Privacy Manifests

[wlxo0401]

https://developer.apple.com/support/third-party-SDK-requirements

There is 'Toast' in the library list that Apple should provide Privacy Manifests. Is this library correct??

[ZYHshao]

+1 see

[tommyming]

Just checked the repo, I suppose this kind of UI component library won't need a privacy manifest, and I could not find any usage of the required reasons API.

[scalessec]

Sorry for the delay on this. I'll get this updated in the coming days.

[tommyming]

Sorry for the delay on this. I'll get this updated in the coming days.

Thanks a lot, @scalessec!

Sidetrack:
Just wonder if this thing is actually needed, as I can't find any usage of the APIs in the codebase.

[wlxo0401]

Sorry for the delay on this. I'll get this updated in the coming days.

Thanks a lot, @scalessec!

Sidetrack: Just wonder if this thing is actually needed, as I can't find any usage of the APIs in the codebase.

Wouldn't it be necessary to prove that there isn't?

[scalessec]

Yeah, better to just have it even if there are no offending APIs.

[wlxo0401]

Yeah, better to just have it even if there are no offending APIs.

Thank you for taking care of me even though you are busy.

Happy New Year.

[scalessec]

I pushed a first pass at this (and fixed all unrelated warnings), but need a bit more time for regression testing. I'll cut a new release once that's done.

[tommyming]

@scalessec If any help/assistance is needed, please feel free to tag me, currently available this week and early next week.

[scalessec]

I just pushed 5.1.0. I'd appreciate if you could give it a test drive if you have a moment. I confirmed the new PrivacyInfo.xcprivacy resource is copied into the target when using SPM, CocoaPods, and Carthage. One thing to note—when I integrated the lib into a new app, archived, and then attempted to Generate Privacy Report, it generated an empty PDF. I tried with multiple 3rd party libraries (not just Toast-Swift), and always had the same result. I'm not sure what's going on with that, but as far as I can tell this should meet Apple's requirement. Please let me know if you find otherwise. Thanks again for opening this issue.

[tommyming]

I just pushed 5.1.0. I'd appreciate if you could give it a test drive if you have a moment. I confirmed the new PrivacyInfo.xcprivacy resource is copied into the target when using SPM, CocoaPods, and Carthage. One thing to note—when I integrated the lib into a new app, archived, and then attempted to Generate Privacy Report, it generated an empty PDF. I tried with multiple 3rd party libraries (not just Toast-Swift), and always had the same result. I'm not sure what's going on with that, but as far as I can tell this should meet Apple's requirement. Please let me know if you find otherwise. Thanks again for opening this issue.

The issue might be the problem that we don't have any declared reasons?
Not sure the 3rd party libraries you used. But agree with you that this should fulfill Apple's requirement.

Will try to test it tomorrow, thanks!

[tommyming]

Update: It works fine on my applications, but might require more results from others.

[wlxo0401]

Update: It works fine on my applications, but might require more results from others.

@tommyming

I'm in the same situation as @scalessec

I also tried 'Generation Privacy Report' after Arcive.

But the PDF didn't show anything.

I installed more libraries with Privacy Manifest added for testing.

As I've been testing so far, all of them were not displayed in PDF except for the 'ZIPFoundation' library.

However, 'File Timestamp' from 'ZIPFoundation' was not displayed.

For the 'SDWebImage' library, even though I set it up in PrivacyInfo to use 'File Timestamp', it does not appear in the PDF.

I used SPM.

How should Privacy Manifest look if it works properly??

[tommyming]

Not sure in this case.
Since Apple does not provide any sample of a successful report/failure report, I performed the below testing.

I tried to add only Toast-Swift, and included it with some privacy usage in the app's plist, but the generated report PDF is also empty.
So my assumption here is: If the report is empty, then it means successful?

To reproduce a failure case, I tried to install AWS Amplify, which does not declare data collection types in the privacy manifest, and the report will show the error correctly.
In this case, my assumption is there will be errors shown in the report if you really missed something or set it up wrong.

I haven't tried on the additional data case, so please feel free to provide more info.

[scalessec]

Thanks for your help, @tommyming @wlxo0401 !

[tommyming]

Some updates about the privacy manifest:

https://developer.apple.com/news/?id=3d8a9yyh

Seems the App Store will start to warn developers if there are any issues about the privacy manifest in the app.
If there are any issues about this repo, I think people will start to report.

[freefa]

See this for resolution:
https://apnspush.com/add-privacy-manifest-sdk
For cocoapods, you should put privacy manifest file into a resource bundle, but not spec.resources item:
spec.resource_bundles = {'Toast-Swfit' => ['resource/*.xcprivacy']}
the reason is at the bottom of this page:
https://developer.apple.com/forums/thread/733537

[tommyming]

@freefa thanks for the info.
Maybe someone who imports toast using cocoapods can try to test on this approach? Thanks.

[iblacksun]

@tommyming I've test it and create a merge request #215

[tommyming]

@scalessec Some updates about the privacy manifest:

Seems Apple doesn't recommend an empty one, as I go through the discussion of RxSwift about the privacy manifest.
ReactiveX/RxSwift#2567 (Yeah an extremely long discussion)

Do you have any recommendations on this? I am not sure in this case, since Apple's guidelines are start to become unclear for me...

[scalessec]

Thank for the updates, I'll do my best to get this resolved this weekend.

[scalessec]

Sorry for the delay all. I merged #215 and published 5.1.1. Please let me know of any issues. Thanks!