Cordova was listed on the list of requirements for third-party SDKs announced by Apple today.

[acn-masatadakurihara]

Feature Request

Cordova was listed on the list of requirements for third-party SDKs announced by Apple today. Is there any push on Cordova's part to include Privacy Manifests files or sign the SDK? https://developer.apple.com/support/third-party-SDK-requirements/

Motivation Behind Feature

If this is not addressed, Cordova apps will not be able to be submitted to the AppStore starting in the spring of 2024.

Feature Description

Privacy Manifests PR is found. Has anything been done about signing the SDK? Or does it need to be signed on the part of the app developer using Cordova?

Alternatives or Workarounds

[dpogue]

Cordova itself is not distributed as a .framework or .xcframework file, so as far as I'm aware no SDK signing is necessary. When you create a Cordova app, the CordovaLib code is included as part of the app project.

As for privacy manifests, Cordova itself does not collect or store any user data and does not use any of the APIs that Apple has labelled as privacy impacting. However, plugins might use those APIs, so the challenge is figuring out how to manage plugins declaring their own privacy manifests.

[breautek]

Cordova itself is not distributed as a .framework or .xcframework file, so as far as I'm aware no SDK signing is necessary. When you create a Cordova app, the CordovaLib code is included as part of the app project.

I'm not sure if this is entirely true.

Cordova is distributed as source, but it is it's own independent project. We just don't pre-compile it. But the CordovaLib project has 2 targets, a static CordovaLib target, and a Cordova framework target. I'm not sure if the Cordova framework target is actually used because on the App project, it looks like it links against the CordovaLib static library. In my own project built by the Cordova CLI, there is no sign of cordova.framework present, i think the target just exists for whatever (probably legacy) reasons. Perhaps some people have their XCode projects modified to use the unsigned framework instead of the static library (or maybe there is a cordova flag that controls this too?). I'm not sure if there is any benefit of having a .framework target vs just the static library target, so maybe one can be removed?

If any project is actually using the Cordova.framework target, that target will need to be signed. But I'm not sure if it can be signed by the app developer of it needs to be signed by Apache for a globally consistent signature.

Now with signatures for SDKs, when you adopt a new version of a third-party SDK in your app, Xcode will validate that it was signed by the same developer, improving the integrity of your software supply chain.

Like I'm not 100% sure what this means or how they are really doing the validating.

As for the privacy manifest, most plugins don't have their own XCode project and instead their sources are directly added to the app project. So the app needs a xcprivacy file.

Good news is, we can probably have an intermediate JSON structure that is used to help de-dupe or generate the xcprivacy file and we can probably incorporate some plugin.xml directives that helps plugins control it.

A sample xcprivacy that I have for a geolocation project will look something like:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>NSPrivacyCollectedDataTypes</key>
    <array>
        <dict>
            <key>NSPrivacyCollectedDataType</key>
            <string>NSPrivacyCollectedDataTypePreciseLocation</string>
            <key>NSPrivacyCollectedDataTypeLinked</key>
            <false/>
            <key>NSPrivacyCollectedDataTypeTracking</key>
            <false/>
            <key>NSPrivacyCollectedDataTypePurposes</key>
            <array>
                <string>NSPrivacyCollectedDataTypePurposeAppFunctionality</string>
            </array>
        </dict>
        <dict>
            <key>NSPrivacyCollectedDataType</key>
            <string>NSPrivacyCollectedDataTypeCoarseLocation</string>
            <key>NSPrivacyCollectedDataTypeLinked</key>
            <false/>
            <key>NSPrivacyCollectedDataTypeTracking</key>
            <false/>
            <key>NSPrivacyCollectedDataTypePurposes</key>
            <array>
                <string>NSPrivacyCollectedDataTypePurposeAppFunctionality</string>
            </array>
        </dict>
    </array>
    <key>NSPrivacyTracking</key>
    <false/>
</dict>
</plist>

You don't put any actual human facing text in it. It's all constants that describe what privacy-sensitive features you're using, and constants that explain the reason or purpose for using. This was always required when distributing apps but it was done through the App Connect web portal, so this newer xcprivacy file allows more programmatic usage as well as putting the responsibility for SDK authors to provide their own privacy manifests (rather than the app developer trying to guess what a SDK may or may not do).

