Skip to main content
Didit Raises $2M and Joins Y Combinator (W26)
Didit
Back to blog
Blog · March 13, 2026

Building a Compliant iOS Identity SDK with Swift and Privacy Manifests

Building a secure and compliant iOS identity verification SDK requires careful attention to Apple's privacy mandates, including Privacy Manifests and required reason APIs.

By DiditUpdated
building-a-compliant-ios-identity-sdk-with-swift-and-privacy-manifests.png

Apple's Privacy MandatesUnderstanding and implementing Apple's Privacy Manifests and required reason APIs is crucial for any iOS SDK handling sensitive user data, ensuring app store approval and user trust.

Secure Data HandlingImplementing robust data encryption, secure storage practices, and minimizing data collection are fundamental to protecting user identity information within your iOS applications.

Advanced Verification FeaturesIntegrating features like NFC verification, liveness detection, and 1:1 face matching enhances security and user experience, but necessitates strict compliance with privacy regulations.

Didit's AdvantageDidit provides a comprehensive, AI-native iOS SDK with built-in compliance for Apple's privacy requirements, offering plug-and-play identity verification, liveness, and NFC capabilities, all backed by a modular architecture and free Core KYC.

The Evolving Landscape of iOS Privacy: Privacy Manifests and Beyond

Apple has consistently reinforced its commitment to user privacy, making it a cornerstone of the iOS ecosystem. With recent updates, especially the introduction of Privacy Manifests and the enforcement of required reason APIs, developers building SDKs that handle sensitive user data face new obligations. For identity verification SDKs, which inherently deal with highly personal information, compliance is not just good practice—it's mandatory for App Store approval and maintaining user trust. A Privacy Manifest (PrivacyInfo.xcprivacy) declares the data your SDK collects, how it's used, and the third-party SDKs it links to. This transparency is vital for users to understand how their data is handled. Furthermore, specific APIs that access sensitive data (like UserDefaults for tracking or certain system information) now require developers to provide a clear, valid reason for their usage. Failing to adhere to these guidelines can lead to app rejections and erode user confidence.

Building a robust iOS identity SDK in Swift means more than just implementing functionality; it means embedding privacy by design. This includes careful consideration of data minimization—collecting only what is absolutely necessary—and ensuring all collected data is handled securely, both in transit and at rest. Developers must also be prepared to regularly review and update their privacy declarations as Apple's policies evolve, a continuous process to ensure ongoing compliance.

Core Components of a Compliant iOS Identity SDK

A modern iOS identity verification SDK needs to offer a suite of features while strictly adhering to privacy standards. Key components often include:

  • ID Verification (OCR, MRZ, Barcodes): Capturing and extracting data from government-issued documents. This process must be secure, ensuring images and extracted data are encrypted and processed in a compliant manner.
  • Passive & Active Liveness: Detecting whether a user is a real, present person and not a deepfake or a presentation attack. This involves analyzing facial movements, often requiring camera access and potentially microphone access for video-based liveness.
  • 1:1 Face Match: Comparing a selfie to the photo on an ID document to confirm identity. Biometric data, once captured, must be handled with extreme care, often processed on-device or with robust encryption to protect against breaches.
  • NFC Verification (ePassport/eID): Reading data directly from the chip of an ePassport or eID for enhanced security and data accuracy. This requires specific NFC permissions and careful handling of sensitive chip data.

Each of these features involves accessing sensitive user data or device capabilities. For instance, camera access for ID verification and liveness checks, microphone access for active liveness, and NFC access for ePassport reading. Each of these must be declared in the Info.plist with appropriate usage descriptions (e.g., NSCameraUsageDescription, NSMicrophoneUsageDescription, NFCReaderUsageDescription), and meticulously detailed in the Privacy Manifest. Developers should also implement robust error handling and user feedback mechanisms to guide users through the verification process transparently, explaining why certain permissions are needed.

