Apple’s SDK requirements: What each of the 86 privacy manifest requiring SDKs does
Apple just unveiled a list of 86 SDKs that will require privacy manifests starting in the spring of 2024. The SDKs cover a wide range of functionality, including networking, authentication, database management, UI development, and more. There’s a lot of Facebook and Google SDKs here, including at least 12 for Firebase alone and many for Flutter, Google’s open source cross-platform development package. The list includes a significant number of Meta SDKs as well, including one for AEM, Meta’s Aggregated Event Management that limits privacy-sensitive data transmission while enabling conversion and engagement measurement.
Organizations or maintainers with the most SDKs on the list:
- Google: 24
- Flutter community: 19
- Meta: 7
- OneSignal: 4
Some of the common capabilities of the SDKs on the privacy manifest list:
- Video and image tasks: 10
- Data management, storage, parsing: 9
- Network and networking tasks: 5
- Notifications: 5
- User login/authentication: 4
- Web views in apps: 3
- Sharing library: 3
- Encryption: 2
Here’s a list with all 86 iOS app development SDKs and libraries, along with brief overviews of what they do, and the companies, organizations, or maintainers behind each. More on what’s NOT on the list below …
All 86 privacy manifest requiring SDKs
| SDK/Library | Overview | Company/Organization/Maintainer |
| Abseil | C++ libraries for data types and algorithms | |
| AFNetworking | Networking library for HTTP requests | Alamofire Software |
| Alamofire | Swift-based networking library | Alamofire Software |
| AppAuth | OAuth 2.0 and OpenID Connect library | OpenID Foundation and contributors |
| BoringSSL / openssl_grpc | Cryptographic libraries | Google (BoringSSL), gRPC Project (openssl_grpc) |
| Capacitor | Cross-platform app development framework | Ionic Framework |
| Charts | Swift library for interactive charts | Apple |
| connectivity_plus | Flutter plugin for network connectivity | Flutter community |
| Cordova | Cross-platform app development framework | Apache Software Foundation |
| device_info_plus | Flutter plugin for device information | Flutter community |
| DKImagePickerController | Image picker library | Dang-Khoa Nguyen |
| DKPhotoGallery | Photo gallery library | Dang-Khoa Nguyen |
| FBAEMKit | Facebook Analytics Event Manager Kit | |
| FBLPromises | Promises library for Objective-C/Swift | |
| FBSDKCoreKit | Facebook SDK core functionality | |
| FBSDKCoreKit_Basics | Facebook SDK core functionality | |
| FBSDKLoginKit | Facebook SDK for user authentication | |
| FBSDKShareKit | Facebook SDK for content sharing | |
| file_picker | Flutter plugin for picking files | Flutter community |
| FirebaseABTesting | Firebase service for A/B testing | |
| FirebaseAuth | Firebase service for user authentication | |
| FirebaseCore | Firebase service for app configuration | |
| FirebaseCoreDiagnostics | Firebase service for app diagnostics | |
| FirebaseCoreExtension | FirebaseCore extension | |
| FirebaseCoreInternal | FirebaseCore internal configurations | |
| FirebaseCrashlytics | Firebase service for crash reporting | |
| FirebaseDynamicLinks | Firebase service for deep linking | |
| FirebaseFirestore | Firebase NoSQL database | |
| FirebaseInstallations | Firebase service for installations tracking | |
| FirebaseMessaging | Firebase service for push notifications | |
| FirebaseRemoteConfig | Firebase service for remote config | |
| Flutter | Google’s UI toolkit for cross-platform | |
| flutter_inappwebview | Flutter plugin for in-app webviews | Flutter community |
| flutter_local_notifications | Flutter plugin for local notifications | Flutter community |
| fluttertoast | Flutter plugin for toast notifications | Flutter community |
| FMDB | SQLite database management in iOS apps | Flying Meat Inc. |
| geolocator_apple | Flutter plugin for geolocation on iOS | Baseflow |
| GoogleDataTransport | Framework for data transport | |
| GoogleSignIn | Library for Google Sign-In | |
| GoogleToolboxForMac | Utilities for Google services on macOS/iOS | |
| GoogleUtilities | Utilities and helper functions for Google | |
| grpcpp | C++ implementation of gRPC | gRPC Project |
| GTMAppAuth | Library for integrating AppAuth with Google | |
| GTMSessionFetcher | Google library for network request management | |
| hermes | JavaScript engine for React Native apps | |
| image_picker_ios | Flutter plugin for picking images (iOS) | Flutter community |
| IQKeyboardManager | Library for managing the iOS keyboard | Michael Tyson |
| IQKeyboardManagerSwift | Swift version of IQKeyboardManager | Michael Tyson |
| Kingfisher | Swift library for image downloading/caching | Wei Wang |
| leveldb | Google’s LevelDB database library | |
| Lottie | Library for adding animations to iOS apps | Airbnb |
| MBProgressHUD | Library for displaying loading indicators | Matej Bukovinski |
| nanopb | Protocol Buffers implementation in C | Dave Garton and contributors |
| OneSignal | Push notification service | OneSignal Inc. |
| OneSignalCore | Core functionality for OneSignal | OneSignal Inc. |
| OneSignalExtension | Extension for OneSignal notifications | OneSignal Inc. |
| OneSignalOutcomes | OneSignal analytics and outcomes tracking | OneSignal Inc. |
| OpenSSL | Cryptographic library for secure comm. | OpenSSL community |
| OrderedSet | Data structure for ordered collections | Apple |
