CleanorLabs
Support
Reference

Entitlements (iOS)

Entitlements are key-value capabilities embedded in an iOS app's code signature that grant access to protected system features — such as iCloud, push notifications, App Groups, or HealthKit. They are declared at build time and enforced by the OS at runtime.

Build & packagingiOSiPadOS

Entitlements (iOS)

Also known as: ios entitlements, app entitlements, ios entitlements

Entitlements are key-value capabilities embedded in an iOS app's code signature that grant access to protected system features — such as iCloud, push notifications, App Groups, or HealthKit. They are declared at build time and enforced by the OS at runtime.

  • Entitlements are capability key-value pairs embedded directly in the app's code signature.
  • They must match the capabilities enabled in the app's provisioning profile or signing fails.
  • Photo-library access is a runtime Info.plist usage permission, not a code-signing entitlement.

What entitlements do

An entitlement is a signed key-value pair that authorizes an app to use a restricted capability. They live in an `.entitlements` property-list file at build time and are baked into the app's code signature when it is signed. Common examples include `com.apple.developer.icloud-services`, App Groups (`com.apple.security.application-groups`), push notifications (`aps-environment`), and Keychain access groups.

Entitlements are validated against the app's provisioning profile, which must enable the same capabilities in the Apple Developer portal. If an app requests an entitlement it was not provisioned for, code signing or installation fails. Because they are part of the signature, entitlements cannot be edited after signing without re-signing the app.

Entitlements vs usage-description permissions

Entitlements are often confused with privacy permissions, but they are distinct. Access to the photo library is a runtime permission gated by a usage-description string in the Info.plist (`NSPhotoLibraryUsageDescription`) plus a user prompt via PhotoKit — not a classic entitlement. App Groups, iCloud containers, and shared storage, by contrast, are true entitlements granted at signing time.

For a storage cleaner like Cleanor, the photo-access flow combines a PHAsset authorization prompt (driven by the Info.plist string) with any entitlements needed to share data between an extension and the main app. Once the user grants library access, the app can scan for duplicate photos, similar photos, and large videos to free up space.

Related terms

Keep reading the reference.

Build & packagingInfo.plistInfo.plist is the required property-list manifest in every iOS, iPadOS, and macOS app bundle. It declares core metadata — bundle identifier, version, supported devices — plus the usage-description strings that gate access to the photo library, camera, and other protected data.iOSiPadOSmacOSPrivacy & securityApp permissionsApp permissions are the approvals an app must request before reaching sensitive data or hardware — photos, contacts, location, camera, microphone. You grant or revoke them per app, and reviewing them is one of the easiest privacy wins.iOSAndroidGeneraliOS developmentPhotoKitPhotoKit is Apple's framework for reading and managing a user's Photos library on iOS and iPadOS. It exposes the library through the Photos and PhotosUI modules, letting an app fetch photos and videos, load image data, and request edits or deletions through a permission-gated, change-aware API.iOSiPadOSPrivacy & securityApp sandboxingApp sandboxing isolates each app in its own restricted container so it can only touch its own files and the data you explicitly allow — not other apps or the rest of the system. It is a core reason phone apps are hard to weaponize against each other.iOSAndroidmacOSGeneral

Act on it

Guides and tools for this topic.

Cleanor for iOS