How can I provide unconditional access to a Google Account? - ios

As per Apple's App Store review guidelines, if the app I'm making requires sign-in, then I must provide Apple testers with credentials.
My app exclusively uses Google Accounts, and since I am working for an organization, I am required to only allow accounts that are registered in the database as "students". Keep in mind when I say organization, I mean one that is exempt from using "Sign in with Apple".
I created a dummy Google Account to allow sign-in, and provided credentials to Apple. However, they got prompted to enter in a phone number, since their device was not recognized. What can I provide them with so that they will have unconditional access to my account, whether they are on a legitimate device, or a simulator behind a hundred proxies?
2FA is not enabled, nor are any recovery methods specified, so to be fully transparent I am not really sure which phone number Google seems to want. Here is the prompt Apple has got.
I have already enabled the "less secure access" feature in the Google Account dashboard, but seeing as the Apple review process can be quite lengthy, I want to make sure I got this right before submitting.

Related

Will Apple accept my app if I disable Sign in with Third parties

Apple just rejected my app because I don't offer Sign in with Apple, as my app allows login with Google and LinkedIn. These (sign in with Google and LinkedIn) are configurable: if some user doesn't want this, it will be disabled by the admin.
So can I try again, removing this option for the user we give to Apple for review, and also tell them it's configurable and not mandatory? Will Apple accept my app?
Thanks
Personally I do not recommend using different configurations only for the App Store review process, because you can get rejected from App Store completely for cheating on the process. Read more at:
https://developer.apple.com/app-store/review/guidelines/#introduction
If you attempt to cheat the system (for example, by trying to trick
the review process, steal user data, copy another developer’s work,
manipulate ratings or App Store discovery) your apps will be removed
from the store and you will be expelled from the Apple Developer
Program.
About Apple Sign In, here are Apple's guidelines regarding this feature:
4.8 Sign in with Apple
Apps that exclusively use a third-party or social login service (such
as Facebook Login, Google Sign-In, Sign in with Twitter, Sign In with
LinkedIn, Login with Amazon, or WeChat Login) to set up or
authenticate the user’s primary account with the app must also offer
Sign in with Apple as an equivalent option. A user’s primary account
is the account they establish with your app for the purposes of
identifying themselves, signing in, and accessing your features and
associated services.
Sign in with Apple is not required if:
· Your app exclusively uses your company’s own account setup and
sign-in systems.
· Your app is an education, enterprise, or business app that requires
the user to sign in with an existing education or enterprise account.
· Your app uses a government or industry-backed citizen identification
system or electronic ID to authenticate users.
· Your app is a client for a specific third-party service and users
are required to sign in to their mail, social media, or other
third-party account directly to access their content.
Read more:
https://developer.apple.com/app-store/review/guidelines/#sign-in-with-apple

Offering account deletion in your app via a website

In Apple's guidelines about Offering account deletion in your app, it states the following:
If people need to visit a website to finish deleting their account,
include a link directly to the page on your website where they can
complete the process.
However, in the FAQ section of the same page, it states:
If my app links out to the default web browser for account creation,
does it still need to offer account deletion within the app?
Yes. Additionally, note that linking out to the default web browser to
sign in or register an account provides a poor user experience and is
not appropriate, per App Store Review Guideline 4.
Given the above information, would having a button in the app that says "request account deletion" that opens a website to complete account deletion requests be compliant with Apple's guidelines? In other words, is it ok to just have a website for the account deletion request process (link to this website will be available from the app), or is it required that the account deletion request process be completed on the app itself?
Everything needs to happen within the app, either natively or via an embedded browser for both user sign-ups and user account deletion.
From my experience, Apple doesn't like "Request" or "Deactivate" as a default modus operandi and prefers only "DELETE" and "IMMEDIATELY".
See https://developer.apple.com/design/human-interface-guidelines/patterns/managing-accounts/
If you help people create an account within your app or game, you must
also help them delete it, not just deactivate it. In addition to
following the guidelines below, be sure to understand and comply with
your region’s legal requirements related to account deletion and the
right to be forgotten.
Also see https://developer.apple.com/support/offering-account-deletion-in-your-app/
If my app links out to the default web browser for account creation, does it still need to offer account deletion within the app?
Yes. Additionally, note that linking out to the default web browser to
sign in or register an account provides a poor user experience and is
not appropriate, per App Store Review Guideline 4.
See the responses below from Apple on both issues.
Guideline 4.0 - Design
We noticed that the user is taken to the default web browser to sign
in or register for an account, which provides a poor user experience.
Next Steps
To resolve this issue, please revise your app to enable users to sign
in or register for an account in the app.
You may also choose to implement the Safari View Controller API to
display web content within your app. The Safari View Controller allows
the display of a URL and inspection of the certificate from an
embedded browser in an app so that customers can verify the webpage
URL and SSL certificate to confirm they are entering their sign in
credentials into a legitimate page.
and
Guideline 5.1.1(v) - Data Collection and Storage
We noticed that your app supports account creation but does not
include an option to initiate account deletion that meets all the
requirements. Specifically:
Your app only offers to deactivate the account. Temporarily deactivating accounts is not sufficient to meet the account deletion
requirement.
The process for initiating account deletion must provide a consistent,
transparent experience for App Store users.
Next Steps
It would be appropriate to revise your app to address the issues
identified above and resubmit your app once the account deletion
option meets all the requirements.
If you believe your current account deletion option meets all the
requirements, either because your app operates in a highly-regulated
industry or for some other reason, reply to this message and provide
additional information or documentation.
Resources
Review frequently asked questions and learn more about the account deletion requirements.
Yes, you have to provide an account deletion or account deactivation option on the website as well.