Implementing Privacy Manifests and Required Reason APIs

Integrating Privacy Manifests into your iOS SDK involves creating a PrivacyInfo.xcprivacy file and declaring the data categories your SDK collects and the API categories it uses that require reasons. For an identity verification SDK, this typically includes:

  • Data Collection:
    • User ID (e.g., if you associate verification sessions with a unique user identifier provided by the integrating app).
    • Sensitive Data (e.g., ID document images, biometric data from face scans).
    • Precise Location (if used for fraud prevention, though often optional).
    • Photos or Videos (for document capture and liveness).
  • Required Reason APIs:
    • NSPrivacyAccessedAPICategoryDiskWriting: For securely storing temporary images or verification data on disk.
    • NSPrivacyAccessedAPICategoryUserDefaults: If your SDK uses UserDefaults for any configuration or state management that could be linked to a user.
    • NSPrivacyAccessedAPICategorySystemBootTime: If your SDK accesses device boot time for any anti-fraud measures.

Each declaration must be accompanied by a valid reason provided by Apple. For instance, for camera access, the reason would be to capture images of identity documents or perform liveness checks. It's important to be as specific as possible and avoid broad declarations. Furthermore, ensure that your SDK's dependencies also provide their own Privacy Manifests, or that you declare their data usage on their behalf, to avoid compliance gaps. Regularly auditing your SDK's code for API usage and data collection, and updating the Privacy Manifest accordingly, is a non-negotiable part of maintaining compliance.

Best Practices for Secure Swift Development

Beyond compliance documents, the code itself must be secure. Here are some Swift development best practices:

  • Data Encryption: Encrypt all sensitive data both in transit (using TLS 1.2 or higher) and at rest (using iOS's built-in data protection mechanisms).
  • Secure Storage: Avoid storing sensitive data directly in UserDefaults or unencrypted files. Use the Keychain for small pieces of highly sensitive data (e.g., API keys) and secure file storage with appropriate data protection classes for larger datasets.
  • Input Validation: Rigorously validate all inputs to prevent injection attacks and ensure data integrity.
  • Error Handling: Implement comprehensive error handling to gracefully manage failures and prevent information leakage.
  • Code Obfuscation and Tamper Detection: While not foolproof, these measures can deter reverse engineering and unauthorized modification of your SDK.
  • Regular Security Audits: Conduct frequent security reviews and penetration testing of your SDK to identify and address vulnerabilities.
  • Minimal Dependencies: Reduce your SDK's attack surface by minimizing external dependencies. If dependencies are necessary, ensure they are reputable and regularly updated.

These practices, combined with a deep understanding of Apple's Human Interface Guidelines for privacy, will help create an SDK that is not only functional but also trustworthy and compliant.

How Didit Helps

Didit is at the forefront of providing an AI-native, developer-first identity platform, designed with compliance and security as core tenets. Our iOS SDK is built using Swift, offering seamless integration for identity verification, liveness detection, and NFC verification. We handle the complexities of Apple's privacy mandates, ensuring our SDK is compliant with Privacy Manifests and required reason APIs, saving your development team significant time and effort.

Didit's modular architecture allows you to plug-and-play the exact identity checks you need, from robust ID Verification (OCR, MRZ, barcodes) to advanced Passive & Active Liveness and NFC Verification (ePassport/eID). Our solutions are AI-native, meaning they are constantly learning and adapting to new fraud vectors, providing superior accuracy and security. We offer Free Core KYC, allowing you to get started without upfront costs, and our pay-per-successful-check model, with no setup fees, makes enterprise-grade identity verification accessible to businesses of all sizes.

By leveraging Didit's iOS SDK, you benefit from a globally compliant solution that simplifies the integration of sophisticated identity verification workflows, allowing you to focus on your core product while ensuring a secure and privacy-respecting user experience.

Ready to Get Started?

Ready to see Didit in action? Get a free demo today.

Start verifying identities for free with Didit's free tier.

Infrastructure for identity and fraud.

One API for KYC, KYB, Transaction Monitoring, and Wallet Screening. Integrate in 5 minutes.

Start freeTalk to us
Ask an AI to summarise this page