
MASTG-TECH-0136: Retrieving PrivacyInfo.xcprivacy Files

iOS apps can include privacy manifest files that provide information about the privacy practices of the app and its components (e.g., Frameworks and Plugins). These files are typically named PrivacyInfo.xcprivacy and are used to declare the app's data collection practices, including those of any third-party libraries or frameworks that may collect user data.

To retrieve these files, you can use the following command in your terminal:

find . -name "PrivacyInfo.xcprivacy"

For example, assuming you have an iOS social media app named SocialApp.ipa, and you've extracted it using Obtaining and Extracting Apps, you can run the following command from the Payload/ folder to find all PrivacyInfo.xcprivacy files within the app bundle (output truncated and reordered for readability):

find . -name "PrivacyInfo.xcprivacy"

./SocialApp.app/PrivacyInfo.xcprivacy
./SocialApp.app/FirebaseCore_Privacy.bundle/PrivacyInfo.xcprivacy
./SocialApp.app/LetterPrivacyInfo.bundle/PrivacyInfo.xcprivacy
./SocialApp.app/CoreMain.bundle/PrivacyInfo.xcprivacy
...
./SocialApp.app/PlugIns/WidgetExtension.appex/PrivacyInfo.xcprivacy
./SocialApp.app/PlugIns/WidgetExtension.appex/Deep_Privacy.bundle/PrivacyInfo.xcprivacy
...
./SocialApp.app/Extensions/SocialAppAssetExtension.appex/PrivacyInfo.xcprivacy
...
./SocialApp.app/Frameworks/OXSDK_1.framework/PrivacyInfo.xcprivacy
./SocialApp.app/Frameworks/SpotifyLogin.framework/PrivacyInfo.xcprivacy
...

This output shows that SocialApp has multiple PrivacyInfo.xcprivacy files: one for the main app (./SocialApp.app/PrivacyInfo.xcprivacy) and several others for its .bundles, PlugIns, Extensions, and Frameworks (and any other nested .bundles).

Let's take a look at the main privacy manifest, ./SocialApp.app/PrivacyInfo.xcprivacy (truncated for readability):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>NSPrivacyAccessedAPITypes</key>
        <array>
                <dict>
                        <key>NSPrivacyAccessedAPIType</key>
                        <string>NSPrivacyAccessedAPICategoryUserDefaults</string>
                        <key>NSPrivacyAccessedAPITypeReasons</key>
                        <array>
                                <string>CA92.1</string>
                                <string>1C8F.1</string>
                                ...
        </array>
        <key>NSPrivacyCollectedDataTypes</key>
        <array>
                <dict>
                        <key>NSPrivacyCollectedDataType</key>
                        <string>NSPrivacyCollectedDataTypeName</string>
                        <key>NSPrivacyCollectedDataTypeLinked</key>
                        <true/>
                        <key>NSPrivacyCollectedDataTypePurposes</key>
                        <array>
                                <string>NSPrivacyCollectedDataTypePurposeAppFunctionality</string>
                                <string>NSPrivacyCollectedDataTypePurposeOther</string>
                        </array>
                        <key>NSPrivacyCollectedDataTypeTracking</key>
                        <false/>
                </dict>
                ...
        </array>
        <key>NSPrivacyTracking</key>
        <true/>
        <key>NSPrivacyTrackingDomains</key>
        <array>
                <string>trk-v2.socialapp.com</string>
                <string>trk-v2.socialapp.us</string>
                ...
        </array>
</dict>
</plist>

See Convert Plist Files to JSON for converting this file to JSON and Analyzing PrivacyInfo.xcprivacy Files for more information on analyzing the contents of PrivacyInfo.xcprivacy files.
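The retrieval step above extended with parsing, as an added example that is not MASTG's own code: it walks an extracted Payload/ folder the way the find command does, reads each manifest with plistlib (XML or binary), and summarizes the keys shown in the sample manifest so that per-component tracking declarations can be compared. The function names and the tree written by build_sample are constructed for illustration, modelled on the SocialApp listing.

```python
import plistlib
import sys
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError
MANIFEST = "PrivacyInfo.xcprivacy"

def summarize(path):
    """Parse one manifest (XML or binary plist) into the fields shown on this page."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except (ValueError, ExpatError, OSError) as exc:  # InvalidFileException is a ValueError
        return {"error": f"unparseable manifest: {exc}"}
    if not isinstance(data, dict):
        return {"error": "top-level plist object is not a dict"}
    apis = {e.get("NSPrivacyAccessedAPIType"): e.get("NSPrivacyAccessedAPITypeReasons", [])
            for e in data.get("NSPrivacyAccessedAPITypes", []) if isinstance(e, dict)}
    collected = [e.get("NSPrivacyCollectedDataType")
                 for e in data.get("NSPrivacyCollectedDataTypes", []) if isinstance(e, dict)]
    return {"tracking": bool(data.get("NSPrivacyTracking", False)), "collected": collected,
            "tracking_domains": list(data.get("NSPrivacyTrackingDomains", [])), "accessed_apis": apis}

def collect_manifests(root):
    """Same file set as `find . -name PrivacyInfo.xcprivacy`, keyed by relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): summarize(p) for p in sorted(root.rglob(MANIFEST))}

def build_sample(root):
    """Write a constructed bundle layout modelled on the SocialApp listing (not real app data)."""
    main = {"NSPrivacyTracking": True,
            "NSPrivacyTrackingDomains": ["trk-v2.socialapp.com", "trk-v2.socialapp.us"],
            "NSPrivacyAccessedAPITypes": [{"NSPrivacyAccessedAPIType": "NSPrivacyAccessedAPICategoryUserDefaults",
                                           "NSPrivacyAccessedAPITypeReasons": ["CA92.1", "1C8F.1"]}]}
    files = {"SocialApp.app": (main, plistlib.FMT_XML),
             "SocialApp.app/Frameworks/OXSDK_1.framework": ({"NSPrivacyTracking": False}, plistlib.FMT_BINARY),
             "SocialApp.app/PlugIns/WidgetExtension.appex": (b"not a plist", None)}  # corrupt on purpose
    for folder, (content, fmt) in files.items():
        target = Path(root, folder)
        target.mkdir(parents=True, exist_ok=True)
        raw = plistlib.dumps(content, fmt=fmt) if fmt is not None else content
        (target / MANIFEST).write_bytes(raw)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = sys.argv[1] if len(sys.argv) > 1 else build_sample(tmp)  # pass Payload/ to scan a real app
        for rel, info in collect_manifests(root).items():
            print(rel, info)
```

A manifest that fails to parse is reported with an error entry rather than skipped, so a component with a damaged or unexpected manifest still shows up in the review.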

Tests

MASTG-TEST-0281: Undeclared Known Tracking Domains