| package_info | Flutter plugin for retrieving package info | Flutter community |
| package_info_plus | Extension of package_info with additional | Flutter community |
| path_provider | Flutter plugin for directory paths | Flutter community |
| path_provider_ios | iOS-specific directory path plugin (Flutter) | Flutter community |
| Promises | Swift library for handling asynchronous tasks | |
| Protobuf | Protocol Buffers serialization format | |
| Reachability | Library for monitoring network reachability | Tony Million |
| RealmSwift | Mobile database for data storage/retrieval | MongoDB |
| RxCocoa | RxSwift extensions for Cocoa/UIKit | ReactiveX and contributors |
| RxRelay | RxSwift extension for providing relay behavior | ReactiveX and contributors |
| RxSwift | Reactive programming library for Swift | ReactiveX and contributors |
| SDWebImage | Library for async image loading/caching | Olivier Poitrey and contributors |
| share_plus | Flutter plugin for sharing content | Flutter community |
| shared_preferences_ios | iOS-specific SharedPreferences plugin (Flutter) | Flutter community |
| SnapKit | Swift library for Auto Layout constraints | SnapKit community |
| sqflite | SQLite database plugin for Flutter | Flutter community |
| Starscream | WebSocket library for Swift | Dalton Cherry and contributors |
| SVProgressHUD | Library for displaying HUDs (Head-Up Displays) | Sam Vermette |
| SwiftyGif | Swift library for displaying GIFs | Daniel Martín |
| SwiftyJSON | Swift library for parsing JSON data | Ruoyu Fu |
| Toast | Flutter plugin for displaying toast messages | Hajime Nakamura |
| UnityFramework | Framework for building Unity-based apps | Unity Technologies |
| url_launcher | Flutter plugin for launching URLs | Flutter community |
| url_launcher_ios | iOS-specific URL launcher plugin (Flutter) | Flutter community |
| video_player_avfoundation | Flutter video player plugin for AVFoundation | Flutter community |
| wakelock | Flutter plugin for preventing device sleep | Flutter community |
| webview_flutter_wkwebview | Flutter plugin for WebView with WKWebView support | Flutter community |
(Note: this was partially created by ChatGPT. I’ve double-checked it and updated some data where there have been recent changes or there is confusion, but can’t guarantee it’s 100% accurate in all cases.)
Important note about Apple’s privacy manifest requiring SDKs
Apple says app developers will need to start including privacy manifests for any SDK listed. But there are some conditions on that requirement:
- When you submit a new app
- When you submit an app update that “adds one of the listed SDKs as part of the update”
I’ve added the emphasis on the “adds” above, because based on the plain language of Apple’s notification, you will not need to declare privacy manifests for these SDKs if you’re updating an old app that already includes one of these SDKs. In other words, there’s some grandfathering going on.
Of course, I’m not a lawyer: check with yours to be certain of your obligations.
Why these SDKs and not others?
Of course, we don’t know Apple’s motivation here, but we can speculate why Apple chose these SDKs and not others.
One reason might simply be scale. Any SDK with hundreds of thousands or millions of installs or inclusions in apps represents a broad risk if misused, so simple scale might be a factor here.
Another is a focus on what they do. Any SDKs that offer remote configuration could change app behavior after its App Store submission and Apple’s review, which obviously adds risk. Any SDKs that are used for networking or user ID/authentication have potential for misuse as well, as does any SDK that gets and provides data on device-level hardware, software, or identifier information. We’ve just learned how governments have been using push notifications to surveil end users, so presumably companies or organizations could do the same, and that’s likely why we see some push notification SDKs on the list.
We don’t see MMP SDKs here, suggesting that Apple sees its own SKAdNetwork as a privacy-safe form of marketing measurement and marketing measurement companies that use it as allies in privacy. Given that all the significant players in the mobile measurement space have detailed obligations with the big self-attributing networks, this seems a safe call. Also, depending on what data each individual MMP’s SDK access, if an MMP wants any data from Apple’s other privacy list of required reason APIs, that will force the MMP’s reason to be declared in privacy manifests anyways.
Big picture: it’s a tough job to find all the potentially infringing SDKs, since pretty much any SDK that can run networking and collect data is a potential risk. Ultimately, we might see Apple adopt something like Google’s SDK Sandbox in Privacy Sandbox on Android, which will place SDKs in a specific environment that limits their access to extracurricular data.
More to come?
There is of course the possibility that there are more SDKs to come. Nothing is static in technology, especially in mobile, and as additional SDKs are created, Apple will want to monitor them. It’s worth noting that Apple is guarding against people simply renaming or repackaging SDKs to sidestep the requirements:
“Any version of a listed SDK, as well as any SDKs that repackage those on the list, are included in the requirement,” Apple states.
In other words, you can’t weasel around the requirement.
Stay up to date on the latest happenings in digital marketing
