Third-party SDK versions meet privacy manifest compliance thresholds
Why it matters
Apple began requiring privacy manifests in third-party SDKs in May 2024. Pods at versions below their compliance threshold ship without a PrivacyInfo.xcprivacy, which means your app's aggregate privacy manifest will be incomplete — Apple flags this during binary validation. This is a supply-chain compliance failure: you inherit the compliance gap from the dependency (CWE-1357, SSDF PW.4), and GDPR Art.28 requires you to ensure your data processors are themselves compliant. An outdated pod version is an audit trail showing you did not exercise due diligence.
Severity rationale
Medium because outdated SDK versions with missing privacy manifests cause Apple to flag submissions, but the violation is fixable with a version bump rather than an architectural change.
Remediation
Update each non-compliant SDK to its minimum compliant version. For React Native:
npm install react-native-google-mobile-ads@latest
cd ios && pod update Google-Mobile-Ads-SDK
For Flutter:
flutter pub upgrade
After upgrading, re-run find ios/ -name PrivacyInfo.xcprivacy to confirm the updated pods include their manifests. Check each SDK's changelog for breaking API changes before upgrading. Reference minimum compliant versions: Google Mobile Ads iOS ≥11.0.0, Firebase iOS ≥10.18.0, Meta Audience Network ≥6.12.0, Adjust ≥4.35.0, AppsFlyer ≥6.10.0.
Detection
- ID: sdk-version-compliance
- Severity: medium
- What to look for: Count all relevant instances and enumerate each. For each ad/analytics SDK detected, check its version against the minimum version that includes a privacy manifest. Check version sources: for React Native, look at the package.json version and ios/Podfile.lock for the native iOS pod version; for Flutter, look at pubspec.lock; for native iOS, look at Podfile.lock or Package.resolved. Minimum compliant versions (as of 2026): Google Mobile Ads iOS SDK (Google-Mobile-Ads-SDK in Podfile.lock) ≥11.0.0; Google Analytics for Firebase iOS SDK ≥10.18.0; Meta Audience Network iOS (FBAudienceNetwork) ≥6.12.0; Adjust iOS SDK ≥4.35.0; AppsFlyer iOS SDK ≥6.10.0; Amplitude iOS SDK ≥8.0.0; Branch iOS SDK ≥2.1.2 (with privacy manifest). For Android, privacy manifest compliance is handled differently (the Data Safety form is manual, not automatic) — focus on iOS pod versions. Flag any SDK whose iOS pod version is below the threshold.
- Pass criteria: All ad/analytics SDKs with iOS targets are at or above their minimum privacy-manifest-compliant versions. At least 1 implementation must be verified. No outdated pods found in Podfile.lock.
- Fail criteria: Any SDK's iOS pod version is below the known privacy manifest compliance threshold.
- Skip (N/A) when: No ad or analytics SDKs detected; or app targets Android only.
- Detail on fail: "Google-Mobile-Ads-SDK pod version 10.14.0 found in ios/Podfile.lock — privacy manifest compliance requires ≥11.0.0" or "FBAudienceNetwork pod version 6.9.0 found — Meta Audience Network requires ≥6.12.0 for privacy manifest compliance"
- Remediation: Outdated SDK versions without privacy manifests cause Apple to flag your submission.
  - Update the SDK version in your package manager:
    # React Native
    npm install react-native-google-mobile-ads@latest
    cd ios && pod update Google-Mobile-Ads-SDK
    # Flutter
    flutter pub upgrade
  - After updating, re-run find ios/ -name PrivacyInfo.xcprivacy to confirm the updated pods include their manifest files
  - Check each SDK's changelog for any breaking API changes before upgrading
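The detection step above can be automated. The following is an added example (not part of this rule's tooling or of any SDK vendor's code) that parses the PODS: section of a CocoaPods Podfile.lock, compares each top-level pod's version against the thresholds listed in this rule, and returns pass/fail/skip in line with the criteria above. The pod names Google-Mobile-Ads-SDK, FBAudienceNetwork and Adjust come from the rule text; FirebaseAnalytics, AppsFlyerFramework, Amplitude and BranchSDK are assumed pod names that you should verify against your own Podfile.lock. The sample lock file is constructed for the example and does not describe a real project.

```python
"""Check Podfile.lock pod versions against privacy-manifest compliance thresholds."""
import re
from dataclasses import dataclass

# Minimum versions taken from the rule text. Pod names marked ASSUMED are not
# given in the rule; verify them against the PODS: section of your Podfile.lock.
MIN_COMPLIANT_VERSION = {
    "Google-Mobile-Ads-SDK": "11.0.0",
    "FBAudienceNetwork": "6.12.0",
    "Adjust": "4.35.0",
    "FirebaseAnalytics": "10.18.0",   # ASSUMED pod name for Google Analytics for Firebase
    "AppsFlyerFramework": "6.10.0",   # ASSUMED pod name for the AppsFlyer iOS SDK
    "Amplitude": "8.0.0",             # ASSUMED pod name for the Amplitude iOS SDK
    "BranchSDK": "2.1.2",             # ASSUMED pod name for the Branch iOS SDK
}

# Top-level PODS entries look like "  - Name (1.2.3):" or "  - Name/Subspec (1.2.3)".
# Transitive dependencies are indented four spaces and therefore do not match.
POD_LINE = re.compile(r"^  - (?P<name>[^\s/(]+)(?:/[^\s(]+)? \((?P<version>[^)]+)\):?$")


@dataclass(frozen=True)
class Finding:
    pod: str
    found: str
    required: str

    def detail(self) -> str:
        """Message in the shape of the rule's 'Detail on fail'."""
        return (f"{self.pod} pod version {self.found} found in ios/Podfile.lock "
                f"- privacy manifest compliance requires >={self.required}")


def parse_version(v: str) -> tuple:
    """Numeric dotted prefix as an int tuple padded to three places.
    '11.0.0-beta.1' -> (11, 0, 0); '6.12' -> (6, 12, 0)."""
    m = re.match(r"(\d+(?:\.\d+)*)", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def parse_podfile_lock(text: str) -> dict:
    """Return {pod_name: version} for top-level entries in the PODS: section.
    Subspecs (e.g. Adjust/Core) are folded into their parent pod."""
    pods = {}
    in_pods = False
    for line in text.splitlines():
        if line.rstrip() == "PODS:":
            in_pods = True
            continue
        if in_pods and line and not line.startswith(" "):
            break  # reached the next top-level section (DEPENDENCIES:, SPEC REPOS:, ...)
        if not in_pods:
            continue
        m = POD_LINE.match(line)
        if m:
            pods.setdefault(m.group("name"), m.group("version"))
    return pods


def check(pods: dict) -> list:
    """One Finding per tracked pod whose version is below its threshold."""
    findings = []
    for pod, version in pods.items():
        required = MIN_COMPLIANT_VERSION.get(pod)
        if required and parse_version(version) < parse_version(required):
            findings.append(Finding(pod, version, required))
    return findings


def evaluate(text: str) -> str:
    """Rule outcome: 'skip' when no tracked SDK is present, otherwise 'pass' or 'fail'."""
    pods = parse_podfile_lock(text)
    if not any(p in MIN_COMPLIANT_VERSION for p in pods):
        return "skip"
    return "fail" if check(pods) else "pass"


# Constructed sample Podfile.lock for the example; not taken from a real project.
SAMPLE_PODFILE_LOCK = """\
PODS:
  - Adjust (4.35.0):
    - Adjust/Core (= 4.35.0)
  - Adjust/Core (4.35.0)
  - FBAudienceNetwork (6.9.0)
  - Google-Mobile-Ads-SDK (10.14.0):
    - GoogleUserMessagingPlatform (>= 1.1)
  - GoogleUserMessagingPlatform (2.1.0)

DEPENDENCIES:
  - Adjust (~> 4.35)
  - FBAudienceNetwork
  - Google-Mobile-Ads-SDK

SPEC CHECKSUMS:
  Adjust: 0000000000000000000000000000000000000000
COCOAPODS: 1.15.2
"""

if __name__ == "__main__":
    for f in check(parse_podfile_lock(SAMPLE_PODFILE_LOCK)):
        print(f.detail())
    print(evaluate(SAMPLE_PODFILE_LOCK))
```

Run against the sample, this reports FBAudienceNetwork 6.9.0 and Google-Mobile-Ads-SDK 10.14.0 as below threshold and returns "fail"; Adjust 4.35.0 meets its threshold exactly and is not flagged. Pre-release suffixes such as "-beta.1" are ignored for the comparison, which matches how CocoaPods orders them relative to the base version only approximately, so treat a pre-release at the exact threshold as a manual check. Pair the version check with the find ios/ -name PrivacyInfo.xcprivacy step from the remediation text, since a version at or above the threshold is the expectation, not proof that the manifest shipped.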
External references
- cwe · CWE-1357 — Reliance on Insufficiently Trustworthy Component
- ssdf:800-218 · PW.4 — Reuse Existing, Well-Secured Software When Feasible
- gdpr · Art.28 — Processor obligations — ensure sub-processors meet compliance requirements
Taxons
History
- 2026-04-18·v1.0.0·Initial import from app-store-privacy-data·automated