Apple has announced plans to require developers to submit reasons for using certain APIs in their apps, starting later this year with the release of iOS 17, iPadOS 17, macOS Sonoma, tvOS 17, and watchOS 10. The aim is to prevent the APIs from being abused for data collection.
“This will help ensure that apps only use these APIs for their intended purpose,” the company said in a statement. “As part of this process, you’ll need to select one or more approved reasons that accurately reflect how your app uses the API, and your app can only use the API for the reasons you’ve selected.”
The APIs that require reasons for use fall into the following categories:
- File timestamp APIs
- System boot time APIs
- Disk space APIs
- Active keyboard APIs
- User defaults APIs
The iPhone maker said it’s making the move to ensure that such APIs are not abused by app developers to collect device signals to carry out fingerprinting, which could be employed to uniquely identify users across different apps and websites for other purposes such as targeted advertising.
The policy enforcement, which goes live in Fall 2023 and also extends to visionOS, will require developers submitting new apps or app updates to declare the reasons for using these “required reason APIs” in their app’s privacy manifest. Starting Spring 2024, apps that don’t describe their use of the APIs in their privacy manifest file will be rejected.
“Regardless of whether a user gives your app permission to track, fingerprinting is not allowed,” Apple explicitly cautions in its developer documentation. “Your app or third-party SDK must declare one or more approved reasons that accurately reflect your use of each of these APIs and the data derived from their use.”
“You may use these APIs and the data derived from their use for the declared reasons only. These declared reasons must be consistent with your app’s functionality as presented to users, and you may not use the APIs or derived data for tracking.”
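A pre-submission check for the declaration requirement described above, as an added example that is not Apple's tooling or code from the original article. It assumes the key names of Apple's privacy manifest property list (`NSPrivacyAccessedAPITypes` and related keys, which this page does not list), a constructed sample manifest with a sample reason code, and a hypothetical `categories_used` input produced by your own code review or static scan.

```python
import plistlib

# The five categories listed in the article, under the key names used in
# Apple's privacy manifest format (the names are not given on this page).
CATEGORIES = {
    "NSPrivacyAccessedAPICategoryFileTimestamp": "File timestamp APIs",
    "NSPrivacyAccessedAPICategorySystemBootTime": "System boot time APIs",
    "NSPrivacyAccessedAPICategoryDiskSpace": "Disk space APIs",
    "NSPrivacyAccessedAPICategoryActiveKeyboards": "Active keyboard APIs",
    "NSPrivacyAccessedAPICategoryUserDefaults": "User defaults APIs",
}

# Constructed sample manifest: one complete declaration, one with no reasons.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSPrivacyAccessedAPITypes</key>
  <array>
    <dict>
      <key>NSPrivacyAccessedAPIType</key><string>NSPrivacyAccessedAPICategoryUserDefaults</string>
      <key>NSPrivacyAccessedAPITypeReasons</key><array><string>CA92.1</string></array>
    </dict>
    <dict>
      <key>NSPrivacyAccessedAPIType</key><string>NSPrivacyAccessedAPICategoryFileTimestamp</string>
      <key>NSPrivacyAccessedAPITypeReasons</key><array/>
    </dict>
  </array>
</dict></plist>"""

def audit_manifest(manifest_bytes, categories_used):
    """Return (category, problem) pairs for gaps between usage and declarations."""
    manifest = plistlib.loads(manifest_bytes)
    declared = {}
    for entry in manifest.get("NSPrivacyAccessedAPITypes", []):
        cat = entry.get("NSPrivacyAccessedAPIType", "<missing type>")
        declared.setdefault(cat, []).extend(entry.get("NSPrivacyAccessedAPITypeReasons", []))
    findings = []
    for cat in sorted(categories_used):
        if cat not in declared:
            findings.append((CATEGORIES.get(cat, cat), "not declared"))
        elif not declared[cat]:
            findings.append((CATEGORIES.get(cat, cat), "declared without a reason"))
    for cat in sorted(set(declared) - set(categories_used)):
        findings.append((CATEGORIES.get(cat, cat), "declared but not used"))
    return findings

if __name__ == "__main__":
    used = {k for k in CATEGORIES if k.endswith(("UserDefaults", "FileTimestamp", "DiskSpace"))}
    print(audit_manifest(SAMPLE_MANIFEST, used))
```

Run it against each third-party SDK's manifest as well as the app's own, since the quoted policy applies to both.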