App Store Compliance

ITMS-91061: Missing privacy manifest for a third-party SDK — the fix

App Store Connect flagged ITMS-91061 for a third-party SDK. What the error means, how to find which dependency is missing its privacy manifest, and the two ways to resolve it.

By · · 7 min read

Your build uploaded, then App Store Connect emailed you something like:

ITMS-91061: Missing privacy manifest — Your app includes the
"SomeSDK" SDK, which is a designated data-collection SDK or a
commonly-used third-party SDK. Include a privacy manifest file in
"SomeSDK". For more details about privacy manifest files, visit:
https://developer.apple.com/documentation/bundleresources/privacy-manifest-files

ITMS-91061 is different from ITMS-91053. ITMS-91053 is about your code missing Required Reason API declarations. ITMS-91061 is about a third-party SDK you bundle that didn’t ship its own privacy manifest — and the fix is mostly out of your hands.

This walks through what triggers it, how to identify the offending SDK, and the two real resolution paths.

For where this fits in the bigger submission picture, see every URL and file Apple requires for an iOS App Store submission.

What ITMS-91061 means

Since May 1, 2024, Apple maintains a list of “commonly used” third-party SDKs that are required to include a privacy manifest (PrivacyInfo.xcprivacy) and a valid code signature inside the SDK itself. If your app bundles a version of one of these SDKs that predates its privacy-manifest support, App Store Connect flags ITMS-91061.

The list includes the SDKs you’d expect: major analytics, ad networks, crash reporters, A/B testing, push providers, and a long tail of utility libraries. Apple updates the list periodically.

The Apple reference for what the SDK is supposed to contain: Adding a privacy manifest to your app or third-party SDK.

Important: as of the 2024 enforcement, ITMS-91061 is usually a warning (the build still processes) — but Apple has been progressively converting these to hard rejections. Treat it as a blocker; don’t ship on top of it.

Step 1: Identify the offending SDK

The email names the SDK. If it’s vague or you have transitive dependencies, find the actual binary:

# List frameworks bundled in your archive's .app
ls -1 "YourApp.xcarchive/Products/Applications/YourApp.app/Frameworks"

# Check whether a given framework contains a privacy manifest
unzip -l SomeSDK.xcframework.zip | grep -i "PrivacyInfo.xcprivacy"

# For a .framework already in your project:
find SomeSDK.framework -name "PrivacyInfo.xcprivacy"

No PrivacyInfo.xcprivacy inside the framework bundle = that SDK is the cause.

Step 2: Update the SDK (the correct fix)

The right resolution is almost always: update the SDK to a version that ships its own privacy manifest. Every SDK on Apple’s required list has, by now, released a privacy-manifest-bearing version.

# CocoaPods
pod update SomeSDK
pod outdated   # see which pods have newer versions

# Swift Package Manager
# In Xcode: File → Packages → Update to Latest Package Versions
# Or bump the version requirement in Package.swift and resolve

# Carthage
carthage update SomeSDK --use-xcframeworks

After updating, verify the manifest is now present:

find . -path "*SomeSDK*" -name "PrivacyInfo.xcprivacy" -print

Re-archive (clean build folder first), re-upload. The warning clears once the bundled SDK contains its manifest.

Step 3: If the SDK has no updated version

Some abandoned or niche SDKs never shipped a privacy manifest. Your options, in order of preference:

  1. Replace the SDK. If it’s an analytics or utility library with a maintained alternative, switch. This is the only fully clean path.
  2. Vendor a privacy manifest into the SDK. If you have the SDK as source (not a binary .xcframework), you can add a PrivacyInfo.xcprivacy to its bundle declaring the data it collects and the Required Reason APIs it uses. This is legitimate — Apple’s docs explicitly describe third-party SDK manifests — but you’re now responsible for accurately declaring someone else’s data practices, which means reading their code.
  3. Remove the SDK. If it’s not load-bearing, the fastest unblock is deleting it.

You generally cannot satisfy ITMS-91061 by adding declarations to your app’s PrivacyInfo.xcprivacy — Apple wants the manifest inside the SDK bundle specifically, because the SDK’s data practices are the SDK’s to declare.

Step 4: Sanity-check your own app’s manifest while you’re here

ITMS-91061 (SDK manifest missing) and ITMS-91053 (your Required Reason API declarations missing) often arrive together because both are part of the 2024 privacy-manifest enforcement wave. While you’re updating SDKs, confirm your own PrivacyInfo.xcprivacy is complete:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>NSPrivacyTracking</key>
  <false/>
  <key>NSPrivacyTrackingDomains</key>
  <array/>
  <key>NSPrivacyCollectedDataTypes</key>
  <array/>
  <key>NSPrivacyAccessedAPITypes</key>
  <array>
    <dict>
      <key>NSPrivacyAccessedAPIType</key>
      <string>NSPrivacyAccessedAPICategoryUserDefaults</string>
      <key>NSPrivacyAccessedAPITypeReasons</key>
      <array><string>CA92.1</string></array>
    </dict>
  </array>
</dict>
</plist>

See the ITMS-91053 guide for the full Required Reason API code reference, or our privacy manifest generator which derives the right codes from a wizard.