[breautek]

Also watching https://developer.apple.com/forums/thread/742835 to see if there is a Apple response, if we do need that .framework target it will be helpful to know if SDK signatures requires a globally consistent signature if the app developer can sign their copy. It's not really clear on how exactly will XCode validate third-party SDK updates and such.

[acn-masatadakurihara]

I will also share an Issue that is being addressed by Flutter, which is facing the same problem. https://github.com/flutter/flutter/issues/131940

[acn-masatadakurihara]

https://developer.apple.com/news/?id=3d8a9yyh They say the policy will be applied in May.

[jcesarmobile]

I've tried master branch and I can see the privacy manifest in the CordovaLib project, but I don't think it's in the CordovaLib.a library file that gets generated from the CordovaLib project. So are we sure the merged change will be enough when the Cordova's manifest doesn't seem to be part of the resulting user app? Or will we need to switch to using a Cordova.framework as breautek commented? (despite his comment was about signing, but might be needed for adding the privacy manifest too)

[erisu]

I believe the PrivacyInfo.xcprivacy manifest file in CordovaLib only used when CordovaLib is loaded into a project by CocoaPods. It is not used when a project is created by Cordova-CLI.

When the project is created by Cordova-CLI, the project's template PrivacyInfo.xcprivacy will be used.

@dpogue can confirm this.

[jcesarmobile]

Yeah, that's what I'm thinking, and since Apple tagged Cordova as a "framework" that needs to ship a privacy manifest, I don't think current changes cover the problem for most users as most users use Cordova from the CLI/npm, not from CocoaPods.

Not sure if users or us can try to argue with Apple and say that Cordova is being used as a Library and not as a Framework so they remove the requirement.

[dpogue]

So are we sure the merged change will be enough when the Cordova's manifest doesn't seem to be part of the resulting user app?

Since the CordovaLib privacy manifest is essentially an empty set of declarations (since CordovaLib doesn't use any impacted APIs), I'm not sure that it actually matters as long as the app has a manifest that covers the same declarations.

Or will we need to switch to using a Cordova.framework as breautek commented?

I tried this locally, and Xcode complained that the framework wasn't signed. It's probably not too hard (in Xcode) to set it up to sign locally and do a test, but trying to set up the framework project to use the same codesigning settings as the app via the CLI is probably going to be a pain.

I also, for what it's worth, tried pulling in CordovaLib as a Swift package, and the results are also weird there. It does include a bundle resource with the Privacy Manifest, but Xcode doesn't seem to pick that up when assembling the combined manifest, and a few people on the Apple forums have noted the same issue.

[breautek]

Or will we need to switch to using a Cordova.framework as breautek commented?

I think the main strength of using Cordova.framework is that the privacy manifest file can be managed independently of the app's privacy manifest. But realistically I don't ever foresee us having to add a privacy entry for the framework code, so the privacy manifest will effectively just be an empty file. I don't think the core framework will ever use any privacy-sensitive API so I don't really see much value of switching to a .framework.

The con of using the static library approach, if we do have to add a privacy-sensitive API usage in the core framework, then we will need to make sure we can merge the entry into the app's privacy manifest, but I don't think we will ever need to do this, so it's not really a significant con.

[jcesarmobile]

My concern is that Apple has flagged the Cordova "framework" as one of the frameworks that has to provide a manifest, not users using the Cordova "framework", but the Cordova "framework" itself. So, even if it's a blank manifest, the Cordova "framework" should provide it. I've seen other frameworks on that list to provide an empty manifest, but provide it anyway.

Maybe we can tell the person from Apple who offered to help us if we had problems with the manifest, that CordovaLib is not distributed as a framework and that it doesn't use any privacy-sensitive API and ask them to remove Cordova from the list of frameworks that are required to ship a manifest. But I doubt they will do that.

