Apple Lists APIs That Developers Can Only Use for Good Reason

To boost user privacy, Apple is requiring app developers to declare a reason to use specific APIs.

In an effort to boost user privacy by preventing unwanted data collection, Apple is requiring application developers to declare the reason for using specific APIs.

Initially announced at its developer conference last month, the initiative targets a small set of APIs that, Apple says, “can be misused to collect data about users’ devices through fingerprinting”, which is prohibited by the company’s developer program.

To prevent misuse, Apple will require developers to include in their application’s privacy manifest the reasons for using such APIs, to ensure that the APIs are used for their intended purpose only.

“Your app or third-party SDK must declare one or more approved reasons that accurately reflect your use of each of these APIs and the data derived from their use. You may use these APIs and the data derived from their use for the declared reasons only,” Apple explains.

The application’s functionality, the tech giant explains, must reflect the declared reason and app developers are prohibited from using the APIs or the derived data for tracking users.

The APIs covered by this policy include those used for accessing file timestamps, the system boot time, the available disk space, the list of active keyboards, and user defaults.

Starting this fall, Apple will notify developers if they submit or update applications that use such an API without providing a reason in the app’s privacy manifest.

Starting in 2024, all new applications and app updates will need to include an approved reason in their privacy manifests to reflect their use of these APIs. The policy, Apple announced, applies to APIs from third-party SDKs as well.

Apple has published both the list of required reason APIs and details on what developers need to do to declare approved reasons for them.

Developers with applications that use required reason APIs “to provide benefits to the people using the app” for reasons not covered are encouraged to contact Apple to submit requests for an approved reason.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
