Privacy Manifest: How to Fix Required Reason API Rejections
You just got an email with "ITMS-91053" in the subject line. Your perfectly working app got rejected because of something called a "privacy manifest." Welcome to the club.
This caught a lot of us off guard. Apple quietly introduced this requirement, and suddenly apps that had been approved for years started getting bounced. Let me walk you through exactly what's happening and how to fix it.
The Short Version
Starting in spring 2024, Apple requires a PrivacyInfo.xcprivacy file if your app (or any SDK you use) accesses certain "sensitive" APIs. These include things you'd never think twice about—like checking a file's modification date or reading from UserDefaults. No manifest = automatic rejection.
What Even Is a Privacy Manifest?
A privacy manifest is a property list file (PrivacyInfo.xcprivacy) that declares why your app accesses certain APIs that could potentially be used for fingerprinting users across apps.
Here's the thing that frustrated me when I first encountered this: these aren't shady tracking APIs. We're talking about stuff like:
APIs That Now Require Reasons
- •
UserDefaults- yes, really - • File timestamp APIs (creation date, etc.)
- • System boot time
- • Disk space APIs
- • Active keyboard info
- • User defaults access
Why Apple Did This
These APIs can be combined to create a "fingerprint" that identifies users across apps—even without any explicit tracking. Shady SDKs were doing this silently. Apple's solution: make everyone declare their usage.
The Catch That Gets Everyone
You're responsible for privacy manifests in every SDK and framework you include—even if you didn't write them. That Firebase pod you added? Better make sure it has an updated manifest. That analytics library from 2022? Probably doesn't.
Why Your App Got Rejected
The rejection email probably looked something like this:
ITMS-91053: Missing API declaration
Your app's code references one or more APIs that require a privacy manifest file. The following APIs require reasons:
NSPrivacyAccessedAPICategoryFileTimestamp
NSPrivacyAccessedAPICategoryUserDefaults
Please update your privacy manifest to include the required NSPrivacyAccessedAPITypes.
There are three main reasons you might see this:
1 Your Own Code Uses Required APIs
You're directly calling APIs like FileManager to check file dates, or using UserDefaults to store settings. Totally normal, everyday stuff—but now you need to declare it.
This is the easiest to fix. You just add your own privacy manifest.
2 A Third-Party SDK Uses Required APIs
Your app doesn't directly use these APIs, but one of your dependencies does. Firebase, Facebook SDK, analytics libraries, crash reporters—they all use these APIs internally.
You need to either update the SDK to a version with a manifest, or add their API usage to your own manifest.
3 Your Manifest Exists But Is Wrong
You added a privacy manifest, but it's missing API categories that Apple detected in your binary. Or you used the wrong "reason" codes. Or the file isn't being bundled correctly.
Double-check your manifest against Apple's actual API categories and verify it's included in your target's "Copy Bundle Resources" phase.
The Required Reason API Categories
Apple groups these APIs into categories. Here's what each one covers and the most common reasons you'd use them:
1 File Timestamp APIs
NSPrivacyAccessedAPICategoryFileTimestamp
What triggers this: Checking when files were created, modified, or accessed. Very common in document apps, backup tools, or anything that syncs.
Common valid reasons:
- •
DDA9.1- Display to user (show "last modified" dates) - •
C617.1- Access inside app's container only - •
3B52.1- User-initiated file operations
2 System Boot Time APIs
NSPrivacyAccessedAPICategorySystemBootTime
What triggers this: Checking how long the device has been running. Used for uptime calculations, diagnostics, or rate limiting.
Common valid reasons:
- •
35F9.1- Measure time elapsed in app (most common) - •
8FFB.1- Calculate absolute timestamps
3 Disk Space APIs
NSPrivacyAccessedAPICategoryDiskSpace
What triggers this: Checking available storage. Common in apps that download content, cache data, or warn users about low space.
Common valid reasons:
- •
E174.1- Check space before writing files - •
85F4.1- Display available space to user
4 User Defaults APIs
NSPrivacyAccessedAPICategoryUserDefaults
What triggers this: Using UserDefaults to store settings or state. Yes, the thing every iOS app uses.
Common valid reasons:
- •
CA92.1- Access your app's own UserDefaults (this is what you want) - •
1C8F.1- App group shared UserDefaults
5 Active Keyboard APIs
NSPrivacyAccessedAPICategoryActiveKeyboards
What triggers this: Checking which keyboard extensions are installed. Used by some localization or accessibility features.
Common valid reasons:
- •
54BD.1- Customize app based on active keyboards
How to Create Your Privacy Manifest
Here's the step-by-step process. I'll show you the Xcode way first, then the manual approach if you need more control.