[breautek]

I believe Cordova was flagged because if anybody is using the framework version of Cordova, (which the Cordova project does have, just isn't used by the CLI afaik) then it needs to provide a manifest, even if it's just an empty one, as you stated as others have done.

So in otherwords if we keep the CordovaLib framework target it should bundle a privacy manifest. That manifest can be an empty manifest since that manifest will be specific to the code within the framework bundle and we don't use any sensitive APIs.

Only swift packages, framework bundles or XCframeworks can have a privacy manifest file according to Apple's Docs, so by extension I don't think our static target needs a manifest file. If I'm wrong... then that might mean Apple is going to start restricting distribution to one of those above methods.

I've browsed the Apple dev forums for any kind of answer with static libraries, and some people are adding relevant manifest entries as part of the app manifest, others are wrapping the static library into a framework... And no one really seems to know what is the proper approach is.

[mnowak-umich]

A newly upload app to test flight is getting flagged with this issue -- is there a resolution?

[breautek]

A newly upload app to test flight is getting flagged with this issue -- is there a resolution?

PR https://github.com/apache/cordova-ios/pull/1406 was landed to allow app developers to declare the privacy manifest entries. It doesn't provide a means for plugin authors to declare what their plugin uses. That will likely come at some later date and it's actively being discussed in our dev mailing lists. #1406 should be a stopgap however.

The PR is not in any stable release at the time of writing. You can try it out by installing nightly, feedback would be appreciated. But I'd recommend keeping an eye on our blog or subscribe to the RSS feed for the stable release announcement.

[RedLightning123]

I just wanted to clarify how we actually make our apps compliant with this new requirement if possible please.

So we don't use any of these apis in our project but they are used in various cordova plugins we have installed.

Do we need to declare how the plugins are using these apis in our apps privacy manifest? Or is it just the third party sdks that need to add their own manifests and we can just use an empty one?

If we do need to update ours how is this done? I noticed PR #1383 which adds the empty file but how do we actually amend this so that it's picked up each build?

[breautek]

I just wanted to clarify how we actually make our apps compliant with this new requirement if possible please.

So we don't use any of these apis in our project but they are used in various cordova plugins we have installed.

Do we need to declare how the plugins are using these apis in our apps privacy manifest? Or is it just the third party sdks that need to add their own manifests and we can just use an empty one?

If we do need to update ours how is this done? I noticed PR #1383 which adds the empty file but how do we actually amend this so that it's picked up each build?

Sorry I linked the wrong PR, the correct PR is https://github.com/apache/cordova-ios/pull/1406

1383 is to add the default empty file for the project, and an empty file for core cordova framework project. #1406 introduces a config.xml API to add entries to the app's privacy manifest. I've updated my original post to link the correct PR.

I don't think the keys are documented anywheres at this time, but if you create a xcode app project and add a Privacy Manifest item to it, you should be able to discover all the valid key entries. Not on a mac right now, but if needed I can provide more detailed steps / screenshots.

Note that it's Apple's intention for framework/library authors to provide their own manifest entry so that they can declare if they use any privacy sensitive APIs. Cordova Plugins aren't frameworks, they are just loose source code that gets added to the app project, which kind of puts the responsibility on the app developer to add those entries, if those plugins uses any sensitive APIs, from Apple's perspective. At this point of time, there isn't a way for plugin authors to declare their own privacy entries, so if you wanted to be compliant today, you may have to do some code analysis of all your used plugins. This is something we obviously want to improve on.

[RedLightning123]

Thank you that helps clear up how we actually declare our manifest file.

So essentially review all the plugins to identify which of them use these apis and why, then declare all of this in the new privacy manifest node of the config.xml file?

[breautek]

So essentially review all the plugins to identify which of them use these apis and why, then declare all of this in the new privacy manifest node of the config.xml file?

In my understanding, yes I think you got it.

