (aka Required Reason APIs) that could be misused to collect data about users' devices.

Privacy manifest files allow developers to describe their privacy practices:

  • Data that their app or SDK collects and its purpose.
  • Required Reason APIs that their app or SDK uses and the reason for using them.

In this article, we will walk you through the privacy manifest file for our iOS SDK.

Privacy Manifest File for Fingerprint Identification SDK

Starting with v2.3.2, Fingerprint Identification SDK for iOS includes a privacy manifest file. Apple requires that every privacy manifest file contains the following keys.

NSPrivacyTracking

Fingerprint Identification SDK does not use the collected data for tracking and hence this key is set to false.

<!-- Privacy manifest file for Fingerprint Identification SDK for iOS -->
<key>NSPrivacyTracking</key>
<false/>

NSPrivacyTrackingDomains

Fingerprint Identification SDK for iOS does not connect with any Internet domains that engage in tracking users. This key is set to an empty array of domains.

<!-- Privacy manifest file for Fingerprint Identification SDK for iOS -->
<key>NSPrivacyTrackingDomains</key>
<array/>

NSPrivacyCollectedDataTypes

Apple has identified a list of data types that when collected may help to identify/track the device. Device ID is the only data from that list that our iOS SDK collects from the device. As part of this dictionary item, Apple also requires the reason this data is collected to be declared in the privacy manifest file. This data is represented in our privacy manifest file:

<!-- Privacy manifest file for Fingerprint Identification SDK for iOS -->
<key>NSPrivacyCollectedDataTypes</key>
<array>
  <dict>
    <!-- The value provided by Apple for 'Device ID' data type -->
    <key>NSPrivacyCollectedDataType</key>
    <string>NSPrivacyCollectedDataTypeDeviceID</string>

    <!-- Fingerprint Identification SDK does not link the 'Device ID' with user's identity --> 
    <key>NSPrivacyCollectedDataTypeLinked</key>
    <false/>

    <!-- Fingerprint Identification SDK does not use 'Device ID' for tracking -->
    <key>NSPrivacyCollectedDataTypeTracking</key>
    <false/>

    <!-- Fingerprint Identification SDK uses 'Device ID' for App Functionality 
         (prevent fraud and implement security measures) -->
    <key>NSPrivacyCollectedDataTypePurposes</key>
    <array>
      <string>NSPrivacyCollectedDataTypePurposeAppFunctionality</string>
    </array>
  </dict>
</array>

NSPrivacyAccessedAPITypes

Fingerprint Identification SDK for iOS uses File timestamp APIs. It is one of the Required Reason API and thus it needs to be included in the privacy manifest file.

<!-- Privacy manifest file for Fingerprint Identification SDK for iOS -->
<key>NSPrivacyAccessedAPITypes</key>
<array>
  <dict>
    <!-- The value provided by Apple for 'File timestamp APIs' -->
    <key>NSPrivacyAccessedAPIType</key>
    <string>NSPrivacyAccessedAPICategoryFileTimestamp</string>

    <!-- Fingerprint Identification SDK uses 'File timestamp APIs' to manage persistent cache data -->
    <key>NSPrivacyAccessedAPITypeReasons</key>
    <array>
      <string>C617.1</string>
    </array>
  </dict>
</array>

Privacy Manifest File for your App

Below, you will find answers to some of the most frequently asked questions with respect to creating privacy manifest files for your apps:

My app uses Fingerprint Identification SDK but the app itself does not collect any sensitive data. It also does not use any of the Required Reason APIs. Should I still provide a privacy manifest file for my app?

  • No. According to Apple documentation, your app’s privacy manifest file doesn’t need to cover data collected by third-party SDKs that your app links to.

My app uses Fingerprint Identification SDK. The app itself also collects the same data as the SDK for the same purpose specified in the SDK's privacy manifest file. Should I still provide a privacy manifest file for my app?

  • Yes. Apple will aggregate the privacy manifest files provided for your app and all the third-party SDKs that your app links to. See Create your app's privacy report for more information.

My app uses Fingerprint Identification SDK. What kind of assistance can Fingerprint provide towards submitting my app for review?

  • This page is a good starting point for creating the privacy manifest file for your app. For a complete example of a privacy manifest file, you can also refer to the privacy manifest file of our demo app.
  • We can review the privacy manifest file for your app to ensure that the use of Fingerprint Identification SDK is represented correctly.
  • During the app submission process, for any questions that Apple raises about the data collected/processed by Fingerprint Identification SDK, we will help you answer those questions.