Security

    How to check if my app uses 'restricted' APIs

    A 2026 view of a compiled iOS binary being scanned for restricted APIs, separating banned private symbols from required reason APIs that need a privacy manifest declaration

    "Restricted API" covers two different things that both cause problems at submission, and knowing which one you mean changes how you check. There are private, non-public APIs, which are outright banned and get you a 2.5.1 rejection, and there are required reason APIs, which are allowed but must be declared in your privacy manifest. Both often come from a dependency you did not write, so checking your own code is not enough. Here is how to find each kind in your app before Apple does.

    Short answer

    To check whether your app uses restricted APIs, you need to inspect the compiled binary and your dependencies, because the two kinds of restriction differ. Private, non-public APIs are prohibited and trigger a Guideline 2.5.1 rejection, while required reason APIs, like UserDefaults and file timestamps, are allowed but must be declared in your privacy manifest. Apple's automated checks flag both at upload, with emails about missing privacy manifest entries and rejections for private API references. The reliable way to find them yourself is to scan the binary for the symbols and audit each SDK, since a dependency commonly introduces a restricted API without your knowledge.

    What you should know

    • Two kinds of restriction: private APIs are banned; required reason APIs need declaring.
    • Private APIs fail 2.5.1: referencing non-public symbols is a rejection.
    • Required reason APIs need a manifest: declare an approved reason for each.
    • Dependencies are the usual source: an SDK can pull in either kind.
    • Scan the binary to find them: source review alone misses what SDKs add.

    What counts as a "restricted" API?

    Two categories, with different rules. The table separates them.

    KindExamplesRule
    Private, non-public APIsUndocumented selectors and symbolsBanned; causes a 2.5.1 rejection
    Required reason APIsUserDefaults, file timestamp, boot time, disk space, keyboardAllowed, but must be declared in the privacy manifest
    Entitlement-gated APIsCapabilities needing a specific entitlementAllowed only with the entitlement granted

    Private APIs are the strict no: Apple's automated analysis scans your binary for symbols matching non-public selectors and rejects the app under 2.5.1. Required reason APIs are different, since they are legitimate to use, but Apple requires you to declare an approved reason for each in your PrivacyInfo.xcprivacy file, and missing declarations draw warnings or rejection. So "restricted" might mean either, and the fix depends on which.

    How do you check your app for them?

    Inspect the binary and the dependencies, and heed Apple's automated signals. Start with the upload feedback: when you upload a build, Apple's automated checks email you about required reason APIs used without a manifest entry and reject builds that reference private APIs, so those messages name the problem area. To find issues before that, scan the compiled binary for the symbols rather than trusting a source review, because a dependency can introduce a restricted API your own code never calls. Audit each third-party SDK, checking whether it declares a privacy manifest and whether it is known to use private APIs, and update or replace any that do. The goal is to know what symbols and APIs are actually present in the build you submit.

    What do you do when you find one?

    It depends on the kind. For a private API reference, you must remove it, which usually means finding the SDK that introduced the symbol and updating it to a version that no longer uses the private call, or replacing the dependency entirely, since you cannot ship the private reference. For a required reason API, you do not remove it; instead you add the approved reason to your privacy manifest, and if a dependency uses it, gather that library's required reasons into your app's manifest. For an entitlement-gated API, confirm you have the entitlement and that your usage matches it. In every case, the move is to identify the exact symbol and the code that brought it in, then act at the source.

    What to watch out for

    The first trap is assuming your own code is clean and stopping there, when restricted APIs most often arrive through a third-party SDK. The second is treating a required reason API like a private API and trying to remove it, when it just needs a manifest declaration. The third is ignoring Apple's automated upload emails, which point straight at the problem. A pre-submission scan such as PTKD.com (https://ptkd.com) reads the compiled IPA against OWASP MASVS and surfaces the SDKs, symbols, and API usage in your build, so you can see which restricted APIs are present and which dependency introduced them before review flags it. That turns a guessing game into a targeted fix.

    What to take away

    • "Restricted API" usually means either a banned private API, which causes a 2.5.1 rejection, or a required reason API, which is allowed but must be declared in your privacy manifest.
    • Both commonly come from a third-party SDK, so checking only your own code misses them.
    • Use Apple's automated upload feedback, audit your SDKs, and scan the binary for the actual symbols present.
    • For a private API, remove or replace the SDK; for a required reason API, declare it; and use a pre-submission scan such as PTKD.com to find which are in your build.
    • #restricted-api
    • #private-api
    • #required-reason-api
    • #guideline-2-5-1
    • #privacy-manifest
    • #binary-analysis
    • #ios

    Frequently asked questions

    What does 'restricted API' mean for iOS apps?
    It usually means one of two things. Private, non-public APIs are undocumented symbols Apple bans, and referencing them causes a Guideline 2.5.1 rejection. Required reason APIs, such as UserDefaults, file timestamps, boot time, disk space, and the keyboard, are allowed but must be declared with an approved reason in your privacy manifest. So 'restricted' can mean banned or merely must-be-declared, and the fix depends on which kind you are dealing with.
    How do I find private APIs in my app?
    Scan the compiled binary for symbols matching non-public selectors, rather than trusting a source review, because a dependency can introduce a private API your own code never calls. Apple's automated analysis also scans for these at upload and rejects builds that reference them under 2.5.1, so the rejection feedback points at the area. Audit each SDK, since the private reference is usually dragged in by a third-party library rather than written by you.
    How do I find required reason API usage?
    Check your code and dependencies for the APIs in the required reason categories, and watch for Apple's automated emails about a missing privacy manifest entry after upload. Each dependency may use one for you, so inspect whether your libraries declare a privacy manifest and gather their required reasons into yours. Scanning the binary helps confirm which of these APIs are actually present so your manifest declares an approved reason for each.
    What do I do if my app uses a restricted API?
    It depends on the kind. For a private API, remove it, usually by updating the SDK that introduced the symbol to a version that no longer uses it, or replacing the dependency, since you cannot ship the private reference. For a required reason API, do not remove it; add the approved reason to your privacy manifest and include any reasons your dependencies require. For an entitlement-gated API, confirm you have the entitlement and your usage matches.
    How can a scan help find restricted APIs?
    A pre-submission scan such as PTKD.com reads the compiled IPA against OWASP MASVS and surfaces the SDKs, symbols, and API usage present in your build, so you can see which restricted APIs are there and which dependency introduced each one before review flags it. That lets you make a targeted fix, removing a private API at its source or declaring a required reason API, instead of guessing after a rejection.

    Keep reading

    Scan your app in minutes

    Upload an APK, AAB, or IPA. PTKD returns an OWASP-aligned report with copy-paste fixes.

    Try PTKD free