⬡ Dev Tools/2026-06-26Advanced

Keep Your Rork App's Review From Stalling on a Privacy Manifest Gap

Handle PrivacyInfo.xcprivacy and Required Reason APIs in a Rork Expo app — a common cause of App Store review stalls — with the app.config.ts setup and a step-by-step check of third-party SDKs.

Rork⁴⁵⁵ Expo¹⁰⁸ Privacy Manifest⁵ App Store⁷² Required Reason API⁴

✦ Premium Article

You submit the app, and just when you think it cleared, an email arrives from Apple: "your app uses an API without a declared reason" — that warning that starts with ITMS. As an indie developer shipping several apps to the App Store and Google Play, the first time I got that notice I froze, with no idea what to fix.

Rork emits an Expo (React Native) app, and inside it many native APIs and third-party SDKs are running. Since 2024 Apple requires you to declare, in a privacy manifest, the "reason" for using certain APIs. Without the declaration it is a warning email today, but it will be upgraded to a rejection. Here, I work through this for a Rork project from both sides — your own code and the SDKs.

What is actually being asked

Apple requires two broad things.

Shipping a "privacy manifest" (PrivacyInfo.xcprivacy) that declares the kinds of data your app collects and how they are used.
Declaring, with a prescribed code, why you use certain APIs known as "Required Reason APIs."

Required Reason APIs are a set — file timestamps, free disk space, system boot time, UserDefaults — that can be abused for fingerprinting. If you use them for legitimate purposes, you pass simply by declaring the right reason code. The catch is that in most cases you are not calling them directly — a dependency is.

First, learn to read the warning email

The email lists the missing API categories, for example "no reason declared for NSPrivacyAccessedAPICategoryUserDefaults." Not skimming this is the start of the fix.

The first thing I did was copy the category names from the email and, for each, sort out "is this from my code or from an SDK?" Things like UserDefaults that the app itself uses go on my side; things an ad SDK touches internally go on the SDK side. That sorting instantly clarifies where to fix.

✦

Thank you for reading this far.

Continue Reading

What follows includes implementation code, benchmarks, and practical content we hope you'll find useful. This site runs without ads — server and development costs are supported entirely by members like you. If it's been helpful, we'd be truly grateful for your support.

WHAT YOU'LL LEARN

✦Understand what the post-submission ITMS-91053 email (undeclared-reason API) means and exactly which file to fix to make it stop

✦Get the procedure for checking not just your own code but the manifests inside third-party SDKs like AdMob

✦Set up your privacy manifest in app.config.ts so it ships automatically on every build

Secure payment via Stripe · Cancel anytime

✦

Unlock This Article

Get full access to the rest of this article. Buy once, read anytime. This site is ad-free — your support goes directly toward keeping it running.

Unlock all articles with Membership →

Write the manifest in app.config.ts

In Expo, rather than editing the native PrivacyInfo.xcprivacy directly, the right path is to write the declaration in the iOS config of app.config.ts (or app.json). Do this and the manifest ships automatically every time you rebuild the Rork project — no manual re-pasting.

// app.config.ts
export default {
  expo: {
    ios: {
      privacyManifests: {
        NSPrivacyAccessedAPITypes: [
          {
            NSPrivacyAccessedAPIType: "NSPrivacyAccessedAPICategoryUserDefaults",
            // CA92.1 = UserDefaults access for the app itself
            NSPrivacyAccessedAPITypeReasons: ["CA92.1"],
          },
          {
            NSPrivacyAccessedAPIType: "NSPrivacyAccessedAPICategoryFileTimestamp",
            // C617.1 = reading timestamps of files inside your own app
            NSPrivacyAccessedAPITypeReasons: ["C617.1"],
          },
          {
            NSPrivacyAccessedAPIType: "NSPrivacyAccessedAPICategorySystemBootTime",
            NSPrivacyAccessedAPITypeReasons: ["35F9.1"],
          },
        ],
      },
    },
  },
};

Pick reason codes from Apple's defined list that match your use. If you use UserDefaults to store the app's own settings, that is CA92.1; if you only read timestamps of files inside your own app, C617.1. Choosing a code that does not match reality is itself a false declaration, so I strongly recommend confirming the use before choosing.

Do not skip the third-party SDK check

This is the most overlooked pitfall. However well you set up your own app.config.ts, if AdMob or an analytics SDK does not carry its own privacy manifest, the warning will not clear.

The procedure looks like this.

Bump the SDK versions. Most major SDKs ship the manifest in their compliant releases. AdMob (the Google Mobile Ads SDK) has shipped it since a certain version too.
If an SDK update alone does not cover it, add the API categories that SDK touches to your own manifest and declare the reason.
Confirm that each SDK's .xcprivacy is included inside the built .app.

In my case, the warning persisted because of a leftover old analytics library. Bumping one SDK cleared two warnings at once, so I find it efficient to start from updating dependencies.

Verify it yourself before submitting

Waiting for the warning after submitting wastes time. After exporting the archive, I confirm the bundled state locally before submitting. I look inside the build artifact to eyeball whether both the app itself and the major SDKs carry a privacy manifest.

# List the manifests inside the exported .app
find MyApp.app -name "*.xcprivacy" -print
# e.g. MyApp.app/PrivacyInfo.xcprivacy
#      MyApp.app/Frameworks/GoogleMobileAds.framework/PrivacyInfo.xcprivacy

If your own app's manifest does not show up here, the app.config.ts declaration did not make it into the build. If an SDK's is missing, that SDK is non-compliant or out of date. After adding this one step, I almost stopped receiving warning emails.

Build it once and operation is light

A privacy manifest takes a lot of looking-up the first time, but once it is written correctly in app.config.ts it keeps shipping automatically on every build. All you need to check before release is whether a new feature trips a new Required Reason API.

Not stalling in review is unglamorous but ties straight to revenue. Lose a few days to a resubmission and that much AdMob impression and paid opportunity slides back. Next time you ship, make a habit of inserting that one verification command before submission. Your release rhythm steadies in proportion to the warning emails that stop arriving.

Thank You for Reading

Rork Lab is ad-free, supported entirely by members like you. We publish practical guides daily with implementation code, benchmarks, and production-ready patterns. If you've found it useful, we'd love to have you on board.