Apple Rejection For Third Party Sign Up

The Apple Review team rejected the application with the reason:
"We noticed that your app uses a third-party login service but does not offer Sign in with Apple."
This is even though the application also has a normal sign-up process with email and password.
Is it mandatory to have Apple sign-in in iOS 13 apps?
Update 3 (March 04, 2020)
The App Store Review Guidelines have been updated to cover cases that use both third party and their own sign in services. Those apps are now required to offer Sign in with Apple. Therefore I'll be updating my apps to support Sign in with Apple and I recommend you do the same if you fall into this category.
Original Answer:
So my app just got rejected for the exact same reason. My app offers regular email and password authentication as well as Facebook and Google login. Here are a few interesting things that I found while reading the App Store Review Guidelines.
1. It says:
Apps that exclusively use a third-party or social login service (such as Facebook Login, Google Sign-In, Sign in with Twitter, Sign In with LinkedIn, Login with Amazon, or WeChat Login) to set up or authenticate the user’s primary account with the app must also offer Sign in with Apple as an equivalent option.
But my app does NOT EXCLUSIVELY use a third-party or social login service. It also uses our own email/password method. In fact the email and password method is on top and thus assumed to be the main method of authentication. So I feel like this rule does not apply to my app.
2. It also says:
Sign in with Apple is not required if:
Your app exclusively uses your company’s own account setup and sign-in systems...
3. The first 2 rules don't cover my app's case.
My app does NOT EXCLUSIVELY use third-party login services and does NOT EXCLUSIVELY use our own method. It uses both. So it's neither required to implement the Sign in with Apple nor exempt from implementing it.
4. I submitted 2 apps for review in the same day with the exact same authentication methods and only one of them got rejected.
Yesterday I submitted 2 apps for review that are part of the same project and have the exact same authentication methods with the exact same auth screen design. They both got in review at the same time. The first one got approved and the second one got rejected for not implementing Sign in with Apple. Funny, right?
So unless they update the Review Guidelines to cover a case where you use both methods of authentication I believe we are not violating any rule. I'm trying to argue with the review team that my rejected app does not violate the App Store Review Guidelines and they should not have rejected it.
I'll update my answer when this gets resolved, but till then it might actually help if others who face the same issue point this out to the review team. We'll either win our case and get our apps approved or they'll update their Review Guidelines to cover our case. Either way it'll be helpful for others in the future.
Update 1
Apple kinda understood that this is not right and my app's status changed from Binary Rejected to In Review. Now I'm waiting to see what they decide.
Update 2
After about 40 hours of being "In Review" my app finally got approved and is now "Ready for Sale". I can't believe it, but it finally feels like someone listened and understood the arguments that I made.
If you use any third-party sign-in feature, e.g. Facebook, Twitter, Google etc, you must now provide Apple Sign In as an additional option.
It's important to remember if you use solely a custom login system (i.e. email and password) then you do not need to include Apple Sign In.
4.8 Sign in with Apple
Apps that exclusively use a third-party or social login service (such as Facebook Login, Google Sign-In, Sign in with Twitter, Sign In with LinkedIn, Login with Amazon, or WeChat Login) to set up or authenticate the user’s primary account with the app must also offer Sign in with Apple as an equivalent option. A user’s primary account is the account they establish with your app for the purposes of identifying themselves, signing in, and accessing your features and associated services.
Sign in with Apple is not required if:
Your app exclusively uses your company’s own account setup and sign-in systems.
Your app is an education, enterprise, or business app that requires the user to sign in with an existing education or enterprise account.
Your app uses a government or industry-backed citizen identification system or electronic ID to authenticate users.
Your app is a client for a specific third-party service and users are required to sign in to their mail, social media, or other third-party account directly to access their content.
Further reading can be found here: https://developer.apple.com/app-store/review/guidelines/
Bad news: the word "exclusively" was removed from the guidelines in early March.
Apps that use a third-party or social login service (such as Facebook Login, Google Sign-In, Sign in with Twitter, Sign In with LinkedIn, Login with Amazon, or WeChat Login) to set up or authenticate the user’s primary account with the app must also offer Sign in with Apple as an equivalent option
Basically, yes. New apps that use sign-in must provide sign-in with Apple as an option. Existing apps that use sign-in must provide sign-in with Apple by April 2020.
We’ve updated the App Store Review Guidelines to provide criteria for
when apps are required to use Sign in with Apple. Starting today [Sept
12, 2019], new apps submitted to the App Store must follow these
guidelines.
(Source: https://developer.apple.com/news/?id=09122019b)
App Store Review Guidelines
4.8 Sign in with Apple
Apps that exclusively use a third-party or social login service (such
as Facebook Login, Google Sign-In, Sign in with Twitter, Sign In with
LinkedIn, Login with Amazon, or WeChat Login) to set up or
authenticate the user’s primary account with the app must also offer
Sign in with Apple as an equivalent option. A user’s primary account
is the account they establish with your app for the purposes of
identifying themselves, signing in, and accessing your features and
associated services.
Sign in with Apple is not required if:
· Your app exclusively uses your company’s own account setup and
sign-in systems.
· Your app is an education, enterprise, or business app that requires
the user to sign in with an existing education or enterprise account.
· Your app uses a government or industry-backed citizen identification
system or electronic ID to authenticate users.
· Your app is a client for a specific third-party service and users
are required to sign in to their mail, social media, or other
third-party account directly to access their content.
(Source: https://developer.apple.com/app-store/review/guidelines)
This morning my app also got rejected for the same reason, but I was not using any third-party sign-up.
After the rejection, I realised that in the side menu under the login button, I have 5 social media buttons linking to their respective social media pages, so I replied to the Resolution Center that I am using regular email-based registration and login. Also, I shared screenshots of both screens (Login & Register). After 7-8 hours the status changed to 'In Review', and 10 minutes later Apple approved it and it went live.

