iOS App Privacy Report: what it reveals about your app

Most privacy controls are things you configure; the App Privacy Report is something your users can see. It is a built-in iOS feature that shows people how often each app accessed sensitive data like location, camera, and microphone, and which network domains the app and its SDKs contacted. For a developer, that means your app's data access and network activity are visible to users in plain terms, including any unexpected third-party domains your SDKs reach. It is a transparency tool that rewards apps with clean, minimal behavior and exposes ones that over-access or contact surprising domains. Here is what the App Privacy Report shows and what it means for you.

Short answer

The App Privacy Report is an iOS feature, in Settings under Privacy and Security, that shows users how often each app accessed sensitive permissions, like location, camera, microphone, contacts, and photos, and the network domains each app contacted, including third-party domains. Per Apple's support documentation, it gives users transparency into app data access and network activity. For developers, it means your permission usage and the domains your app and its SDKs reach are visible to users, so an app that over-accesses sensitive data or contacts unexpected third-party domains, often through SDKs, is exposed. There is nothing to configure; the implication is to minimize unnecessary access and audit the domains your app contacts so what users see matches your privacy story.

What you should know

• The App Privacy Report is user-facing: a built-in iOS transparency feature.
• It shows permission access: how often apps used location, camera, mic, and more.
• It shows network domains: which domains each app, and its SDKs, contacted.
• SDK activity is visible: unexpected third-party domains show up.
• There is nothing to configure: the implication is to keep behavior clean.

What is the App Privacy Report?

It is an iOS feature that records and shows users their apps' privacy-relevant activity. When a user turns it on, iOS logs how often each app accessed sensitive resources, location, camera, microphone, contacts, photos, and the like, and the network domains each app contacted, then presents this in a report the user can review. The point is transparency: rather than relying on an app's stated privacy practices, the user can see what apps actually did on their device, both the permissions they used and the servers they talked to. The network section is particularly revealing, since it lists domains contacted not just by the app's own code but by its SDKs, so a user can see if an app reaches many third-party or advertising domains. For developers, the App Privacy Report turns your app's real behavior into something users can inspect.

What does it reveal about your app?

Your actual permission access and network activity, in user-readable form. The table lists what it surfaces.

The two things developers underestimate are how visible over-access is, an app that reads location far more often than its feature warrants stands out, and how revealing the network list is, since a user can see every domain your app and its SDKs contacted, including advertising and analytics endpoints they might not expect. So an app whose behavior does not match its stated purpose or privacy label becomes apparent to a curious user through the report.

What does it mean for developers?

That your real behavior is on display, so it should be clean and match your privacy story. There is nothing to implement for the App Privacy Report itself; the implication is in how your app behaves. Access sensitive permissions only as often as your features genuinely need, since frequent or background access to location, camera, or microphone is visible and invites suspicion. Audit the network domains your app contacts, including those reached by SDKs, and remove or reconfigure any that contact unexpected third-party or advertising endpoints you do not want users seeing, which is also good for performance and privacy. Keep this consistent with your App Privacy label and privacy manifest, since a user who sees the report contacting domains your label does not explain notices the gap. The principle is that the App Privacy Report rewards apps with minimal, justified access and clean network behavior, so build to that rather than to a privacy story that the report would contradict.

What to watch out for

The first trap is over-accessing sensitive permissions, which the report shows users as frequent or background access that does not match your features. The second is unexpected network domains, often from SDKs, that users can see and that may not match your privacy disclosures. The third is a gap between what the report reveals and your stated privacy practices. A pre-submission scan such as PTKD.com (https://ptkd.com) reads the compiled IPA against OWASP MASVS and surfaces the network endpoints and SDKs in your build, which is essentially what the App Privacy Report would show users, so you can clean up unexpected domains and align your behavior before users see it. The behavior itself you adjust in the app.

What to take away

• The App Privacy Report is a built-in iOS feature that shows users how often apps accessed sensitive permissions and which network domains they contacted, including via SDKs.
• It makes your app's real permission usage and network activity visible to users, exposing over-access and unexpected third-party domains.
• There is nothing to configure; minimize unnecessary access, audit the domains your app and SDKs contact, and keep behavior consistent with your privacy label and manifest.
• Use a pre-submission scan such as PTKD.com to see the endpoints and SDKs your app contacts, the same picture the App Privacy Report shows users, and clean it up first.