[mnowak-umich]

Is this new PR going to get rolled into a release or do I need to apply this myself -- apologies if this is a dumb question.

[breautek]

Is this new PR going to get rolled into a release or do I need to apply this myself -- apologies if this is a dumb question.

No such thing as a dumb question. The 2 mentioned PRs is merged so it will be included in the next release, but I can't reliably say when that will be done due to the volunteer nature of Apache Cordova. Currently this can be tested by using @nightly, or installing from directly from git using the https git clone url.

[FranGhe]

First of all.. thanks to all for your hard work.

Just today I published my app update and I have had the same notice from Apple about:

NSPrivacyAccessedAPITypes -> NSPrivacyAccessedAPICategoryUserDefaults
NSPrivacyAccessedAPITypes -> NSPrivacyAccessedAPICategoryFileTimestamp
NSPrivacyAccessedAPITypes -> NSPrivacyAccessedAPICategoryDiskSpace

Reading many posts #1391 #1383 #1406 I think to have understand that the trouble is around to the installed plugin and it will be fixed with next release (7.1.0).

There will be in config.xml a setting like this:

<platform name="ios">
    <privacy-manifest>
        <key>NSPrivacyTracking</key>
            <false/>

        <key>NSPrivacyTrackingDomains</key>
            <array/>

        <key>NSPrivacyCollectedDataTypes</key>
            <array/>

        <key>NSPrivacyAccessedAPITypes</key>
            <array>
              <dict>
                  <key>NSPrivacyAccessedAPIType</key>
                  <string>NSPrivacyAccessedAPICategoryFileTimestamp</string>
                  <key>NSPrivacyAccessedAPITypeReasons</key>
                  <array>
                      <string>C617.1</string>
                  </array>
              </dict>

              <dict>
                  <key>NSPrivacyAccessedAPIType</key>
                  <string>NSPrivacyAccessedAPICategoryUserDefaults</string>
                  <key>NSPrivacyAccessedAPITypeReasons</key>
                  <array>
                      <string>CA92.1</string>
                  </array>
              </dict>

              <dict>
                  <key>NSPrivacyAccessedAPIType</key>
                  <string>NSPrivacyAccessedAPICategoryDiskSpace</string>
                  <key>NSPrivacyAccessedAPITypeReasons</key>
                  <array>
                      <string>E174.1</string>
                  </array>
              </dict>
            </array>
    </privacy-manifest>
</platform>

Than, after cordova build there will be an PrivacyInfo.xcprivacy

Is it all correct?... or I'll have to do something else?

References: https://stackoverflow.com/questions/78163859/itms-91053-missing-api-declaration-privacy https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api

[Scooby27]

I tested @FranGhe's example with config.xml with the nightly build and it was accepted by App Store Connect without warnings, thank you all! Will wait for the 7.1.0 release

[alexp25]

So once I have a list of the required declarations from the App Store report (NSPrivacyAccessedAPICategoryFileTimestamp, NSPrivacyAccessedAPICategoryUserDefaults, etc.), I would just have to update the cordova-ios to the 7.1.0 version (or currently the nightly build) and then declare these in config.xml as @FranGhe and @Scooby27 suggested?

[FranGhe]

I'll wait for the stable version... I don't have any updates to make on my app at the moment. In any case you must give your right permissions to:

• NSPrivacyAccessedAPICategoryFileTimestamp
• NSPrivacyAccessedAPICategoryUserDefaults
• etc...

following here so as not to have problems with Apple, because I don't know what your App does.

That ones that I wrore (C617.1 | CA92.1 | E174.1) it's just for example

[jcesarmobile]

cordova-ios 7.1.0 was released a few hours ago

[mnowak-umich]

That's great news -- is there a blog post or updated documentation to show us what to do exactly?

[jcesarmobile]

https://cordova.apache.org/announcements/2024/04/03/cordova-ios-7.1.0.html

[muneer-khan]

Are there any plans to release a 6.x version with support for node v10 and including the privacy Manifest? I'm currently using cordova-ios 6.3 version and have some limitations upgrading to v7.