Apple or Google have USB keys that can be used for MFA

I am creating a Google account and an Apple ID with a group work account. During registration, it asks for a mobile number to be linked to that account so that they can send a verification code to it. This account will be used by a group of people, and I don't want to put in just a personal mobile number, and I don't want to buy a new mobile number, as it won't be used by anyone and it will expire sooner or later. Is there any other option? I am not sure if Apple or Google have USB keys that can be used for MFA instead of a mobile number?
I don't know about iOS. But Google offers a variety of means, including printed backup codes. They are described here. Yubico also offers hardware keys that can be used.

Provide AppStore reviewers with Facebook test accounts

Our iOS app requires users to log in using their Facebook account and we need to provide the AppStore reviewers with a test account(s).
Can we take for granted that Apple have their own Facebook accounts that they use to test out apps that solely rely on Facebook for login?
Do we need to set up a Facebook "test user" via their Test User API?
Grateful for any pointers from someone who did this.
Short answer: assume they have an account.
I think you're in a bit of a catch-22 here. It's probably against Facebook's terms of service to create a test account and hand those details to a third party... but, you're right, Apple may ask you for details.
However, in practice, they seem not to. One of my apps requires a login to a third-party website and I just put "you need an account" in the iTC notes section. I've been rejected once (since 2008) because I didn't specify a specific username/password. I explained why (see first paragraph) and it sailed through on the next attempt.
Having said that, apparently Facebook allows a way of creating test accounts. This is probably what you want to do if they insist.
For any app that requires a login you need to provide Apple with a guest/demo login account to test the app. So yes, give Apple a login/password to use.