Step 1: Create the File in Xcode
- 1 File → New → File (or Cmd+N)
- 2 Search for "App Privacy" and select App Privacy file type
-
3
Name it
PrivacyInfo(Xcode adds the .xcprivacy extension) - 4 Make sure it's added to your app target
Step 2: Add Your API Declarations
The file is XML under the hood. Here's what a typical manifest looks like for an app that uses UserDefaults and checks file timestamps:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>NSPrivacyAccessedAPITypes</key>
<array>
<!-- UserDefaults -->
<dict>
<key>NSPrivacyAccessedAPIType</key>
<string>NSPrivacyAccessedAPICategoryUserDefaults</string>
<key>NSPrivacyAccessedAPITypeReasons</key>
<array>
<string>CA92.1</string>
</array>
</dict>
<!-- File Timestamps -->
<dict>
<key>NSPrivacyAccessedAPIType</key>
<string>NSPrivacyAccessedAPICategoryFileTimestamp</string>
<key>NSPrivacyAccessedAPITypeReasons</key>
<array>
<string>C617.1</string>
</array>
</dict>
</array>
</dict>
</plist>
Step 3: Verify It's Bundled
This trips up a lot of people. The file exists, but it's not actually included in the app bundle.
- 1. Select your target → Build Phases
- 2. Expand "Copy Bundle Resources"
- 3. Make sure
PrivacyInfo.xcprivacyis listed - 4. If not, click + and add it
SDK Audit Checklist
Here's the painful part: you need to check every dependency. I've compiled a list of common SDKs and their manifest status as of early 2025:
| SDK | Has Manifest | Min Version | Notes |
|---|---|---|---|
| Firebase | Yes | 10.22.0+ | Update all Firebase pods |
| Facebook SDK | Yes | 16.0.0+ | Includes FBSDKCoreKit |
| Google Analytics | Yes | 10.22.0+ | Part of Firebase update |
| Crashlytics | Yes | 10.22.0+ | Part of Firebase update |
| Amplitude | Yes | 8.16.0+ | Check their docs |
| Sentry | Yes | 8.20.0+ | Both Cocoa and React Native |
| RevenueCat | Yes | 4.32.0+ | Update Purchases SDK |
| Older/Custom SDKs | Maybe | Check docs | May need to add to your manifest |
For SDKs Without Manifests
If an SDK doesn't have its own privacy manifest, you have two options: (1) Update to a newer version that includes one, or (2) Include their API usage in your own manifest. Contact the SDK vendor if you're unsure what APIs they use.
Common Errors and How to Fix Them
ITMS-91053
Missing API declaration - your binary uses APIs but no manifest declares them.
Fix: Add the missing API categories to your PrivacyInfo.xcprivacy file.
ITMS-91061
Missing privacy manifest for third-party SDK.
Fix: Update the SDK, or if that's not possible, include their API usage in your manifest.
"Invalid reason code"
You used a reason code that Apple doesn't recognize or that doesn't apply to the API category.
Fix: Check Apple's documentation for valid reason codes for each API category. They're picky about this.
Manifest exists but still rejected
The file is there, but it's not making it into the app bundle.
Fix: Verify it's in "Copy Bundle Resources" in your build phases. Also check that the file isn't excluded in your .gitignore or build settings.
Testing Your Privacy Manifest
Before you submit, here's how to verify everything is working:
1. Generate a Privacy Report in Xcode
Xcode 15+ can generate a privacy report that shows what APIs your app uses:
Product → Archive → Right-click archive → Generate Privacy Report
This shows you exactly what Apple will scan for. Compare it against your manifest.
2. Check the App Bundle
Build your app and inspect the .app package:
find /path/to/YourApp.app -name "PrivacyInfo.xcprivacy"
If this returns nothing, your manifest isn't being bundled.
3. Validate with App Store Connect
Upload a build to TestFlight. If there are privacy manifest issues, you'll get an email within a few minutes—much faster than waiting for full review.
Frequently Asked Questions
Do I need a privacy manifest if my app doesn't collect user data?
Yes, if your app uses any of the Required Reason APIs—even for completely innocent purposes. UserDefaults alone is enough to require a manifest.
What if a third-party SDK I use doesn't have a privacy manifest?
You can either: (1) Update to a newer version, (2) Contact the vendor, or (3) Add their API usage to your own manifest. Option 3 is a valid workaround, but you're essentially taking responsibility for their API usage.
Can I just add all the API categories to be safe?
Don't do this. Apple may reject apps that declare APIs they don't actually use. Only declare what you actually need. If you're not sure what your app uses, run the privacy report in Xcode first.
Does this affect Mac Catalyst or watchOS apps?
Yes. Privacy manifest requirements apply to all Apple platforms: iOS, iPadOS, macOS, watchOS, and tvOS.
My app was approved before—why is it being rejected now?
Apple phases in enforcement over time. Your previous binary was approved before strict enforcement began. Any new submission (including updates) must now include proper privacy manifests.
Want AI to Audit Your Privacy Manifest?
Our AI Review Toolkit includes prompts that scan your Xcode project and identify missing privacy declarations before Apple does.
Get the AI Toolkit