Third-party SDK versions meet privacy manifest compliance thresholds

Why it matters

Apple began requiring privacy manifests in third-party SDKs in May 2024. Pods at versions below their compliance threshold ship without a PrivacyInfo.xcprivacy, which means your app's aggregate privacy manifest will be incomplete — Apple flags this during binary validation. This is a supply-chain compliance failure: you inherit the compliance gap from the dependency (CWE-1357, SSDF PW.4), and GDPR Art.28 requires you to ensure your data processors are themselves compliant. An outdated pod version is an audit trail showing you did not exercise due diligence.

Remediation

Update each non-compliant SDK to its minimum compliant version. For React Native:

npm install react-native-google-mobile-ads@latest
cd ios && pod update Google-Mobile-Ads-SDK

For Flutter:

flutter pub upgrade

After upgrading, re-run find ios/ -name PrivacyInfo.xcprivacy to confirm the updated pods include their manifests. Check each SDK's changelog for breaking API changes before upgrading. Reference minimum compliant versions: Google Mobile Ads iOS ≥11.0.0, Firebase iOS ≥10.18.0, Meta Audience Network ≥6.12.0, Adjust ≥4.35.0, AppsFlyer ≥6.10.0.

Detection

ID: app-store-privacy-data.privacy-declarations.sdk-version-compliance
Severity: medium
What to look for: Count all relevant instances and enumerate each. For each ad/analytics SDK detected, check its version against the minimum version that includes a privacy manifest. Check version sources: for React Native, look at package.json version and ios/Podfile.lock for the native iOS pod version; for Flutter, look at pubspec.lock; for native iOS, look at Podfile.lock or Package.resolved. Minimum compliant versions (as of 2026): Google Mobile Ads iOS SDK (Google-Mobile-Ads-SDK in Podfile.lock) ≥11.0.0; Google Analytics for Firebase iOS SDK ≥10.18.0; Meta Audience Network iOS (FBAudienceNetwork) ≥6.12.0; Adjust iOS SDK ≥4.35.0; AppsFlyer iOS SDK ≥6.10.0; Amplitude iOS SDK ≥8.0.0; Branch iOS SDK ≥2.1.2 (with privacy manifest). For Android, privacy manifest compliance is handled differently (Data Safety form is manual, not automatic) — focus on iOS pod versions. Flag any SDK whose iOS pod version is below the threshold.
Pass criteria: All ad/analytics SDKs with iOS targets are at or above their minimum privacy-manifest-compliant versions. At least 1 implementation must be verified. No outdated pods found in Podfile.lock.
Fail criteria: Any SDK's iOS pod version is below the known privacy manifest compliance threshold.
Skip (N/A) when: No ad or analytics SDKs detected; or app targets Android only.
Detail on fail: "Google-Mobile-Ads-SDK pod version 10.14.0 found in ios/Podfile.lock — privacy manifest compliance requires ≥11.0.0" or "FBAudienceNetwork pod version 6.9.0 found — Meta Audience Network requires ≥6.12.0 for privacy manifest compliance"
Remediation: Outdated SDK versions without privacy manifests cause Apple to flag your submission.
1. Update the SDK version in your package manager:
```
# React Native
npm install react-native-google-mobile-ads@latest
cd ios && pod update Google-Mobile-Ads-SDK

# Flutter
flutter pub upgrade
```
2. After updating, re-run find ios/ -name PrivacyInfo.xcprivacy to confirm the updated pods include their manifest files
3. Check each SDK's changelog for any breaking API changes before upgrading

Why it matters

Remediation

Update each non-compliant SDK to its minimum compliant version. For React Native:

npm install react-native-google-mobile-ads@latest
cd ios && pod update Google-Mobile-Ads-SDK

For Flutter:

flutter pub upgrade

Detection

ID: app-store-privacy-data.privacy-declarations.sdk-version-compliance
Severity: medium
What to look for: Count all relevant instances and enumerate each. For each ad/analytics SDK detected, check its version against the minimum version that includes a privacy manifest. Check version sources: for React Native, look at package.json version and ios/Podfile.lock for the native iOS pod version; for Flutter, look at pubspec.lock; for native iOS, look at Podfile.lock or Package.resolved. Minimum compliant versions (as of 2026): Google Mobile Ads iOS SDK (Google-Mobile-Ads-SDK in Podfile.lock) ≥11.0.0; Google Analytics for Firebase iOS SDK ≥10.18.0; Meta Audience Network iOS (FBAudienceNetwork) ≥6.12.0; Adjust iOS SDK ≥4.35.0; AppsFlyer iOS SDK ≥6.10.0; Amplitude iOS SDK ≥8.0.0; Branch iOS SDK ≥2.1.2 (with privacy manifest). For Android, privacy manifest compliance is handled differently (Data Safety form is manual, not automatic) — focus on iOS pod versions. Flag any SDK whose iOS pod version is below the threshold.
Pass criteria: All ad/analytics SDKs with iOS targets are at or above their minimum privacy-manifest-compliant versions. At least 1 implementation must be verified. No outdated pods found in Podfile.lock.
Fail criteria: Any SDK's iOS pod version is below the known privacy manifest compliance threshold.
Skip (N/A) when: No ad or analytics SDKs detected; or app targets Android only.
Detail on fail: "Google-Mobile-Ads-SDK pod version 10.14.0 found in ios/Podfile.lock — privacy manifest compliance requires ≥11.0.0" or "FBAudienceNetwork pod version 6.9.0 found — Meta Audience Network requires ≥6.12.0 for privacy manifest compliance"
Remediation: Outdated SDK versions without privacy manifests cause Apple to flag your submission.
1. Update the SDK version in your package manager:
```
# React Native
npm install react-native-google-mobile-ads@latest
cd ios && pod update Google-Mobile-Ads-SDK

# Flutter
flutter pub upgrade
```
2. After updating, re-run find ios/ -name PrivacyInfo.xcprivacy to confirm the updated pods include their manifest files
3. Check each SDK's changelog for any breaking API changes before upgrading

Third-party SDK versions meet privacy manifest compliance thresholds

Why it matters

Severity rationale

Remediation

Detection

External references

Taxons

History

Third-party SDK versions meet privacy manifest compliance thresholds

Why it matters

Severity rationale

Remediation

Detection

External references

Taxons

History