Apple for years has made user privacy a focus for its App Store with rules around data collection, plus requirements around app labeling, anti-tracking measures, and the more private “Sign in with Apple” option. Now, Apple will begin to require that developers explain why they need access to select data, under some circumstances, with a new policy designed to crack down on the misuse of APIs.
APIs, or Application Programming Interfaces, are used by developers to extract and exchange data. In the context of the new App Store rule, Apple explains that some APIs can be missed by developers to collect data about users’ devices through “fingerprinting.” That means the APIs are being used to access certain device signals for the purpose of identifying the device or the user. Apple doesn’t allow fingerprinting, even if the user has given the app permission to track them.
As The New York Times reported in 2019, the use of this largely invisible method of user and device tracking was on the rise in the ad industry in response to the increased privacy protections companies like Apple and others, such as Mozilla, had implemented over the years. Those changes made it more difficult for advertisers to use more traditional tracking methods, like cookies or pixels embedded in social media buttons, for instance, the report explained. And with the launch of Apple’s App Tracking Transparency in 2021, the use of fingerprinting was prohibited, but without additional measures to fully police it.
That is starting to change with the new app developer requirement.
Now, when developers want to access certain APIs they will need to provide a reason. Apple explains developers will need to select from one or more of the “approved reasons” that explain how their app will use the API, and then the app can only use the API for those stated purposes. Among the APIs impacted are those around file timestamps, disk space, system boot time, active keyboard, and user defaults.
The requirement will go into effect in fall 2023, Apple says. Developers who upload an app or an app update to the App Store after that point without providing a reason for their use of the API will be informed they need to add the approved reason to their app’s privacy manifest before resubmitting. This also extends to third-party SDKs (software development kits) their app is using.
Then, in spring 2024, apps and app updates that don’t include a reason will be rejected.
Apple says if the app needs to use an API for a different reason the developer believes should be approved, they should reach out.
In conversations on Hacker News, a site frequented by developers, there were concerns expressed over the requirement to provide a reason for UserDefaults, a basic and regularly-used API. But others pushed back on this, noting that it’s not a crackdown on legitimate use, it’s merely a requirement to provide a stated reason.
While new rules always come with the threat of increased App Store rejections, a troubling subject for app developers, Apple in this instance is giving developers several months of lead time to make the necessary changes by starting with warnings that explain what needs to be done.