According to Apple, its App Review team reviews over 100,000 app submissions every week. The App Review team is responsible for approving or rejecting a developer’s application to have an app published on the App Store.
But the review process is strict, and Apple announced on its Apple Developer website that some requirements will get stricter. Beginning this fall, developers must describe why they use certain application programming interfaces (APIs).
APIs are the building blocks of an application’s software, but some standard and common APIs can be misused to access a user’s sensitive data. However, the App Store will not require developers to explain every API used in their app. Developers must justify only the code that can potentially be misused to “fingerprint” (or identify) devices or users, for now at least.
Apple designates APIs that can possibly be used to fingerprint users as “required reason APIs.” Required reason APIs include file timestamp APIs, system boot time APIs, disk space APIs, active keyboard APIs, and user default APIs.
Fingerprinting occurs when code or a third-party software development kit (SDK) accesses device signals in an attempt to identify a device or the user. SDKs are the frameworks that developers use to build software for a specific platform or operating system. SDKs typically include at least one API.
Even if a user gives an app permission to track their activity in-app or across other apps, fingerprinting is prohibited by the App Store.
As a result, if an app or third-party SDK includes a required reason API, Apple will notify developers to explain its inclusion in their submitted app. Beginning in spring 2024, any apps that don’t explain their use of a required reason API will be rejected by App Store Connect.
Apple says that developers using required reason APIs must provide one or more acceptable reasons that accurately describe the use of the data collected from the app. Additionally, once the app is approved, developers cannot use the data collected from the app for reasons other than their intended and justified purpose.
Developers seeking to publish an iOS, iPadOS, tvOS, visionOS, or watchOS app must make sure that their APIs and third-party SDKs comply with the App Store’s required reason API policy. The required reason policy is in place to further protect the privacy of users who download apps from the App Store.
However, some developers told 9to5Mac that user default APIs are commonly used in apps, and including them on the required reason list could increase app rejections from the App Store. User default APIs allow the user to tailor an app’s behavior to their preferences.
Still, developers can appeal an app rejection, and Apple says it will frequently review the required reason API list.