Decoding Apple's Privacy Manifest

Apple introduced Privacy Nutrition Labels in 2022 to provide users with greater control over their data and maintain higher privacy standards across the iOS ecosystem. Fast forward to 2024, Apple aims to simplify and automate declaration of privacy practices with the introduction of privacy manifest. Let's understand the details.

What is privacy manifest?

The privacy manifest is a file added into an app's code, detailing the privacy practices of the app and any third-party SDKs it uses. Xcode compiles all these privacy manifest files into a single report. Apple's systems then automatically scan this report to update the app's privacy information visible on the App Store. What makes this beneficial?

1. Automation for app developers: Privacy manifest streamlines the process of gathering and verifying privacy practices of third-party SDKs, consolidating multiple manifest files into a single report for automatic compilation and updates on the App Stores (previously done manually).
2. More transparency: It provides app developers and users with clear insights into third-party data collection and usage, aiding informed decision-making.
3. Potential end to fingerprinting: Privacy manifest can potentially eradicate fingerprinting and probabilistic attribution. App developers and associated SDKs must declare their use of Apple’s APIs, preventing misuse  of APIs for fingerprinting and promoting SKAdNetwork as the primary attribution mechanism for advertisers.

Four key aspects of privacy manifest

1. Data usage: This section outlines the types of data collected, its intended use, whether it’s linked to users, and if it’s utilized for tracking, as per Apple's guidelines. 
2. Reason API: To prevent fingerprinting, the privacy manifest must describe the APIs used and their purposes, ensuring apps only access APIs specified in the manifest.
3. Tracking domain: If data collected is used for user tracking, the privacy manifest must include a tracking domain to prevent unauthorized tracking. iOS 17 will block tracking domains if a user hasn’t granted permission.
4. Signature: SDKs must be digitally signed for authenticity to ensure the legitimacy of the SDK.

InMobi’s stance

InMobi is dedicated to safeguarding user privacy via strict adherence to industrial privacy standards. Please note that not all aspects of privacy manifest apply to the InMobi SDK. The InMobi SDK isn’t listed in Apple's commonly used SDKs that need to include details on data usage, tracking domains, and SDK signature. We're monitoring this closely and will let you know if anything changes. 

However, all app developers must describe their use of the required Reason API in their privacy manifest. Apple published an update that starting March 13, 2024, if an app uses APIs needing approved reasons, app developers will receive an email stating the missing reasons in the privacy manifest. Starting May 1, 2024, they must include the approved reasons for listed APIs in the app's code.

We have released support for privacy manifest on InMobi SDK 10.7.2 detailing InMobi SDK's Reason API usage. We are committed to ensuring that our upcoming SDK releases include support for any additional requirements. We highly recommend adopting the latest SDK versions listed here to ensure optimal performance and compatibility.

For more information, please contact your dedicated Customer Success Manager or email support@inmobi.com.