In a bold move to strengthen user privacy, Apple Inc. has revealed that it will compel developers to outline their reasons for utilizing specific APIs in their applications. This policy comes into effect with the imminent release of iOS 17, iPadOS 17, macOS Sonoma, tvOS 17, and watchOS 10, aiming to hinder the exploitation of these APIs for unauthorized data collection.
Apple, in an official statement, declared, “The initiative is designed to guarantee that applications use these APIs solely for their original intent. Developers must henceforth indicate one or more legitimate reasons that accurately denote the usage of the API in their application. Furthermore, applications are strictly limited to employ the API for the specified reasons.”
This mandate applies to a range of APIs, including file timestamp APIs, system boot time APIs, disk space APIs, active keyboard APIs, and user defaults APIs. Apple’s intent behind this policy is to prevent these APIs from being misused by developers to collect device signals for ‘fingerprinting.’ Fingerprinting allows users to be uniquely identified across various applications and websites, and is often misused for purposes such as targeted advertising.
The policy will be enforced starting Fall 2023 and extends to visionOS. Developers submitting new apps or app updates will have to declare the reasons for using these “required reason APIs” in their application’s privacy manifest. From Spring 2024 onward, applications that fail to document their API use in their privacy manifest file will face rejection.
Apple, in its developer documentation, states unequivocally, “Irrespective of whether a user provides your app with tracking permission, fingerprinting is strictly forbidden. Your application or third-party SDK must clearly articulate one or more approved reasons that accurately reflect your usage of each of these APIs and the data derived from their usage.”
Developers may only use these APIs and the resulting data for the declared reasons, which must be consistent with the application’s functionality presented to users. The use of APIs or derived data for tracking is strictly prohibited.