Baseflow / flutter-geolocator

Android and iOS Geolocation plugin for Flutter
https://baseflow.com/
MIT License

Add privacy manifest for Apple #1360

Closed mvanbeusekom closed 6 months ago

mvanbeusekom commented 11 months ago

Starting from April 2024, SDKs used by applications that are published to the Apple App Store need to specify a privacy manifest and digital signature.

Apple reached out with the following:

I lead the Creative Pro Partnership Management team in Apple Worldwide Developer Relations. We manage the relationship with developers who create developer tools, photography, music, 2D/3D design, 3D and gaming pipeline, and production-focused apps and hardware.

As you may know, in June, Apple announced new features to help users understand developers’ privacy and data collection and sharing practices. These new features include privacy manifests and signatures, which we encourage all third-party SDKs to adopt to provide transparency to users and help secure the software supply chain. Third-party SDKs that impact user privacy will be expected to include a privacy manifest and signature, and starting in Spring 2024, new and updated apps that include these third-party SDKs will need to include their manifest and signature to submit to the App Store.

Your SDK, geolocator_apple, may have significant impact on the privacy of the users of apps that include it. We’re reaching out to make sure you are aware of this upcoming change, and to provide resources to help. If you have any questions about implementing privacy manifests and/or signatures, you can reach out to me and I’ll do my best to escalate your questions.

Here are some additional resources that may be helpful:

Flutter is tracking this in flutter/flutter#131940

stuartmorgan commented 10 months ago

Have you had any communication with Apple about how to describe usage of location information at the SDK level, given that it's the client application that will ultimately use the data?

mvanbeusekom commented 10 months ago

@stuartmorgan, I did contact Apple with the following question:

Thank you for reaching out to us. I have been going through the documentation regarding the new privacy manifest and I am struggling with one question. In the case of the geolocator_apple package we do not track data nor do we link data to a user, it simply exposes the CLLocationManager SDK to a Dart interface so Flutter developers can easily consume the SDK using the Dart programming language. Does this mean we can use a simple manifest file which simply explains we do not track data or do we still need to specify entries for the "NSPrivacyCollectedDataTypes" dictionary?

I am a bit confused on the term "collect" used in the Apple documentation. Does Apple consider the geolocator_apple package to "collect" location information because it makes calls into the CLLocationManager SDK even if the package doesn't persist this data?

They confirmed they will look into the questions; however, they haven't responded back.

stuartmorgan commented 10 months ago

Thanks, that tracks with what I've heard from other developers as well. I'll reach out to everyone if/when we hear more.

ShuheiSuzuki-07 commented 9 months ago

Hello!

What is the status of the response to this matter? You may need an empty manifest even if you are not collecting anything 😭 https://github.com/flutter/flutter/issues/131940#issuecomment-1881641272

If an empty manifest is ok I may be able to create a PR for you too.

yh-luo commented 6 months ago

Apple has indicated an enforcement date of May 1st for Privacy Manifests.

Starting May 1, 2024, apps that don’t describe their use of required reason API in their privacy manifest file aren’t accepted by App Store Connect.

mvanbeusekom commented 6 months ago

We have just released version 2.3.7 of the geolocator_apple package which includes the required privacy manifest. More details can be found in PR #1462.