Give your simulator superpowers

RocketSim: An Essential Developer Tool
as recommended by Apple

Win a copy of The macOS App Icon Book with thisfree giveaway

Solve Missing API declaration using required reason (ITMS-91053)

Apps submitted to the App Store must define API declarations using the required reasons. Apps that don’t will be rejected until they do. This requirement counts for APIs declared in your app’s code and third-party libraries. For the latter, you might be dependent on the library maintainers.

While Apple provides rich documentation, it’s hard to understand what you must do. Therefore, I decided to simplify the process and added a frequently asked questions section to help you.

What is an API declaration?

An API declaration describes the reasons for an app to use specific APIs. There are several NSPrivacyAccessedAPITypes: APIs that access privacy-sensitive data. Each APIs requires a matching reason inside a so-called privacy manifest file.

What does ITMS-91053: Missing API declaration mean?

ITMS stands for (Integrated Task Management Systems), and number 91053 refers to a missing API declaration. Simply said, your app or 3rd party libraries make use of a privacy accessed API without declaring the reason for doing so.

You’ve likely received a rejection email containing something similar to:

ITMS-91053: Missing API declaration – Your app’s code in the “App Name” file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryUserDefaults. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code.

This email contains important information to continue fixing this issue, as it describes the API categories that miss the required reasons. In this example, we haven’t added reasoning for the NSPrivacyAccessedAPICategoryUserDefaults category. In other words, our app is accessing user default values but doesn’t describe why.

Stay updated with the latest in Swift & SwiftUI

The 2nd largest newsletter in the Apple development community with 19,234 developers. Don't miss out – Join today:

You can always unsubscribe, no hard feelings.

How to create an app privacy manifest file with required reasons?

Once you’ve discovered which categories are missing the required reasons, you can add them to your privacy manifest file using API declarations. If you don’t have one, you must start by creating a privacy manifest file.

1. Creating a privacy manifest file

To add the privacy manifest to your app or third-party SDK in Xcode, follow these steps:

Start by creating an App Privacy manifest file to store required reasons API declaration.
Start by creating an App Privacy manifest file to store the required reasons for API declaration.
  • Choose File → New File
  • Filter on “privacy” and select the App Privacy file type
  • Click Next
  • Check your app or third-party SDK’s target in the Targets list
  • Click Create

A new PrivacyInfo.xcprivacy file will be created in which you can add the required reasons. Note that you must use this file name for bundled privacy manifests (e.g., inside frameworks).

2. Find out the required reasons to add

The next step is to determine the reasons you need to add to your privacy manifest file for each API declaration. Our rejection email told us to add reasons for using NSPrivacyAccessedAPICategoryUserDefaults. We can navigate to Apple’s documentation and search for this specific key:

Search for the given category (e.g. NSPrivacyAccessedAPICategoryUserDefaults) inside Apple's documentation.
Search for the given category (e.g., NSPrivacyAccessedAPICategoryUserDefaults) inside Apple’s documentation.

On this page, you’ll find relevant values defined inside a list. For my Stock Analyzer app, I’m only reading and writing values from my App Group. The 1C8F.1 reason matches this perfectly:

Declare this reason to access user defaults to read and write information that is only accessible to the apps, app extensions, and App Clips that are members of the same App Group as the app itself.

I now know that I need to add the 1C8F.1 reason for the NSPrivacyAccessedAPICategoryUserDefaults category.

3. Adding the required reason to your privacy manifest file

After finding out the exact reasons, it’s time to add them as an API declaration entry in your PrivacyInfo.xcprivacy file.

  1. Add an Privacy Accessed API Types array
  2. Create a new item and set the key to match your category (e.g., NSPrivacyAccessedAPICategoryUserDefaults)
    Note: NSPrivacyAccessedAPICategoryUserDefaults is a raw key and will be replaced by a readable string “User Defaults”
  3. Add an Privacy Accessed API Reasons array and add all the reasons your app requires. Note that you can add multiple reasons if needed

I recommend pasting the raw keys inside the fields to simplify the process. You’ll notice these values will be replaced by readable strings matching the given category or reason. I’ve demonstrated this process in the following video:

FAQ

When must we add the reasoning API to our privacy manifest file?

Starting May 1, 2024, App Store Connect will not accept apps that don’t describe their use of the required reason API in their privacy manifest file. A list of all APIs that require reasoning can be found here.

Do we need to do it for all platforms, including macOS?

You need to describe the reasons for your app or third-party SDK only on iOS, iPadOS, tvOS, visionOS, and watchOS. As of now, an API declaration is not required for macOS.

What if a third-party library uses an API that requires reasons?

Third-party libraries are required to define the required reasons inside a PrivacyInfo.xcprivacy file. It’s essential for them to use this specific file name, as the required reasons would otherwise not be detected by Apple. An example pull request can be found in WeTransfer’s Diagnostics framework.

Can I rely on my app’s privacy manifest file to add reasoning for third-party libraries myself?

Your app’s privacy manifest file will not apply to any third-party libraries. Each library that uses required reasoning APIs will have to define a privacy manifest file in the bundle that includes the executable or dynamic library. See Placing content in a bundle for the expected location of frameworks and dynamic libraries.

Do I need to create a privacy manifest file for each app extension?

You can reuse the same privacy manifest file only if the reasons match exactly. Your main app will likely use more APIs that require reasoning, in which case creating a privacy manifest file per individual target is recommended.

Conclusion

Apple requires us to define reasoning for using APIs that access privacy sensitive data. Our app will get rejected if we don’t, followed by an email describing the categories for which you’ll need to define reasoning. Any third-party libraries using similar APIs must declare a privacy manifest file inside their bundle.

If you like to improve your Xcode knowledge, even more, check out the Xcode category page. Feel free to contact me or tweet me on Twitter if you have any additional tips or feedback.

Thanks!