[breautek]

Are there any plans to release a 6.x version with support for node v10 and including the privacy Manifest? I'm currently using cordova-ios 6.3 version and have some limitations upgrading to v7.

No. Node v10 also has been out of LTS for a significant amount of time now.

You can try forking cordova-ios and cherry-picking https://github.com/apache/cordova-ios/pull/1383 and https://github.com/apache/cordova-ios/pull/1406 but I'm not sure if they are any dependencies on other changes so mileage may vary.

[kunalSBasic]

I have updated my cordova-ios to 7.1.0 and also added the manifest code in config.xml with all the required reasons. Though when i run the command ionic cordova prepare ios and then open the xcworkspace file in xCode and under the CordovaLib folder check the privacy manifest file it does not have the updates that I made using config file, it is still the template file that cordova is providing by default. How can i fix that?

Here's my manifest code from config file:

<privacy-manifest>
            <key>NSPrivacyTracking</key>
            <false/>

            <key>NSPrivacyTrackingDomains</key>
            <array/>

            <key>NSPrivacyCollectedDataTypes</key>
            <array/>

            <key>NSPrivacyAccessedAPITypes</key>
            <array>
                <dict>
                    <key>NSPrivacyAccessedAPIType</key>
                    <string>NSPrivacyAccessedAPICategoryFileTimestamp</string>
                    <key>NSPrivacyAccessedAPITypeReasons</key>
                    <array>
                        <string>0A2A.1</string>
                    </array>
                </dict>
                <dict>
                    <key>NSPrivacyAccessedAPIType</key>
                    <string>NSPrivacyAccessedAPICategoryDiskSpace</string>
                    <key>NSPrivacyAccessedAPITypeReasons</key>
                    <array>
                        <string>E174.1</string>
                    </array>
                </dict>
                <dict>
                    <key>NSPrivacyAccessedAPIType</key>
                    <string>NSPrivacyAccessedAPICategoryUserDefaults</string>
                    <key>NSPrivacyAccessedAPITypeReasons</key>
                    <array>
                        <string>C56D.1</string>
                    </array>
                </dict>
            </array>
        </privacy-manifest>

[ion-dev]

I have exactly the same as @kunalSBasic but only with NSPrivacyAccessedAPITypes listed in config.xml. I also see nothing in xCode:

[ion-dev]

Ah I found it. @kunalSBasic we were looking in the wrong place... the privacy file is found in the project folder below "CordovaLib", here:

I still need to test this in the real world!

[kunalSBasic]

Ah I found it. @kunalSBasic we were looking in the wrong place... the privacy file is found in the project folder below "CordovaLib", here:

I still need to test this in the real world!

Oh yes got it!! It's inside the folder name of my app name, it includes all the key/values that i mentioned in the config. Still gotta test it out if it is accepted by app store or not. Do update here if yours is accepted by the store.

[breautek]

I have exactly the same as @kunalSBasic but only with NSPrivacyAccessedAPITypes listed in config.xml. I also see nothing in xCode:

For context, the one inside CordovaLib is the declaration file for the Cordova framework which essentially consists of a view controller for the webview and plugin management code. Itself doesn't really use much hence why it's empty. Other plugins may import bundles which may include additional privacy manifest files.

The other one is within the application project, e.g. your application and it declares what your app uses or collects and for what reasons.

I've done a test upload with one of my apps and didn't receive any kind of warning message, but I wasn't sure what to expect.

[vtellez]

Hello,

Has Apple already approved any of your APPs sent for review with these new specifications in your config.xml?

[Waadd114]

For inexplicable reasons, I have apps that have the warning message and some of them don't. The compilation environment is the same. And I check the file privacyInfo and it is correctly generated from config.xml. I don't know where it came from.

Do you have any ideas?

[vtellez]

Today, we uploaded an APP including the new directives in the config.xml and we did not receive any warning from Apple when processing the binary.

