According to Apple, its App Review team reviews more than 100,000 app submissions every week. The team is responsible for approving or rejecting a developer’s request to publish an application on the App Store.
The review process is already strict, and Apple has announced on its Apple Developer website that certain requirements will be tightened. Starting this fall, developers will have to explain why they use certain application programming interfaces (APIs).
APIs under scrutiny to protect against fingerprinting
APIs are software building blocks of an application, but some standard, commonly used APIs can be misused to access a user’s sensitive data.
The App Store will not require developers to explain each API used in their application. Only code that can be misused to “fingerprint” (that is, identify) devices or users must be justified by the developer, for now at least.
Apple designates the APIs that can be used to fingerprint users as “mandatory APIs”. These include file timestamp APIs, system boot time APIs, disk space APIs, active keyboard APIs, and user default APIs.
Fingerprinting occurs when an application’s code or a third-party software development kit (SDK) accesses device signals in order to identify the device or the user. A software development kit is the framework that developers use to create software for a specific platform or operating system.
A gradual rollout for developers
SDKs usually include at least one API. Even if a user authorizes an application to track their activity in that application or in other applications, the App Store prohibits digital fingerprinting.
Therefore, if a third-party application or SDK includes an API that requires justification, Apple will notify developers that the API is present in the application they have submitted. From spring 2024, applications that do not explain their use of a mandatory reason API will be rejected by App Store Connect.
Apple specifies that developers who use the targeted APIs must give one or more acceptable reasons that accurately describe how the data collected from the application is used. In addition, once the application is approved, developers cannot use that data for reasons other than those provided and justified.
More app rejections in the future?
Developers who want to publish an iOS, iPadOS, tvOS, visionOS or watchOS application must ensure that their third-party APIs and SDKs comply with the App Store’s API policy. Officially, this policy is put in place to better protect the privacy of users who download applications from the App Store.
However, some developers have told 9to5Mac that user default APIs are commonly used in applications, and that including them in the list of APIs that require justification could increase the number of App Store app rejections. The default APIs let an application adapt its behavior to the user’s preferences.
Still, developers can appeal an application rejection, and Apple says it will frequently review the list of APIs subject to its new policy.