ReactiveX / RxSwift

Reactive Programming in Swift


Any support/plan of Privacy Manifest?

Angus-chang opened this issue · comments

Following the same topic in the RxSwift official Slack. According to the definition of "third-party SDKs" as mentioned in WWDC23, the new documents: Privacy manifest files | Apple Developer Documentation, and the new announcement from Apple, it seems like RxSwift/RxCocoa/RxRelay require a privacy manifest and signature as well.

I was wondering if the Privacy Manifest update will be introduced in following updates, and whether it is possible for us to know the schedule so that we can plan and manage our app releases more effectively. Deeply appreciated.

Platform/Environment

  • iOS
  • macOS
  • tvOS
  • watchOS
  • playgrounds

Installation method:

  • CocoaPods
  • Carthage
  • Git submodules

Level of RxSwift knowledge:
(this is so we can understand your level of knowledge
and formulate the response in an appropriate manner)

  • just starting
  • I have a small code base
  • I have a significant code base

+1

Agree that this needs to be added, there are still a lot of apps using RxSwift I think.

Definitely something we'll add by the deadline. There's almost a year by then. Thanks!

If one of you who has already looked into this could add it, that would be fantastic. If you have any questions about the library itself. Reach out to me on Slack.

Yeah, actually if anyone wants to open a relevant PR that would help immensely 🙏 thanks!

Here's an example, even though RxSwift doesn't track anything or does any API calls on its own, so there's really no privacy content to describe: https://github.com/BranchMetrics/ios-branch-sdk-spm/blob/main/BranchSDK/PrivacyInfo.xcprivacy

@freak4pc

I simply looked it up, and it seems like 'mach_absolute_time' is used, did I make a mistake?

Might be missing something but what's the privacy concern with mach time ?

Apple Doc

I was just looking up the API list in the Apple document in the RxSwift project.

The way I did it is as follows.

  1. Clone the RxSwift project to my computer
  2. I opened the project using Xcode.
  3. Through a whole-project search, I searched for the APIs one by one.
    (If the above method is wrong, please let me know.)

I checked and found that 'mach_absolute_time' exists in the 'Tests' folder, isn't this a problem??

Not a problem. It just needs a reason for being there.

The RxSwift tests harness uses mach_absolute_time() in order to test performance only; it is not used in the production code and is not sent off device.

@danielt1263

Here's an example, even though RxSwift doesn't track anything or does any API calls on its own, so there's really no privacy content to describe:

Oh, I'm afraid I didn't say it correctly. It's my mistake to say "problem."
(I am not good at English.)

I mean... @freak4pc said 'so there's really no privacy content to describe', shouldn't we write down the description in PrivacyInfo if RxSwift uses 'mach_absolute_time'??

Yes, the description needs to be added to the privacy info. I provided you the description above.

If mach_absolute_time() is the only API that is used in the project, as mentioned by @wlxo0401, I think we just need to declare the use of the API and its purpose in the privacy file, as mentioned by Apple. Then it should work?

For reference, this is a PR of Kingfisher, adding privacy manifest to the project:
onevcat/Kingfisher#2156

I can try to work on this in the 1st week of 2024; if anyone is free to work it out these days, feel free to create a PR.
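An added example (not RxSwift project code) of the check this thread is doing by hand: scan a source tree for required reason API symbols, separate hits under Tests/ from shipped code, and compare the result with a PrivacyInfo.xcprivacy manifest. The symbol table and reason codes are an excerpt of Apple's required reason API list as I know it (verify against the current document); the sample files, paths and manifests are constructed.

```python
# Scan sources for Apple "required reason" API use and compare with a PrivacyInfo.xcprivacy manifest.
import plistlib
import re

# Excerpt of Apple's required reason API table (symbol -> category) and accepted reason codes; verify against Apple's current doc.
SYMBOL_CATEGORY = {
    "mach_absolute_time": "NSPrivacyAccessedAPICategorySystemBootTime",
    "systemUptime": "NSPrivacyAccessedAPICategorySystemBootTime",
    "UserDefaults": "NSPrivacyAccessedAPICategoryUserDefaults",
    "creationDate": "NSPrivacyAccessedAPICategoryFileTimestamp",
}
VALID_REASONS = {
    "NSPrivacyAccessedAPICategorySystemBootTime": {"35F9.1", "8FFB.1", "3D61.1"},
    "NSPrivacyAccessedAPICategoryUserDefaults": {"CA92.1", "1C8F.1", "C56D.1", "AC6B.1"},
    "NSPrivacyAccessedAPICategoryFileTimestamp": {"DDA9.1", "C617.1", "3B52.1", "0A2A.1"},
}
SYMBOL_RE = re.compile(r"\b(" + "|".join(map(re.escape, SYMBOL_CATEGORY)) + r")\b")

def scan_sources(files, test_prefixes=("Tests/",)):
    """files: {path: source}. Returns {category: {"production": [paths], "tests": [paths]}}; test hits never ship."""
    findings = {}
    for path, source in files.items():
        bucket = "tests" if path.startswith(test_prefixes) else "production"
        for match in SYMBOL_RE.finditer(source):
            entry = findings.setdefault(SYMBOL_CATEGORY[match.group(1)], {"production": [], "tests": []})
            if path not in entry[bucket]:
                entry[bucket].append(path)
    return findings

def make_manifest(accessed_api=None):
    """Build PrivacyInfo.xcprivacy bytes from {category: [reason codes]}; no argument = 'nothing to report'."""
    return plistlib.dumps({
        "NSPrivacyTracking": False,
        "NSPrivacyTrackingDomains": [],
        "NSPrivacyCollectedDataTypes": [],
        "NSPrivacyAccessedAPITypes": [
            {"NSPrivacyAccessedAPIType": cat, "NSPrivacyAccessedAPITypeReasons": list(codes)}
            for cat, codes in (accessed_api or {}).items()],
    })

def check_manifest(manifest_bytes, findings):
    """Return a list of problems; an empty list means the manifest matches production usage."""
    manifest = plistlib.loads(manifest_bytes)
    declared, problems = set(), []
    for item in manifest.get("NSPrivacyAccessedAPITypes", []):
        category = item.get("NSPrivacyAccessedAPIType")
        reasons = set(item.get("NSPrivacyAccessedAPITypeReasons", []))
        declared.add(category)
        if not reasons:
            problems.append(f"{category} declared without a reason code")
        for code in sorted(reasons - VALID_REASONS.get(category, set())):
            problems.append(f"{category} lists unknown reason code {code}")
    for category, where in findings.items():
        if where["production"] and category not in declared:
            problems.append(f"{category} used in {where['production']} but not declared")
    return problems

# Constructed sample tree mirroring the thread: the API appears only under Tests/.
SAMPLE_FILES = {
    "Tests/Benchmarks/PerformanceTests.swift": "let start = mach_absolute_time()\n",
    "RxSwift/Observables/Timer.swift": "// no required reason API used here\n",
}

if __name__ == "__main__":
    found = scan_sources(SAMPLE_FILES)
    print(found, check_manifest(make_manifest(), found) or "manifest matches production usage")
```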

@tommyming

Apple specifically mentioned RxSwift, but within the RxSwift ecosystem, there are various related libraries like RxCocoa, RxRelay, RxBlocking, RxTest, and RxSwift-Dynamic, among others.
(And we can only choose what we want.)

The question is whether you should include PrivacyInfo documentation for each of these libraries separately or if a single PrivacyInfo entry is sufficient.

(I used ChatGPT for translation.)

According to Apple's article:
RxCocoa, RxRelay, RxSwift are on the list.

If that's the case, I think adding privacy files to these 3 libraries should do the job?

@tommyming

Thank you so much for your quick response.

I have another question about Privacy Manifest, not Rx content...

  1. If Apple does not mention the library, but there is something to record in 'PrivacyInfo'
  2. If Apple mentions it but there is nothing to record in 'PrivacyInfo'
  3. If Apple doesn't mention it and doesn't have anything to write in "PrivacyInfo"

What happens to each of the above situations?

As far as I know, Privacy Manifest is compulsory for third-party libraries, but when I look at other library communities, I'm confused because some places can't even be mentioned.

May I know the reference from Apple that Privacy Manifest is compulsory for 3rd party libraries?
If that's the case, then many old libraries in CocoaPods may require updates, which may cause a massacre of the whole community.

According to my understanding, only the SDKs mentioned by Apple on the list are compulsory to add privacy manifests. Or else you cannot perform App Submissions.

@tommyming

Apple Doc

From Fall 2023 you’ll receive an email from Apple if you upload an app to App Store Connect that uses required reason API without describing the reason in its privacy manifest file. From Spring 2024, apps that don’t describe their use of required reason API in their privacy manifest file won’t be accepted by App Store Connect.

It is part of the contents of the above document.

The contents that can be included in 'PrivacyInfo' are as follows.
[NSPrivacyTracking, NSPrivacyTrackingDomain, NSPrivacyCollectedDataType, NSPrivacyAccessAPType]

However, in the case of 'NSPrivacyAccessAPType', the document had the above contents.

I understood that all third-party libraries should add a Privacy Manifest if they have a 'Describing use of required reason API'.

Did I get it too differently?

All third-party libraries should add a Privacy Manifest if they have a 'Describing use of required reason API'

Agree on this.

But I think Apple understands that a massacre will be summoned if they enforce all 3rd party libraries need to add Privacy Manifest lol. So that's why they provided a list of must-provide SDKs.

A bit off-topic. I will try to add a privacy manifest to the 3 repositories mentioned by Apple next week.

Please feel free to provide info related to this issue, thanks.

Seems @wlxo0401 has created a PR (as mentioned above), please feel free to take a look.

According to my understanding, only the SDKs mentioned by Apple on the list are compulsory to add privacy manifests. Or else you cannot perform App Submissions.

Actually, all libraries or SDKs which use these functions (Apple Doc) have to add a Privacy Manifest; Apple just mentioned a few of them which are common libraries, so all SDK developers should review their own SDK whether they are mentioned by Apple or not. CMIIW

Agree on this.

But then Apple announced a list (in early December 2023) of libraries/SDKs that need to add PrivacyInfo, or else the app cannot be submitted to the App Store. That's why I used the word compulsory in the statement.

To clarify one thing: I agree that eventually all 3rd party SDKs may need to add the file. I'm just worried about the long-term ongoing progress of the review process.

Thanks for the info @lambda123254! Much appreciated.

I discovered something new while testing.

Until now, most of the libraries that have added PrivacyInfo have not been marked in PrivacyReport.

However, when an item is added to the 'Privacy Nutrition Label Types', the library name is displayed in the PrivacyReport.

Many libraries have updated PrivacyInfo without adding anything from 'Privacy Nutrition Label Types'.

Does anyone know about this? Is 'Privacy Nutrition Label Types' a must-have item?

Or is it not necessary to display it in the privacy report?

Please feel free to leave an opinion.

(I used a translator.)

I guess this is something from HealthKit, where this type of info should be treated properly?

I didn't use HealthKit.

The comment I posted seems to have a translation error, so I corrected it again.😭

May I know wdym by PrivacyReport? Thanks.

The 'PrivacyReport' I'm talking about can be downloaded as a PDF if you archive the app.

https://developer.apple.com/videos/play/wwdc2023/10060/
Please refer to 3:20.

  1. Open your project in Xcode.

  2. Choose Product > Archive. Xcode creates the archive and reveals it in the organizer.

  3. Control-click the archive in the organizer and choose Generate Privacy Report.

Understood, could you provide a sample project which can reproduce this condition? That could help with the investigation.

The privacy report is organized in a similar way to Privacy Nutrition Labels.

I think what you mean is something here:
reference

I am just guessing the privacy labels can only be seen when you upload the app to the app store connect page, and let them help you make the thing.

@tommyming
Um... I'm sorry. I think I asked a question without really understanding 'PrivacyReport' and 'Privacy Nutrition Label Types'. Let me find out again.😥

Huge thanks to @wlxo0401 for putting together #2572, it's very much appreciated 🙏 I've worked with Privacy Manifests a fair bit, and I'd be very surprised if any of the Rx repos were accessing any of the data on this list. There's maybe a tiny chance that they're accessing data in the Identifiers and/or Diagnostics categories, but again, that sounds very unlikely. Anything I might be overlooking @freak4pc @danielt1263?

Folks, I appreciate the research being done in this thread, could someone please shed a light on why RxSwift (or any other Rx* module for that matter) needs a privacy manifest, if mach_absolute_time is only used in tests, i.e. code that's not deployed to users?

Because some automated tool at Apple went over the RxSwift library and flagged its use.

Hi all, is there a timeline for when we can expect this to be completed? According to Apple's documentation: Upcoming third-party SDK requirements, the deadline is spring 2024.
I see there's a PR up: #2572. Is there anything we can do to finish what's left so that it can be merged? Thank you.

+1

Apple just announced the exact timelines for this: warning emails are starting on March 13, and app rejections will start on May 1.

Could one of the project maintainers review and hopefully merge #2572 soon? @danielt1263 Is that something you're able to do?

Not me... As far as I know only @freak4pc can do this.

Hey all,

I commented on the opened PR - the mach_absolute_time API is irrelevant to consumers of this SDK, it's only in our own tests so the privacy manifest shouldn't be relevant here. If it is still required by Apple, it won't have anything to report from a privacy perspective.

See note here:
#2572 (review)

Hi @freak4pc,

I understand your point, but that's irrelevant. Ultimately, Apple has mandated that RxCocoa, RxRelay, and RxSwift all need to include a privacy manifest and signature. They're specifically called out in Upcoming third-party SDK requirements.

It's totally reasonable to include a manifest to declare that they're not using any of the affected APIs or tracking anything. However, they must include such a file regardless. Otherwise, it can be a reason for rejection when the rule comes into effect. It will be really unfortunate if we have to fork the repos just to add this manifest to avoid being rejected by Apple. This is why many of us have been asking for progress.

Thank you.

I'm a bit confused by your response and number of likes. I didn't say we shouldn't add it, I said that the fact they're asking it is based on a mistake, and if we provide it, that manifest should be empty since we have nothing to report. We can continue the discussion in the other thread.

Hello all,
I saw there's a PR in progress, is there any support for code signing?

The way we can check right away is to review apps that have applied 'Privacy Manifest' without any new updates of the app from March 13th.

Through this, we can check Apple's response.

So I'm going to use 'Manually Release' to do a repetitive test in a way that even if I pass the examination, I'm going to cancel it.

If a lot of people's information is gathered, won't we find a sure way within May??

Hey there,
Our own app (monday.com) will be in review in a few days and I can't believe it will be rejected over this. This seems like an entire mistake on Apple's end. For example, AFNetworking is also in that list and it's been in Archived state for a while now.

I've opened a TSI to Apple Engineering and hoping to hear back from them soon, but I'm 99% sure we won't be experiencing any problems since RxSwift (and child libraries) don't use any of the privacy-related APIs outlined in Apple's docs.

Let's examine over the next few days. It isn't difficult adding an empty xcprivacy file but Apple recommends not doing that, and we have nothing to report from the framework's side.

Definitely agree on this. The project that I mainly owned will be in review in a few days also, will update here if the situation really happens, and maybe discuss the workaround here.

Do you recall where Apple recommends not adding an empty one?

SnapKit was also called out but has added an empty one here: https://github.com/SnapKit/SnapKit/blob/develop/Sources/PrivacyInfo.xcprivacy

It would seem that if the SDK is specifically listed on Apple's documentation list then it would need a manifest whether or not it has anything to report, right?