Update on privacy in Apple's ecosystem 2023
Every year, I dive into the WWDC sessions on privacy, fascinated by how Apple continues to prioritise user data protection. This year, I watched four sessions totalling 1 hour and 15 minutes, and I’m excited to share a summary to save you the time. Here’s what’s new in Apple’s privacy landscape for 2023, built around their four core privacy pillars.
Apple’s Four Privacy Pillars
Apple’s approach to privacy rests on four key principles:
Data Minimisation
Use only the data essential for a feature. This applies across your app’s architecture, from the data accessed for features to what’s shared with servers or external parties.
On-Device Processing
Process data locally on the user’s device to avoid sending it to external servers, keeping it secure and private.
Transparency and Control
Ensure users understand what data is accessed, why, when, and where. Provide clear controls upfront and let users adjust preferences later.
Security Protections
Use strong technical measures, like end-to-end encryption, to enforce these principles and protect user data.
What’s New in 2023?
Photo Picker Enhancements
The Photos picker now offers better control for users. They can share specific photos or videos without granting access to their entire library. This integrates smoothly into apps, eliminating the need for complex permission requests or custom photo-picking flows. Developers can customise the picker’s look to match their app, making it a simple, privacy-focused way to access photos.
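As an added example (not code from the sessions or from this post), here is how a SwiftUI view hands the user control over which photos reach the app. Everything in it is standard PhotosUI; the view name and the three-item limit are my own choices. The picker runs out of process, so no photo-library usage description or permission prompt is involved and the app only ever sees the assets the user picked:

```swift
import SwiftUI
import PhotosUI

// Added example: a SwiftUI view that lets the user hand the app up to three
// images through the system Photos picker. The picker runs in a separate
// process, so the app receives only the chosen items and never asks for
// library-wide photo permission.
struct ShareablePhotosView: View {
    @State private var selection: [PhotosPickerItem] = []
    @State private var images: [UIImage] = []

    var body: some View {
        VStack {
            PhotosPicker(selection: $selection,
                         maxSelectionCount: 3,   // example limit; 0 would mean unlimited
                         matching: .images) {
                Label("Choose photos", systemImage: "photo.on.rectangle")
            }
            ScrollView(.horizontal) {
                HStack {
                    ForEach(images.indices, id: \.self) { index in
                        Image(uiImage: images[index])
                            .resizable()
                            .scaledToFit()
                            .frame(height: 120)
                    }
                }
            }
        }
        .onChange(of: selection) { newItems in
            Task { images = await loadImages(from: newItems) }
        }
    }

    // Each PhotosPickerItem is a handle to one user-approved asset. Loading it as
    // Data keeps the app away from PHAsset and the rest of the library.
    private func loadImages(from items: [PhotosPickerItem]) async -> [UIImage] {
        var loaded: [UIImage] = []
        for item in items {
            guard let data = try? await item.loadTransferable(type: Data.self),
                  let image = UIImage(data: data) else { continue }
            loaded.append(image)
        }
        return loaded
    }
}
```

Because the app never holds a `PHAuthorizationStatus`, there is nothing to revoke later: each new selection is a fresh, explicit grant for exactly those items.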
Screen Capture Picker (macOS)
The new ScreenCaptureKit API for macOS, introduced with macOS Sonoma, lets users share specific windows or screens instead of granting full screen recording permissions. The SCContentSharingPicker API allows users to select content, which is shared instantly. A menu bar item reminds users when screen recording is active, with options to preview, modify, or stop the session. Developers can tailor the picker to their app’s needs, enhancing both privacy and user experience.
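The following is an added example, not code from the session or the post, showing the picker-driven flow on macOS 14. The class name, the `SCStreamOutput` consumer it takes, and the choice to allow only single windows and single displays are assumptions; the ScreenCaptureKit calls themselves are the public API. The app never asks for the blanket Screen Recording permission; it receives an `SCContentFilter` scoped to what the user chose:

```swift
import ScreenCaptureKit

// Added example: drive the system content-sharing picker. The user picks one
// window or one display; the app gets only a filter for that choice.
@available(macOS 14.0, *)
final class PickerDrivenCapture: NSObject, SCContentSharingPickerObserver {
    private var stream: SCStream?
    private let output: SCStreamOutput                    // the app's frame consumer (assumed)
    private let queue = DispatchQueue(label: "example.capture.frames")

    init(output: SCStreamOutput) {
        self.output = output
        super.init()
    }

    func beginPicking() {
        let picker = SCContentSharingPicker.shared
        var config = SCContentSharingPickerConfiguration()
        config.allowedPickerModes = [.singleWindow, .singleDisplay]  // narrow what can be shared
        config.allowsChangingSelectedContent = true                   // user may switch from the menu bar
        picker.configuration = config
        picker.add(self)
        picker.isActive = true      // turns on the menu-bar "recording" indicator while active
        picker.present()
    }

    // Delivered with the user's selection, and again whenever they change it.
    func contentSharingPicker(_ picker: SCContentSharingPicker,
                              didUpdateWith filter: SCContentFilter,
                              for existing: SCStream?) {
        if let existing {
            // Selection changed for a running stream: swap the filter in place.
            existing.updateContentFilter(filter) { error in
                if let error { print("filter update failed: \(error)") }
            }
            return
        }
        let config = SCStreamConfiguration()
        config.width = Int(filter.contentRect.width * CGFloat(filter.pointPixelScale))
        config.height = Int(filter.contentRect.height * CGFloat(filter.pointPixelScale))
        config.showsCursor = false
        let newStream = SCStream(filter: filter, configuration: config, delegate: nil)
        do {
            try newStream.addStreamOutput(output, type: .screen, sampleHandlerQueue: queue)
            newStream.startCapture { error in
                if let error { print("capture start failed: \(error)") }
            }
            stream = newStream
        } catch {
            print("stream setup failed: \(error)")
        }
    }

    func contentSharingPicker(_ picker: SCContentSharingPicker, didCancelFor stream: SCStream?) {
        // The user dismissed the picker; nothing was shared.
    }

    func contentSharingPickerStartDidFailWithError(_ error: Error) {
        print("picker could not be presented: \(error)")
    }

    func stop() {
        stream?.stopCapture { _ in }
        stream = nil
        SCContentSharingPicker.shared.isActive = false   // clears the menu-bar indicator
    }
}
```

The important property for reviewers is that `filter` is the only capture scope the app can obtain through this path, so a compromised or over-eager app cannot quietly widen it without the user seeing the picker again.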
Calendar Access Improvements
Apple introduced two key changes for Calendar integration:
EventKitUI: Apps that only create new events can use EventKitUI to render view controllers outside the app without needing explicit permissions, maintaining full functionality.
Add-Only Permission: For apps with custom event creation interfaces, a new add-only permission lets you add events without accessing existing ones. If full access is needed later, apps can request an upgrade with user consent, but clear explanations are crucial to avoid rejections.
Apps built against the iOS 17 or macOS Sonoma SDK default to write-only Calendar access. Apps linked against older EventKit versions that request access are prompted for write-only permission, and an automatic prompt for full access follows if they attempt to fetch events.
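Here is an added example (not the session's or the post's code) that walks through the three paths above in one class. The class name, the error type, and the Info.plist usage-description keys listed in the comment are assumptions about an app's setup; the EventKit and EventKitUI calls are the iOS 17 API:

```swift
import EventKit
import EventKitUI
import UIKit

// Added example. Assumed Info.plist entries for the custom-UI paths:
//   NSCalendarsWriteOnlyAccessUsageDescription  – shown for the add-only prompt
//   NSCalendarsFullAccessUsageDescription       – shown only if the app later asks to read
enum CalendarAccessError: Error { case denied }

final class CalendarWriter {
    private let store = EKEventStore()

    // Path 1: the system editor from EventKitUI. No authorization prompt at all;
    // the user reviews and saves the event in a system-rendered sheet.
    func presentSystemEditor(from presenter: UIViewController,
                             title: String, start: Date, end: Date,
                             delegate: EKEventEditViewDelegate) {
        let event = EKEvent(eventStore: store)
        event.title = title
        event.startDate = start
        event.endDate = end
        let editor = EKEventEditViewController()
        editor.eventStore = store
        editor.event = event
        editor.editViewDelegate = delegate
        presenter.present(editor, animated: true)
    }

    // Path 2: custom UI that only ever adds events. Asks for write-only access,
    // which never exposes the user's existing calendar entries to the app.
    func addEvent(title: String, start: Date, end: Date) async throws -> String {
        switch EKEventStore.authorizationStatus(for: .event) {
        case .notDetermined:
            guard try await store.requestWriteOnlyAccessToEvents() else {
                throw CalendarAccessError.denied
            }
        case .writeOnly, .fullAccess:
            break
        default:
            throw CalendarAccessError.denied
        }
        let event = EKEvent(eventStore: store)
        event.title = title
        event.startDate = start
        event.endDate = end
        event.calendar = store.defaultCalendarForNewEvents
        try store.save(event, span: .thisEvent)
        return event.eventIdentifier
    }

    // Path 3: upgrade only when a feature genuinely needs to read events.
    // Call this from the screen that needs reading, so the purpose string
    // shown to the user matches what they are doing.
    func ensureFullAccess() async throws -> Bool {
        if EKEventStore.authorizationStatus(for: .event) == .fullAccess { return true }
        return try await store.requestFullAccessToEvents()
    }
}
```

Keeping `ensureFullAccess()` separate from `addEvent(...)` is deliberate: the add-only path should never trigger the full-access prompt as a side effect, otherwise the user's earlier, narrower decision is silently escalated.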
Oblivious HTTP API
The Oblivious HTTP (OHTTP) API is a game-changer for privacy. It hides client IP addresses from app servers and conceals app usage patterns from network operators. OHTTP uses a third-party relay to proxy encrypted messages, ensuring no single entity sees both the user’s IP and the request’s content. This is ideal for anonymous features like analytics, as seen in iCloud Private Relay, which also protects DNS queries. OHTTP offers fast, secure interactions with strong privacy guarantees.
Sensitive Content Analysis Framework
The new Sensitive Content Analysis framework, paired with Communication Safety, protects children by detecting nudity in photos or videos shared via Messages, AirDrop, FaceTime, or the Photos picker. The framework uses on-device machine learning, requiring no server sharing and minimal code. Developers can integrate it by creating an SCSensitivityAnalyzer instance, checking the analysisPolicy, and using analyzeImage or videoAnalysis to detect sensitive content, then applying interventions like blurring.
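The sequence described above (create the analyzer, check the policy, analyze, intervene) as an added example rather than code from the session or the post. The `Intervention` type and the `SensitiveMediaGate` wrapper are my own; the framework calls are the public SensitiveContentAnalysis API, and the app is assumed to carry the `com.apple.developer.sensitivecontentanalysis.client` entitlement with the `analysis` value:

```swift
import SensitiveContentAnalysis
import CoreGraphics
import Foundation

// Added example. Requires the entitlement
// com.apple.developer.sensitivecontentanalysis.client = ["analysis"] (assumed set).
enum Intervention {
    case none
    case blur                 // simple intervention: obscure the media behind a warning
    case blurWithGuidance     // descriptive intervention: also show age-appropriate guidance
}

struct SensitiveMediaGate {
    private let analyzer = SCSensitivityAnalyzer()

    // The user has to have Communication Safety or Sensitive Content Warning
    // turned on; when they do not, analysisPolicy is .disabled and the app
    // should not run the analyzer at all.
    private var intervention: Intervention {
        switch analyzer.analysisPolicy {
        case .disabled:                 return .none
        case .descriptiveInterventions: return .blurWithGuidance
        default:                        return .blur
        }
    }

    // Images arrive as CGImage (e.g. from an AirDrop or picker payload). Analysis
    // is entirely on device; nothing leaves the process.
    func decision(for image: CGImage) async throws -> Intervention {
        let planned = intervention
        guard planned != .none else { return .none }
        let analysis = try await analyzer.analyzeImage(image)
        return analysis.isSensitive ? planned : .none
    }

    // Videos are analyzed from a file URL; the returned Progress lets the UI
    // show that a check is running before the video is displayed.
    func decision(forVideoAt url: URL) async throws -> Intervention {
        let planned = intervention
        guard planned != .none else { return .none }
        let handler = analyzer.videoAnalysis(forFileAt: url)
        let analysis = try await handler.hasSensitiveContent()
        return analysis.isSensitive ? planned : .none
    }
}
```

Returning an intervention rather than a bare Boolean keeps the policy decision next to the detection, so a caller cannot accidentally show a flagged image while still "checking the box" of having run the analyzer.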
Privacy Manifests
Privacy manifests are a big step forward for transparency. Third-party SDKs must now include a “PrivacyInfo.xcprivacy” file in Xcode, detailing data collection, usage, and tracking practices. Developers can review these manifests to ensure alignment with SDK functionality. Xcode 15 generates a PDF privacy report summarising all manifests, matching the App Store’s Privacy Nutrition Labels.
Starting in Fall 2023, App Store checks will require privacy-impacting SDKs to have signatures and manifests. By Spring 2024, this will be part of App Review. Tracking domains must also be declared to block unapproved connections, and Required Reason APIs must specify approved access reasons to prevent fingerprinting. Apple will soon publish lists of privacy-impacting SDKs, required reason APIs, and a feedback form for developers.
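To make the two paragraphs above concrete, here is an added example (not the session's or the post's code) that embeds a constructed `PrivacyInfo.xcprivacy` for a hypothetical SDK and runs a small consistency audit over it. The key names and the `NSPrivacyAccessedAPICategoryUserDefaults` / `CA92.1` pairing are real manifest vocabulary; the domain `metrics.example-sdk.invalid`, the SDK itself, and the audit rules are constructed for illustration and are not App Review's checks:

```swift
import Foundation

// Added example: a constructed PrivacyInfo.xcprivacy for a hypothetical SDK.
// The domain is a placeholder; the keys and the reason code are real manifest vocabulary.
let sampleManifest = """
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>NSPrivacyTracking</key>
    <true/>
    <key>NSPrivacyTrackingDomains</key>
    <array>
        <string>metrics.example-sdk.invalid</string>
    </array>
    <key>NSPrivacyCollectedDataTypes</key>
    <array>
        <dict>
            <key>NSPrivacyCollectedDataType</key>
            <string>NSPrivacyCollectedDataTypeCrashData</string>
            <key>NSPrivacyCollectedDataTypeLinked</key>
            <false/>
            <key>NSPrivacyCollectedDataTypeTracking</key>
            <false/>
            <key>NSPrivacyCollectedDataTypePurposes</key>
            <array>
                <string>NSPrivacyCollectedDataTypePurposeAppFunctionality</string>
            </array>
        </dict>
    </array>
    <key>NSPrivacyAccessedAPITypes</key>
    <array>
        <dict>
            <key>NSPrivacyAccessedAPIType</key>
            <string>NSPrivacyAccessedAPICategoryUserDefaults</string>
            <key>NSPrivacyAccessedAPITypeReasons</key>
            <array>
                <string>CA92.1</string>
            </array>
        </dict>
    </array>
</dict>
</plist>
"""

// Consistency checks an integrator can run over every manifest in a dependency
// tree before trusting what the Xcode privacy report will summarise. These are
// the example's own rules, not Apple's validation.
func auditPrivacyManifest(_ data: Data) throws -> [String] {
    guard let plist = try PropertyListSerialization.propertyList(from: data, options: [], format: nil)
            as? [String: Any] else {
        return ["manifest root is not a dictionary"]
    }
    var findings: [String] = []

    let tracking = plist["NSPrivacyTracking"] as? Bool ?? false
    let domains = plist["NSPrivacyTrackingDomains"] as? [String] ?? []
    if tracking && domains.isEmpty {
        findings.append("NSPrivacyTracking is true but NSPrivacyTrackingDomains is empty")
    }
    if !tracking && !domains.isEmpty {
        findings.append("tracking domains are listed although NSPrivacyTracking is false")
    }

    for item in plist["NSPrivacyCollectedDataTypes"] as? [[String: Any]] ?? [] {
        let type = item["NSPrivacyCollectedDataType"] as? String ?? "<missing data type>"
        let purposes = item["NSPrivacyCollectedDataTypePurposes"] as? [String] ?? []
        if purposes.isEmpty { findings.append("\(type) has no declared purpose") }
        if item["NSPrivacyCollectedDataTypeTracking"] as? Bool == true && !tracking {
            findings.append("\(type) is marked as used for tracking but NSPrivacyTracking is false")
        }
    }

    for api in plist["NSPrivacyAccessedAPITypes"] as? [[String: Any]] ?? [] {
        let category = api["NSPrivacyAccessedAPIType"] as? String ?? "<missing category>"
        let reasons = api["NSPrivacyAccessedAPITypeReasons"] as? [String] ?? []
        if reasons.isEmpty { findings.append("\(category) is declared without a reason code") }
    }
    return findings
}

let findings = try auditPrivacyManifest(Data(sampleManifest.utf8))
print(findings.isEmpty ? "manifest is internally consistent" : findings.joined(separator: "\n"))
```

Run as a script, the sample produces no findings. Flip `NSPrivacyTracking` to `<false/>` while leaving the domain in place and the audit reports the mismatch, which is exactly the kind of discrepancy between an SDK's declared and actual behaviour that the manifest system is meant to surface.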
Dependency Signature Verification
Third-party SDKs simplify development but carry risks. Xcode 15’s dependency signature verification uses Apple’s code signing to link binaries and metadata (like privacy manifests) to the developer’s identity. The “Signature” view in Xcode shows whether an XCFramework is signed by an Apple Developer Program identity, a self-signed certificate, or unsigned. Xcode validates signatures, alerting developers to issues like tampering or expired certificates. This boosts supply chain security, ensuring safer apps.
App Data Protections (macOS)
macOS Sonoma strengthens app data privacy. System-managed permissions control access to folders like Desktop, Documents, and Downloads. Apps storing data elsewhere, like messaging or notes apps, benefit from App Sandbox, which extends protections automatically. Accessing another app’s data container requires user permission, prompted with a clear purpose string. Developers can use NSOpenPanel for seamless file access or specify restrictive policies via NSDataAccessSecurityPolicy.
Advanced Data Protection
Introduced in 2022, Advanced Data Protection now supports CloudKit for end-to-end encryption of app data in iCloud. Developers need only use encrypted data types in CloudKit schemas and the encryptedValues API for storage and retrieval. No key management is required, making it easy to enhance user privacy when Advanced Data Protection is enabled.
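As an added example (not code from the session or the post), a minimal note store that keeps its contents end-to-end encrypted when the user has Advanced Data Protection turned on. It assumes a CloudKit schema with a record type `Note` whose `title` and `body` fields are declared as encrypted; the type and field names are my own. The `encryptedValues` accessor is the public CloudKit API:

```swift
import CloudKit
import Foundation

// Added example. Assumed schema: record type "Note" with encrypted fields
// "title" and "body", plus a plaintext "createdAtClient" Date. Encrypted fields
// cannot be queried, sorted or indexed, and CKReference values cannot be
// encrypted, so anything the app needs to sort on stays in plaintext.
struct EncryptedNoteStore {
    private let database = CKContainer.default().privateCloudDatabase

    func save(title: String, body: String) async throws -> CKRecord.ID {
        let record = CKRecord(recordType: "Note")
        // Written through encryptedValues, the field is encrypted on device with
        // keys the app never handles; iCloud stores only ciphertext.
        record.encryptedValues["title"] = title
        record.encryptedValues["body"] = body
        record["createdAtClient"] = Date()          // plaintext so it can be sorted server-side
        let saved = try await database.save(record)
        return saved.recordID
    }

    func load(_ id: CKRecord.ID) async throws -> (title: String, body: String)? {
        let record = try await database.record(for: id)
        // Reading must go through encryptedValues as well; record["title"] would be nil.
        guard let title = record.encryptedValues["title"] as? String,
              let body = record.encryptedValues["body"] as? String else {
            return nil
        }
        return (title, body)
    }

    // Newest-first listing uses only the plaintext field; decrypting happens per record.
    func recentNoteIDs(limit: Int = 20) async throws -> [CKRecord.ID] {
        let query = CKQuery(recordType: "Note", predicate: NSPredicate(value: true))
        query.sortDescriptors = [NSSortDescriptor(key: "createdAtClient", ascending: false)]
        let (matches, _) = try await database.records(matching: query, resultsLimit: limit)
        return matches.compactMap { id, result in
            (try? result.get()) != nil ? id : nil
        }
    }
}
```

The design point is the split: fields read through `encryptedValues` stay opaque to iCloud, so the schema has to decide up front which fields are sort or query keys (plaintext) and which are content (encrypted).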
Safari Private Browsing
Safari 17’s Private Browsing mode adds advanced protections against tracking and fingerprinting. It blocks known tracking resources and removes tracking parameters from URLs during navigation or link copying. Private Click Measurement supports privacy-preserving ad attribution without storing data on disk. Website developers should test login flows and browser APIs in Private Browsing to ensure compatibility, using Web Inspector to identify blocked trackers.
My Thoughts
Apple’s privacy updates for 2023 are impressive. Privacy manifests bring much-needed transparency to third-party SDKs, which often feel like black boxes sucking up data without developer control. The requirement for manifests and signatures is a strong move toward accountability. I’m also excited about Advanced Data Protection for CloudKit, which will give me peace of mind in my next project. The Oblivious HTTP API is intriguing, and I can’t wait to experiment with it. These changes show Apple’s commitment to putting users first, and I’m eager to see how developers adopt them.
Sources
- What’s New in Privacy
- Get Started with Privacy Manifests
- Verify App Dependencies with Digital Signatures
- Ready, Set, Relay: Protect App Traffic with Network Relays
- What’s New in Privacy on the App Store