Understanding privacy manifest files

At WWDC 2023, Apple announced that, starting in Spring 2024, developers must declare in privacy manifest files their reasons for using certain APIs (known as Required Reason APIs) that could be misused to collect data about users' devices.

Privacy manifest files allow developers to describe their privacy practices:

  • Data that their app or SDK collects and its purpose.
  • Required Reason APIs that their app or SDK uses and the reason for using them.

In this article, we will walk you through the privacy manifest file for our iOS SDK.

Privacy Manifest File for Fingerprint Identification SDK

Starting with v2.3.2, the Fingerprint Identification SDK for iOS includes a privacy manifest file. Apple requires that every privacy manifest file contains the following keys.

NSPrivacyTracking

Fingerprint Identification SDK does not use the collected data for tracking, and hence, the NSPrivacyTracking key is set to false.

<!-- Privacy manifest file for Fingerprint Identification SDK for iOS -->
<key>NSPrivacyTracking</key>
<false/>

NSPrivacyTrackingDomains

Fingerprint Identification SDK for iOS does not connect with any Internet domains that engage in tracking users. The NSPrivacyTrackingDomains key is set to an empty array of domains.

<!-- Privacy manifest file for Fingerprint Identification SDK for iOS -->
<key>NSPrivacyTrackingDomains</key>
<array/>

NSPrivacyCollectedDataTypes

Apple has identified a list of data types that, when collected, may help to identify or track the device. "Identifiers > Device ID" is the only data type from that list that our iOS SDK collects from the device. Apple also requires the privacy manifest to describe how the data is used, as part of the same dictionary item. This data is represented in the NSPrivacyCollectedDataTypes key in our privacy manifest file:

<!-- Privacy manifest file for Fingerprint Identification SDK for iOS -->
<key>NSPrivacyCollectedDataTypes</key>
<array>
  <dict>
    <!-- The value provided by Apple for 'Device ID' data type -->
    <key>NSPrivacyCollectedDataType</key>
    <string>NSPrivacyCollectedDataTypeDeviceID</string>

    <!-- Fingerprint Identification SDK does not link the 'Device ID' with user's identity --> 
    <key>NSPrivacyCollectedDataTypeLinked</key>
    <false/>

    <!-- Fingerprint Identification SDK does not use 'Device ID' for tracking -->
    <key>NSPrivacyCollectedDataTypeTracking</key>
    <false/>

    <!-- Fingerprint Identification SDK uses 'Device ID' for App Functionality 
         (prevent fraud and implement security measures) -->
    <key>NSPrivacyCollectedDataTypePurposes</key>
    <array>
      <string>NSPrivacyCollectedDataTypePurposeAppFunctionality</string>
    </array>
  </dict>
</array>

NSPrivacyAccessedAPITypes

Fingerprint Identification SDK for iOS uses the following Required Reason APIs, which must be declared in the privacy manifest file:

  1. File timestamp APIs

  2. System boot time APIs

<!-- Privacy manifest file for Fingerprint Identification SDK for iOS -->
<key>NSPrivacyAccessedAPITypes</key>
<array>
  <dict>
    <!-- The value provided by Apple for 'System boot time APIs' -->
    <key>NSPrivacyAccessedAPIType</key>
    <string>NSPrivacyAccessedAPICategorySystemBootTime</string>

    <!-- Fingerprint Identification SDK uses 'System boot time APIs' to measure the amount of
         time that has elapsed between events that occurred within the SDK -->
    <key>NSPrivacyAccessedAPITypeReasons</key>
    <array>
      <string>35F9.1</string>
    </array>
  </dict>
  <dict>
    <!-- The value provided by Apple for 'File timestamp APIs' -->
    <key>NSPrivacyAccessedAPIType</key>
    <string>NSPrivacyAccessedAPICategoryFileTimestamp</string>

    <!-- Fingerprint Identification SDK uses 'File timestamp APIs' to manage persistent cache
         data -->
    <key>NSPrivacyAccessedAPITypeReasons</key>
    <array>
      <string>C617.1</string>
    </array>
  </dict>
</array>
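
The four fragments above can be checked mechanically once they are joined into a single plist. The following is an added example, not Fingerprint's or Apple's code: it assembles the fragments from this page into one constructed manifest and audits it with Python's `plistlib`. The `<plist>` wrapper, the `audit` function name and the tracking-consistency lint are assumptions of this example.

```python
import plistlib

# Constructed sample: the four fragments from this page joined into one plist.
MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSPrivacyTracking</key><false/>
  <key>NSPrivacyTrackingDomains</key><array/>
  <key>NSPrivacyCollectedDataTypes</key><array><dict>
    <key>NSPrivacyCollectedDataType</key><string>NSPrivacyCollectedDataTypeDeviceID</string>
    <key>NSPrivacyCollectedDataTypeLinked</key><false/>
    <key>NSPrivacyCollectedDataTypeTracking</key><false/>
    <key>NSPrivacyCollectedDataTypePurposes</key>
    <array><string>NSPrivacyCollectedDataTypePurposeAppFunctionality</string></array>
  </dict></array>
  <key>NSPrivacyAccessedAPITypes</key><array>
    <dict><key>NSPrivacyAccessedAPIType</key><string>NSPrivacyAccessedAPICategorySystemBootTime</string>
      <key>NSPrivacyAccessedAPITypeReasons</key><array><string>35F9.1</string></array></dict>
    <dict><key>NSPrivacyAccessedAPIType</key><string>NSPrivacyAccessedAPICategoryFileTimestamp</string>
      <key>NSPrivacyAccessedAPITypeReasons</key><array><string>C617.1</string></array></dict>
  </array>
</dict></plist>"""

# Expected key -> type, taken from the fragments shown on this page.
TOP_LEVEL = {"NSPrivacyTracking": bool, "NSPrivacyTrackingDomains": list,
             "NSPrivacyCollectedDataTypes": list, "NSPrivacyAccessedAPITypes": list}
DATA_TYPE = {"NSPrivacyCollectedDataType": str, "NSPrivacyCollectedDataTypeLinked": bool,
             "NSPrivacyCollectedDataTypeTracking": bool,
             "NSPrivacyCollectedDataTypePurposes": list}


def audit(raw: bytes) -> list[str]:
    """Return a list of problems; an empty list means every check passed."""
    m = plistlib.loads(raw)
    problems = [f"{k}: missing or not {t.__name__}"
                for k, t in TOP_LEVEL.items() if not isinstance(m.get(k), t)]
    if problems:
        return problems  # nested checks need all four top-level keys
    for i, entry in enumerate(m["NSPrivacyCollectedDataTypes"]):
        problems += [f"collected data type #{i}: {k} missing or not {t.__name__}"
                     for k, t in DATA_TYPE.items() if not isinstance(entry.get(k), t)]
        # This example's own lint, not an Apple rule quoted on the page: a data type
        # flagged for tracking contradicts a manifest-wide NSPrivacyTracking of false.
        if entry.get("NSPrivacyCollectedDataTypeTracking") is True and not m["NSPrivacyTracking"]:
            problems.append(f"collected data type #{i}: tracking is true but NSPrivacyTracking is false")
    for entry in m["NSPrivacyAccessedAPITypes"]:
        name = entry.get("NSPrivacyAccessedAPIType", "<unnamed>")
        if not entry.get("NSPrivacyAccessedAPITypeReasons"):
            problems.append(f"{name}: no reason code declared")
    return problems
```

Running `audit` over your own app's manifest bytes in CI catches a missing key or an API category without a reason code before the build is submitted.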

Privacy Manifest File for your App

Below, you will find answers to some of the most frequently asked questions with respect to creating privacy manifest files for your iOS apps:

My app uses Fingerprint Identification SDK, but the app itself does not collect any sensitive data. It also does not use any of the Required Reason APIs. Should I still provide a privacy manifest file for my app?

  • No. According to Apple's documentation, your app’s privacy manifest file doesn’t need to cover data collected by third-party SDKs that your app links to.

My app uses Fingerprint Identification SDK. The app also collects the same data as the SDK for the same purpose specified in the SDK's privacy manifest file. Should I still provide a privacy manifest file for my app?

  • Yes. Apple will aggregate the privacy manifest files provided for your app and all the third-party SDKs your app links to. See "Create your app's privacy report" for more information.

My app uses Fingerprint Identification SDK. What kind of assistance can Fingerprint provide towards submitting my app for review?

  • This page is a good starting point for creating the privacy manifest file for your app. For a complete privacy manifest example, you can also refer to the privacy manifest file of our demo app.
  • We can review the privacy manifest file for your app to ensure that the use of Fingerprint Identification SDK is represented correctly.
  • During the app submission process, we will help you answer any questions Apple raises about the data collected/processed by Fingerprint Identification SDK.