RORK LABJP
TOOLING — Rork's developer repos keep moving: rork-xcode was updated on July 16, rork-device on July 15, and rork-plist on July 13OPUS46 — Claude Opus 4.6 is live in Rork, and Rork Max is built to assemble apps on top of Claude CodeSIM — A cloud iOS simulator runs in the browser, with one click to install on a device and two clicks to publish to the App StoreMAX — Rork Max emits pure Swift rather than React Native, reaching iPhone, iPad, Apple Watch, Apple TV, Vision Pro, and even iMessageNATIVE — That opens up HealthKit, ARKit and LiDAR, NFC, Dynamic Island, Live Activities, 3D through Metal, and on-device inference with Core MLSEED — Rork raised a $15M seed led by Left Lane Capital, with Peak XV and a16z Speedrun joining the roundTOOLING — Rork's developer repos keep moving: rork-xcode was updated on July 16, rork-device on July 15, and rork-plist on July 13OPUS46 — Claude Opus 4.6 is live in Rork, and Rork Max is built to assemble apps on top of Claude CodeSIM — A cloud iOS simulator runs in the browser, with one click to install on a device and two clicks to publish to the App StoreMAX — Rork Max emits pure Swift rather than React Native, reaching iPhone, iPad, Apple Watch, Apple TV, Vision Pro, and even iMessageNATIVE — That opens up HealthKit, ARKit and LiDAR, NFC, Dynamic Island, Live Activities, 3D through Metal, and on-device inference with Core MLSEED — Rork raised a $15M seed led by Left Lane Capital, with Peak XV and a16z Speedrun joining the round
Articles/Dev Tools
Dev Tools/2026-05-23Advanced

Auditing Privacy Manifests for Rork-Generated Expo Apps — A One-Day Pre-Submission Workflow for Indie Developers

A pre-submission workflow for indie developers shipping Rork-generated Expo apps. Walks through how to enumerate every dependency, detect missing PrivacyInfo.xcprivacy files, and ship without ITMS-91053 rejections — based on twelve years of personal app development.

Privacy Manifest5SDK auditRequired Reason API4Rork515Expo149App Store Review8ITMS-910532indie developer37

Premium Article

When you are shipping iOS apps on your own, getting back "ITMS-91053: Missing API declarations" from App Store Connect on release day tends to eat the entire day. I have been running wallpaper and mindfulness apps as an indie developer since 2014, with a combined fifty million downloads across the catalog, and after Privacy Manifests became mandatory in 2024, the rate of last-minute rejections rose noticeably.

The hardest part was that the rejections almost never came from code I had written. A native library deep inside the Rork-generated Expo project was calling UserDefaults, and one missing declaration was enough to halt the whole submission. Apple's automated checks are stricter than human reviewers, and the reason text can take hours to surface. If you only react after the fact, your monthly release plan starts to slip.

This guide lays out how to move from "post-rejection mode" to "pre-submission audit mode" for Rork-generated Expo and React Native apps. The goal is to walk you through a half-day to one-day workflow that exhaustively reviews the SDK chain, so that you can leave with a working npm ls + find-based audit script in your repo by the end of reading.

Why "react after rejection" is too slow

Reacting after rejection is heavier than it looks. The shortest realistic loop after a single rejection looks like this. Two to six hours for the rejection email to arrive after upload. One to three hours to pinpoint which SDK is causing it. Thirty minutes to two hours to edit PrivacyInfo.xcprivacy and rebuild via EAS Build. Another hour for re-upload and processing. Even on a good day you are losing half a day, and on a bad day a day and a half.

In spring 2024 I went through this loop three times in a row on a new wallpaper app. Builds that passed before AdMob was added started failing with UserDefaults-related Required Reason violations after adding AdMob. Adding RevenueCat then surfaced an NSPrivacyAccessedAPICategoryDiskSpace requirement. Every SDK addition cost one rejection, and the release date slipped a full week.

Switching to a pre-submission audit eliminated almost all ITMS-91053 rejections from my release flow. The audit shifted the work from "gambling on review luck" to a process I can reproduce.

Understanding the structure of the SDK chain

Privacy Manifests are hierarchical. It is rare for a single root PrivacyInfo.xcprivacy to cover everything; each native module needs its own. Apple's automated review runs against the built .ipa as a whole, so a single missing manifest anywhere in the dependency tree fails the entire submission.

A typical Rork-generated Expo app has three layers of dependencies.

  • The app itself (iOS project generated from app/ and app.json)
  • The Expo SDK family (expo-* modules, roughly 20–40 packages)
  • Third-party React Native libraries (ads, billing, analytics, storage, notifications — five to fifteen packages)

You only need to author the manifest for the first layer yourself. The other two depend on whether the SDK author has shipped one. As of May 2026, Expo SDK 53 and 54 cover essentially every module, but third-party libraries are still uneven.

A particularly tricky case is Expo Config Plugins that inject native code dynamically. Because Plugin-driven files are generated at EAS Build time, grepping the local ios/ folder will miss them. I once spent a full day discovering that the output of expo-notifications' plugin did not include PrivacyInfo.xcprivacy. Once you know that vector exists, the fix is mechanical, but if you do not know to look there, it can vaporize a release window.

Thank you for reading this far.

Continue Reading

What follows includes implementation code, benchmarks, and practical content we hope you'll find useful. This site runs without ads — server and development costs are supported entirely by members like you. If it's been helpful, we'd be truly grateful for your support.

WHAT YOU'LL LEARN
A reproducible 30-minute script that lists every native dependency in a Rork-generated app and flags which ones lack PrivacyInfo.xcprivacy
A May 2026 cheat sheet for AdMob, Firebase, RevenueCat, MMKV, Sentry, and other SDKs that personal developers actually ship
A pre-submission workflow that turns post-rejection scramble into a calm, repeatable process — backed by real ITMS-91053 case studies
Secure payment via Stripe · Cancel anytime

Unlock This Article

Get full access to the rest of this article. Buy once, read anytime. This site is ad-free — your support goes directly toward keeping it running.

or
Unlock all articles with Membership →
Share

Thank You for Reading

Rork Lab is ad-free, supported entirely by members like you. We publish practical guides daily with implementation code, benchmarks, and production-ready patterns. If you've found it useful, we'd love to have you on board.

  • Copy-paste ready implementation code
  • New advanced guides published daily
  • $5/mo or $10 for lifetime access
View Membership →

Related Articles

Dev Tools2026-06-14
When Your Rork App Gets ITMS-91053 — A Practical Guide to Privacy Manifests and Required Reason APIs
Submitting a Rork-generated Expo app to the App Store can trigger Privacy Manifest warnings even when you never wrote the offending code. Here is how to clear both Required Reason API and SDK manifest issues before you submit.
Dev Tools2026-06-26
Keep Your Rork App's Review From Stalling on a Privacy Manifest Gap
Handle PrivacyInfo.xcprivacy and Required Reason APIs in a Rork Expo app — a common cause of App Store review stalls — with the app.config.ts setup and a step-by-step check of third-party SDKs.
Dev Tools2026-06-19
Make ITMS-91053 Stop Catching Your Rork Max App — A Release-Proof Privacy Manifest Workflow
Fixing ITMS-91053 once doesn't keep it away — every new dependency can bring it back. Here's a field-tested workflow to audit your dependency tree, generate declarations, and catch the rejection locally before you upload.
📚RECOMMENDED BOOKS
Build a Large Language Model (From Scratch)
Sebastian Raschka
LLM Dev
Prompt Engineering for LLMs
Berryman & Ziegler
Prompting
AI Engineering
Chip Huyen
AI Eng
* Contains affiliate links
See all →