False NSPrivacyAccessedAPICategoryFileTimestamp API usage detection? (Privacy Manifest)

[shagedorn]

Question

We currently get the following warning when submitting our app to App Store Connect:

ITMS-91053: Missing API declaration - Your app’s code in the “{app name}” file references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryFileTimestamp. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code. […]

We have audited our own code (no usage) and other SDKs (no usage or declared usage), and could not find the source. Using this tool (binary-based scanner), we get this output:

Found potentially required reason API usage '.creationDate' in ' …/checkouts/dd-sdk-ios/DatadogCore/Sources/Core/Storage/FilesOrchestrator.swift'
Line numbers: 156 157 158 168 197 198 218 226

I reviewed the FilesOrchestrator.swift code and it seems the restricted API isn't actually used, but .creationDate sounds/looks like one of those APIs, so the linked tool flags a false positive. Unfortunately, Apple does not point out the source, but from reading through the related issue #1749, it sounds like Apple might do the same, falsely flagging restricted API usage.

Is anyone else experiencing the same? Would it be an option to rename the creationDate property/tuple field to work around it?

[ncreated]

Hey @shagedorn 👋. Thanks for pointing this out. I confirm, we don't use creationDate() API and what you get from Apple is a false-positive similar to systemUptime() discussed in #1749. We will rename things accordingly on our side to make sure SDK is not flagged by Apple.

[tdraper-dev]

Thanks for your efforts! Any updates on when this will be cut for release?

[NeilCossorFrollo]

Again, thanks for your efforts.
Noting that we are still getting App Store Connect issues email on TestFlight builds.. and the "cutoff" from warning to potential rejections by Apple is 1st May.. is this release imminent ?

[ganeshnj]

Thanks for patience everyone. We are planning a release this week.

[ncreated]

👋 2.10.0 is out and it contains the fix to this issue.

[joseewu]

hi @ncreated We updated the datadog to 2.10.0 and submitted our app but still got the same warnings.

ITMS-91053: Missing API declaration - xxxxxxxxx, including the following API categories: NSPrivacyAccessedAPICategoryFileTimestamp. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.

ITMS-91053: Missing API declaration - Yxxxxxx including the following API categories: NSPrivacyAccessedAPICategorySystemBootTime. While no action is required at this time, starting May 1, 2024, when you upload a new app or app update, you must include a NSPrivacyAccessedAPITypes array in your app’s privacy manifest to provide approved reasons for these APIs used by your app’s code. For more details about this policy, including a list of required reason APIs and approved reasons for usage, visit: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api.

Should we also declare those two apis in the privacy manifest file? because we don't use them directly in the project.

thanks for the fix and help!

[ncreated]

@joseewu Our SDK does not use any of Required Reason APIs. The warnings that we fixed in 2.10.0 (#1774) were false-positives.

Is it possible that in this warning is caused by some other library, not Datadog SDK? You may want to scan your codebase, for example using the approach described by @shagedorn:

We have audited our own code (no usage) and other SDKs (no usage or declared usage), and could not find the source. Using this tool (binary-based scanner), we get this output:

Found potentially required reason API usage '.creationDate' in ' …/checkouts/dd-sdk-ios/DatadogCore/Sources/Core/Storage/FilesOrchestrator.swift'
Line numbers: 156 157 158 168 197 198 218 226

The fix we did in #1774 includes a linter phase that validates our code against Required Reason APIs using a regex that should include all RR APIs. It is the same list of RR APIs as the one used by @shagedorn.