The "Missing Privacy Manifest" warning from App Store Connect (ITMS-91053) has shifted from a gentle nudge to a strict release blocker. For apps monetizing via the Meta Audience Network, the implementation of iOS 17’s privacy standards is no longer optional.
If you are using the Meta Audience Network SDK, you are utilizing what Apple defines as a "Commonly Used Third-Party SDK." Failing to properly incorporate the PrivacyInfo.xcprivacy file—introduced effectively in Meta SDK version 6.15.0—will result in App Store rejection.
This guide provides the technical steps to upgrade your dependencies, verify the manifest integration at the binary level, and generate the required Privacy Report for submission.
The Architecture of Privacy Manifests
Before applying the fix, it is critical to understand the mechanical change in how Xcode handles privacy data. Previously, privacy practices were self-reported manually in App Store Connect. This created a disconnect between the actual code behavior and the stated practices.
With iOS 17, Apple introduced Privacy Manifests. These are property lists (PrivacyInfo.xcprivacy) bundled directly within frameworks.
How Xcode Aggregates Data
When you build your application using Xcode 15 or later, the build system performs a "merge" operation. It scans your application target and all linked static and dynamic frameworks for .xcprivacy files. It aggregates these files into a single Privacy Report.
The Meta Audience Network SDK interacts with "Required Reason APIs" (such as file timestamp APIs or user defaults) and collects data types like User ID and Device ID. Without a valid manifest from the SDK, your app cannot explain why it is accessing these APIs, leading to compliance failure.
Step 1: Upgrading the Dependency
Meta officially introduced the PrivacyInfo.xcprivacy file in version 6.15.0. The first step is strictly version control.
Option A: CocoaPods
If you are using CocoaPods, you must explicitly target version 6.15.0 or higher. In your Podfile, update the declaration:
# Podfile
# DO NOT use loose versioning like '~> 6.0' to ensure you don't accidentally
# lock to an older version due to other dependencies.
pod 'FBAudienceNetwork', '6.15.0'
Run the update command in your terminal. We use --repo-update to ensure your local specs are current:
pod install --repo-update
Option B: Swift Package Manager (SPM)
For projects utilizing SPM, update your Package.swift or your Xcode project dependency settings.
// Package.swift
dependencies: [
.package(
url: "https://github.com/facebook/facebook-ios-sdk",
from: "17.0.0" // Meta bundles Audience Network in their primary SDK repo for SPM
)
]
Note: If you are integrating the standalone Audience Network via a binary target, ensure the checksum matches the 6.15.0 release artifacts.
Step 2: Verifying Manifest Presence
Simply updating the version is insufficient for high-stakes release engineering. You must verify that the PrivacyInfo.xcprivacy file is actually present in the compiled artifact before submitting to Apple.
Navigate to your Pods directory or the derived data location for SPM and inspect the framework bundle.
Terminal Verification Command:
# Navigate to your project root
cd Pods/FBAudienceNetwork/FBAudienceNetwork.xcframework/ios-arm64/FBAudienceNetwork.framework
# List files to confirm presence
ls -la | grep PrivacyInfo.xcprivacy
If this command returns nothing, clean your build folder (Cmd + Shift + K) and re-install pods. The file must exist physically in the framework folder.
Step 3: Generating the Privacy Report
Once the SDK is updated, you need to validate that Xcode is correctly reading and aggregating the manifest. You do not need to manually edit Meta's manifest; Xcode handles the reading.
- Open your project in Xcode 15+.
- Select Product > Archive.
- Once the archive is generated, right-click the archive in the Organizer and select Generate Privacy Report.
Xcode will output a PDF. Open this PDF and search for "Meta" or "Facebook". You should see explicit declarations for:
- Data Usage: Advertising Data, Coarse Location, Device ID.
- API Usage: File Timestamp APIs (required for caching mechanisms).
If these sections are missing, Xcode has failed to link the manifest file during the build phase.
Deep Dive: The xcprivacy Structure
Understanding the XML structure helps in debugging "Invalid Binary" errors. Below is a valid snippet of what the Meta SDK brings into your project via its PrivacyInfo.xcprivacy.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>NSPrivacyCollectedDataTypes</key>
<array>
<dict>
<key>NSPrivacyCollectedDataType</key>
<string>NSPrivacyCollectedDataTypeDeviceID</string>
<key>NSPrivacyCollectedDataTypeLinked</key>
<true/>
<key>NSPrivacyCollectedDataTypeTracking</key>
<true/>
<key>NSPrivacyCollectedDataTypePurposes</key>
<array>
<string>NSPrivacyCollectedDataTypePurposeThirdPartyAdvertising</string>
</array>
</dict>
</array>
<key>NSPrivacyAccessedAPITypes</key>
<array>
<dict>
<key>NSPrivacyAccessedAPIType</key>
<string>NSPrivacyAccessedAPICategoryUserDefaults</string>
<key>NSPrivacyAccessedAPITypeReasons</key>
<array>
<string>CA92.1</string>
</array>
</dict>
</array>
<key>NSPrivacyTracking</key>
<true/>
<key>NSPrivacyTrackingDomains</key>
<array>
<string>facebook.com</string>
<string>instagram.com</string>
</array>
</dict>
</plist>
Key Analysis
- NSPrivacyTracking: Set to
true. This explicitly tells Apple that this SDK engages in tracking. - NSPrivacyTrackingDomains: Lists domains that, if blocked by the user via App Tracking Transparency (ATT), will fail network requests.
- NSPrivacyAccessedAPITypeReasons: The code
CA92.1corresponds to accessing User Defaults. Meta uses this to store internal identifiers.
Common Pitfalls and Edge Cases
1. The "Static Library" Strip Issue
If you are linking FBAudienceNetwork as a static library (often the case with older Unity builds or custom React Native bridges), the linker might strip non-code resources like .xcprivacy.
Solution: explicitly add the resource bundle in your build phases, or ensure your Podspec uses resource_bundles to force the inclusion of the manifest.
2. Conflicting Manifests
If your app's main PrivacyInfo.xcprivacy contradicts the SDK's manifest, Xcode may flag a warning. For example, if Meta declares it tracks users, but your main app manifest asserts NSPrivacyTracking is false, you create a logical fallacy.
Solution: If you include the Meta SDK, your app is effectively tracking. Your top-level configuration must reflect the aggregate reality of your dependencies.
3. Missing NSUserTrackingUsageDescription
The Privacy Manifest is for the system; the Info.plist is for the user. Even with a perfect manifest, if Meta attempts to request IDFA (which it will), your app will crash or be rejected without the usage description string.
Ensure this exists in your main Info.plist:
<key>NSUserTrackingUsageDescription</key>
<string>We use your data to deliver personalized advertising experiences.</string>
Conclusion
Updating the Meta Audience Network SDK to 6.15.0+ is the primary requirement for iOS 17 compliance, but the job isn't done until you verify the artifact. By treating the xcprivacy file as a critical binary asset—verifying its presence and generating the Xcode Privacy Report—you eliminate the ambiguity that leads to App Store rejections.
Prioritize this update in your next sprint. Apple's enforcement of third-party SDK signatures is automated, strict, and currently active.