The APP has been reviewed and approved without problems, so it seems that the new situation would be resolved

Thank you very much to everyone for your help.

[kunalSBasic]

Today, we uploaded an APP including the new directives in the config.xml and we did not receive any warning from Apple when processing the binary.

The APP has been reviewed and approved without problems, so it seems that the new situation would be resolved

Thank you very much to everyone for your help.

Yes even we uploaded our App and it was accepted without any issues.

[ion-dev]

I uploaded today and received this message from Apple:

ITMS-91056: Invalid privacy manifest - The PrivacyInfo.xcprivacy file from the following path is invalid: “PrivacyInfo.xcprivacy”. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, keys and values in your app’s privacy manifest must be in a valid format. For more details about privacy manifest files, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files.

Any ideas where I'm going wrong?

[ion-dev]

I uploaded today and received this message from Apple:

ITMS-91056: Invalid privacy manifest - The PrivacyInfo.xcprivacy file from the following path is invalid: “PrivacyInfo.xcprivacy”. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, keys and values in your app’s privacy manifest must be in a valid format. For more details about privacy manifest files, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files.

Any ideas where I'm going wrong?

Ah maybe because of the typo: "NSPrivacyAccessedAPITypes" - I think this should be "NSPrivacyAccessedAPIType"!

[breautek]

I think you're privacy manifest is malformed.

You have NSPrivacyAcceessedAPITypes key repeated, that key is to declare the array

The array dicts should have a key NSPrivacyAcceessedAPIType followed by the string node.

Ah maybe because of the typo: "NSPrivacyAccessedAPITypes" - I think this should be "NSPrivacyAccessedAPIType"!

Yup you got it! lol

[barettjfed]

I am also coming across the ITMS-91056: Invalid privacy manifest - The PrivacyInfo.xcprivacy file from the following path is invalid: “PrivacyInfo.xcprivacy” issue. Before updating the config.xml I was getting the ITMS-91053: Missing API declaration. Per documentation I tested using just

<privacy-manifest>
      <key>NSPrivacyTracking</key>
      <true/>
      <key>NSPrivacyCollectedDataTypes</key>
      <array/>
      <key>NSPrivacyAccessedAPITypes</key>
      <array/>
      <key>NSPrivacyTrackingDomains</key>
      <array/>
  </privacy-manifest>

Is it expected that just these changes would have the malformed error? Thanks

[breautek]

Is it expected that just these changes would have the malformed error?

It doesn't make sense to declare that you're tracking without declaring what data you're collecting for tracking. You'll probably also need at least 1 domain in the NSPrivacyTrackingDomains list, as well as at least one NSPrivacyCollectedDataTypes entry.

You might also want to review https://developer.apple.com/app-store/app-privacy-details/ to see if your handling of data is considered collecting & tracking. If the data stays on the device, or even if it's moved off device but isn't stored on your server, it's not considered collected data.

If you're collecting data but it isn't used for tracking the user, then NSPrivacyTracking should be false.

[barettjfed]

@breautek Thanks for the response. I updated my config.xml to include this

<privacy-manifest>
      <key>NSPrivacyTracking</key>
      <false/>
      <key>NSPrivacyCollectedDataTypes</key>
      <array/>
      <key>NSPrivacyAccessedAPITypes</key>
      <array>
        <dict>
          <key>NSPrivacyAccessedAPIType</key>
          <string>NSPrivacyAccessedAPICategoryUserDefaults</string>
          <key>NSPrivacyAccessedAPITypeReasons</key>
          <array>
            <string>CA92.1</string>
          </array>
        </dict>
      </array>
      <key>NSPrivacyTrackingDomains</key>
      <array/>
</privacy-manifest>

And I still received the ITMS-91056: Invalid privacy manifest error. Any ideas?

[breautek]

And I still received the ITMS-91056: Invalid privacy manifest error. Any ideas?

Your manifest looks right to me.

