[Bug]: Invalid Privacy Manifest

[ir-fuel]

Mapbox Navigation SDK version

2.17.0

Steps to reproduce

Submit an app built with MapboxNavigation 2.17.0 to the App Store

Expected behavior

Nothing should be reported by Apple

Actual behavior

Apple reports the following:

ITMS-91056: Invalid privacy manifest

The PrivacyInfo.xcprivacy file from the following path is invalid: “Frameworks/MapboxCommon.framework/PrivacyInfo.xcprivacy”. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, keys and values in your app’s privacy manifest must be in a valid format. For more details about privacy manifest files, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files.

Is this a one-time issue or a repeatable issue?

repeatable

[kried]

Hi @ir-fuel

Thank you for reporting the issue. The version with the fix will be available soon, we expect to have the compatible Maps SDK version this week.

[jkgz]

Hi @kried

Is there still a pending release that includes a privacy manifest update for the Navigation SDK? I updated the Maps SDK to 10.17.0 as mentioned in your linked thread, which fixed the invalid privacy manifest warning, but am still getting a report from Apple:

Your app’s code in the “VAMOS” file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryFileTimestamp. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.

Based on a binary scan, it looks like there are calls to fstat, stat, etc in MapboxNavigationNative.framework which are mentioned in Apple's link as usages of NSPrivacyAccessedAPICategoryFileTimestamp

Thanks for any info!

[azarovalex]

Hello @jkgz.

MapboxNavigationNative.framework is a dynamic library that is not included in your main executable "VAMOS", so if Apple highlights this file it means something else is triggering the warning.
Could you let me know which SDK versions you are using right now and which package manager? I'll try to upload an empty sample with NavSDK to AppStore to check if it triggers a warning.
I already submitted our public Example with v2.17.0/SPM today and I didn't get any emails from AppStore Connect.

[jkgz]

Hi @azarovalex

I apologize if I was misleading in my post about what Apple mentioned in the warning. Apple only mentioned API usage of NSPrivacyAccessedAPICategoryFileTimestamp. I mentioned MapboxNavigation.framework based on a binary scanner others had posted elsewhere to detect API usage in libraries, but I think that was just confusing and incomplete info.

It looks like the issue is resolved for me now. We had a package reference to an old version of MapboxSearch which we are not actually using. When I removed that package, I saw the binary scanner no longer included fstat and stat as associated with my binary, and on submit to AppStore Connect, it looks like nothing is flagged. Thanks for your attention.

[azarovalex]

@jkgz good to hear your problem is resolved!

Full disclosure: MapboxNavigationNative.framework does use these API, so the scanner you mentioned indeed works, but fortunately for us Apple doesn't enforce privacy manifests for all 3rd party libraries, there is only a small list of them.
I'm going to close the issue based on the fact that the NavSDK sample I submitted didn't trigger any warnings. We'll update MapboxNavigationNative.framework with the manifest in future releases, and every other dynamic framework we ship like MapboxCommon.framework or MapboxCoreMaps.framework already include manifests.