Good Idea, Flawed Execution

Prior to iOS 11, developers could leverage SFSafariViewController to interact with Safari in-app via a remote view controller for authentication. However, because this is a view controller, it can be hidden from the user. As a result, malicious actors abused this API to track end users without their consent. Apple’s strategy to combat this was to limit the data-sharing capabilities of this API to only the app (i.e. creating a sandbox)....

Privacy Manifest API List

As communicated at WWDC, Apple has published the list of APIs it now deems sensitive, and frameworks/apps must include a justification for using them. The APIs are divided into five categories: file timestamp access, system boot time access, disk space access, active keyboard access, and user defaults. As with some other recent attempts by Apple to prevent fingerprinting and tracking, legitimate use cases get caught in the crossfire. Take, for example, the file timestamp access APIs (both metadata and stat/fstat) and needing to reconcile data on device and a server....