So few things to double check:

1. Cordova-ios@7.1.0 or later is required, that's the version that introduces privacy management for the app.
2. You can double check the PrivacyInfo.xcprivacy file in the native project to ensure it looks right there.
3. You can scan for other PrivacyInfo.xcprivacy files. Each framework/SDK that you import should be providing their own manifest file. Maybe a privacy manifest being imported from an SDK is malformed.

When doing your scan, you'll should find at least 2 PrivacyInfo.xcprivacy files: one that belongs to CordovaLib, which is the privacy manifest for the cordova core framework itself. It does not collect or use any priviledged APIs that requires declaration so the privacy file is essentially empty, declaring it does no tracking, or collects any APIs.

The second privacy manifest file would be your application manifest file, that is managed by the privacy-manifest tag as you have declared. You'll find this at platforms/ios/<Your App Name>/PrivacyInfo.xcprivacy

It won't be formatted, but you can copy it into any XML formatter to get it pretty-formatted. Your contents should be within:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<!-- contents of your privacy-manifest in here -->
</plist>

If you see your contents it there successfully, then I'll start to think it's a third-party SDK. They will have their own PrivacyInfo.xcprivacy files bundled in their .framework, .xcprivacyor sometimes inside a.bundle` files, which are just folders that can expanded and browsed. If it's an issue with a third-party SDK, then it would be on them to address it.

If only Apple actually provided us details instead of saying "something is wrong, go guess what it is".

You could also try authoring the privacy manifest inside XCode using their plist editor (an UI that imo is not very intuitive) and then compare/copy the resulting xcprivacy contents into your privacy-manifest, just in case there is a dumb typo somewhere that neither of us is seeing.

[barettjfed]

Thanks for the response! My issue has been resolved, but I cannot completely understand why. Curious if you would have any additional knowledge to explain it. We started with the issue:

ITMS-91053: Missing API declaration - Disk Space ITMS-91053: Missing API declaration - Timestamp ITMS-91053: Missing API declaration - User Defaults

We then updated to cordova-ios 7.1.0 and attempted to change the config.xml to include the <privacy-manifest>. Any changes that we made to that it would cause this issue:

ITMS-91056: Invalid privacy manifest

Then after many other attempts I removed the <privacy-manifest> tag from the config and did not receive a warning. So I think the only necessary change was updating cordova-ios to 7.1.0. Does that make sense?

[breautek]

Not sure. cordova will only look for <privacy-manifest> and create the app PrivacyManifest.xcprivacy starting in 7.1.0. Older versions will probably just simply ignore the directive.

On 7.1.0, If you don't have a <privacy-manifest> declared, it will just create an empty manifest file.

Plugins typically import .bundle resource for their own privacy manifest, this would work with any cordova-ios version. If the plugin imports a pod or framework, then the framework should have a manifest bundled inside their own framework as a resource asset.

[remoorejr]

Running some tests today and found that the Archive Privacy Report does NOT include any info on the API Types Accessed. I was trying to confirm that the privacy manifest generated when the app is built contained the additional privacy manifests included with the new file and device plugins.

The report does include entries for Privacy Nutrition Labels. That was the the way I could confirm that the PrivacyInfo.xcprivacy file that I created and that the privacy manifest files from the file and device plugins were being used. Seems odd that this is missing from the Archive Privacy Report.

Am I missing something here?

[erisu]

@remoorejr I believe the generated report will only display collected data, not API reasons.

From Apple Developer docs: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_data_use_in_privacy_manifests

App developers can use Xcode to create a privacy report, summarizing the information about collected data in their app and the third-party SDKs the app links to.

This page is specific to "collected data" and it states its in the generated report.

The page concerning the definition of API reasons (https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api) does not explicitly mention their inclusion in the report.

[ion-dev]

Ah maybe because of the typo: "NSPrivacyAccessedAPITypes" - I think this should be "NSPrivacyAccessedAPIType"!

I can confirm that my last iOS release was accepted without any warnings using my config I posted but with the fixes quoted above.

https://github.com/apache/cordova-ios/issues/1391#issuecomment-2082625352