Apple has long prioritized user privacy within its App Store, enforcing stringent regulations on data collection, app labeling, anti-tracking measures, and the “Sign in with Apple” feature. Now, the company is taking further steps to curb API misuse by requiring developers to justify their access to specific data under certain conditions.
Application Programming Interfaces (APIs) serve as a means for developers to extract and exchange data. In the context of the new App Store policy, Apple addresses the potential abuse of APIs for “fingerprinting,” a method that involves accessing device signals to identify users or devices. Regardless of user permission to track, Apple prohibits fingerprinting.
As reported by The New York Times in 2019, the ad industry turned to this largely inconspicuous user and device tracking technique due to the enhanced privacy protections adopted by companies like Apple and Mozilla. With Apple’s introduction of App Tracking Transparency in 2021, fingerprinting was banned, but the lack of comprehensive policing left room for potential violations.
The new requirement for app developers aims to rectify this situation. Moving forward, developers seeking access to certain APIs must provide a reason for doing so. Apple outlines a selection of “approved reasons” that specify the app’s API usage, restricting its use solely to those stated purposes. Among the affected APIs are those related to file timestamps, disk space, system boot time, active keyboard, and user defaults.
This policy change is slated to take effect in fall 2023. After that point, developers who upload new apps or app updates without providing a reason for API usage will be prompted to add the approved reason to their app’s privacy manifest before resubmitting. Third-party SDKs integrated into their apps must also comply.
In spring 2024, apps and app updates lacking a stated reason for API usage will face rejection. However, Apple encourages developers to reach out if their app requires an API for a reason they believe should be approved.
While this requirement has raised concerns among developers, particularly with regards to the basic and commonly used API, UserDefaults, others view it as a necessary step, not a crackdown on legitimate use.
Apple is providing developers with ample lead time to make the necessary adjustments, starting with warnings that clearly explain the required changes. By implementing these measures, Apple aims to uphold its commitment to user privacy while ensuring a more transparent and accountable app development process.