unique identifier on iOS that user can reset - ios

In my iOS app, I am looking for a unique identifier that lets me distinguish between users while keeping the users completely anonymous to us, the providers of the app.
Scenario: I am building "make comments" function in the app which will be sent to a moderator before being published in the discussion area in the app. The user's identity should be anonymous to me and to anyone who may hack into my system storage that contains discussion content (think GDPR).
The best iOS library option seems to be identifierForVendor, but the user has no easy control over resetting that identifier.
I like the IDFA library more, as the user can be completely anonymous and at their discretion set their identifier to all zeroes using built-in Apple settings. BUT I am not serving advertising. Is Apple still rejecting apps that use IDFA but have no ads?
Other ideas?
Thanks.

Related

Do I need to use User Tracking if I use Admob?

I added the App Tracking Transparency dialog in my code to ask users if they allow tracking.
My app was rejected in the App Store Connect -
Your app contains NSUserTrackingUsageDescription, indicating that you will request permission to track users.
But now I'm not sure if I really need to use tracking?
I simply use Admob to show ads, and have only one app, so I don't need to collect data?
I have no idea what type of ads Admob shows the users (personalized/not personalized)
I assumed that everyone who uses Admob should show that User Tracking permission for ios14+, but do I really? Why do I need to collect data?
No, you don't need NSUserTrackingUsageDescription if you use Admob.
You can use this permission if, for example, you want to get the advertising ID of the device.
Remember to delete NSUserTrackingUsageDescription from Info.plist if you don't use it, so your app doesn't get rejected.
Also, if you used this permission, remember to change the privacy settings of the app on the App Store:
go to App Privacy and, in the data types section, click Edit, select Identifiers (Device ID) and set this one as used for tracking purposes. Make sure that this is the only one selected as used for tracking.
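The answer above ties the tracking permission to reading the device's advertising ID. The following Swift sketch is an added example, not code from the original posts; the function name `advertisingIdentifierIfAllowed` is hypothetical. It shows that relationship: the identifier is only meaningful when the user has authorized tracking, and is all zeroes otherwise.

```swift
import Foundation
import AdSupport
import AppTrackingTransparency

// The value the system returns when tracking is not allowed.
let zeroIDFA = UUID(uuidString: "00000000-0000-0000-0000-000000000000")!

/// Hypothetical helper: calls back with the advertising identifier,
/// or nil when the user has not allowed tracking.
func advertisingIdentifierIfAllowed(_ completion: @escaping (UUID?) -> Void) {
    // Treat the all-zero identifier as "no identifier".
    func currentIDFA() -> UUID? {
        let idfa = ASIdentifierManager.shared().advertisingIdentifier
        return idfa == zeroIDFA ? nil : idfa
    }

    guard #available(iOS 14, *) else {
        completion(currentIDFA())
        return
    }

    switch ATTrackingManager.trackingAuthorizationStatus {
    case .authorized:
        completion(currentIDFA())
    case .notDetermined:
        // Shows the system prompt; its text comes from
        // NSUserTrackingUsageDescription in Info.plist.
        ATTrackingManager.requestTrackingAuthorization { status in
            DispatchQueue.main.async {
                completion(status == .authorized ? currentIDFA() : nil)
            }
        }
    case .denied, .restricted:
        completion(nil)
    @unknown default:
        completion(nil)
    }
}
```

An app that never calls into `ATTrackingManager` or reads the advertising identifier has no use for the `NSUserTrackingUsageDescription` key.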

App rejected because asking user registration (Guideline 5.1.1)

My app is a catalog of ebook-like content. Some of it is free to read, and some is paid. I need to ask for the user's email / password to be able to retain the information about which content was successfully completed, or up to which chapter it was completed, so the user can have this information synced across all platforms.
However I got this rejection message :
Apps cannot require user registration prior to allowing access to app
content and features that are not associated specifically to the user.
Next Steps
User registration that requires the sharing of personal information
must be optional or tied to account-specific functionality.
To resolve this issue, please make it clear to the user that
registering will enable them to access the content from any of their
iOS devices and provide them a way to register at any time, if they
wish to later extend access to additional iOS devices.
Please note that although guideline 3.1.2 of the App Store Review
Guidelines requires an app to make subscription content available to
all the iOS devices owned by a single user, it is not appropriate to
force user registration to meet this requirement; such user
registration must be made optional.
Please resolve 5.1.1 issue and resubmit your revised binary to iTunes
Connect.
I am very surprised as I know apps such as Feedly which do not allow you to subscribe to RSS feed unless you create an account.
How should I get this problem solved?
I have faced a similar rejection. As per the guidelines, an app is not supposed to force registration. So I ended up adding a skip button on the registration page. You need to add some content that users can view without registration. For example, a user can preview a FREE book (maybe the first page only) but can't read the full book without registration.
You can keep asking user for registration later when user is browsing the content.
There are some apps with forced registration that are available in the App Store, like WhatsApp. But you need very strong arguments to convince the Apple review team to consider it, and it's only possible if your app really can't work without registration. In your case I don't think that's true.
For registration and login, your app must serve content/data per user, e.g. specific user settings, profile, followed topics, etc. If your app does such things, then Apple won't have any problems with your login or registration.
This is because some apps have registration just to collect the email addresses of users.
If I add a "Guide" screen, will this issue be resolved or not?

How to identify iOS device across multiple apps?

As you have understood from the question's title, I would like to know, how to identify iOS device across multiple apps. Advertising identifier and identifier for vendor is not an option for me, as apps may not have AdSupport framework included, and they may not have similar vendors. MAC address of the device is also deprecated. Any working solution on this? Thanks in advance!
This functionality is explicitly disallowed by Apple. Any workaround you come up with will violate Apple's stated goal of preventing it (so you would obviously risk appstore rejection even if it "works"). You are not allowed to track devices. You are only allowed to track the vendor ID and advertising ID. Apple has steadily removed every other tool because those are the ones they intend you to use (and their limitations are intentional).
What you are allowed to do is track users by issuing them login credentials and having them log into your server. This usually works fine if the user actually wants the functionality you're providing by tracking them (for example, users don't mind logging into Facebook or Twitter). If you are tracking users or devices to achieve a goal the users don't actually want (such as targeted advertising that the user can't control, or attempts at digital rights management tied to devices), you're unlikely to find a supported or permitted solution.

How to approach auto login across multiple ios apps?

I am implementing the feature of automatically logging in the user in an iOS app. This is easy for a single app as we can persist the username with NSUserDefaults while the password using System Keychain.
Now, I want to do it across multiple apps. In my understanding, we'd need a unique device identifier for this, which we can pass to the server and then use it to activate auto login across multiple apps on the same device. Now since, Apple prohibits the use of UDID now, I am thinking of using the Vendor Identifier which would of course require me to set the Bundle IDs accordingly. Is this the best way possible? Or is there a better standard method that is more effective?
Also, Is it at all possible to have auto login between different devices? Like for e.g. If I login on one iOS device and then open the app in another, I should automatically sign in.
To implement login between multiple iOS apps you can use the same App ID prefix in them. It will work because they will share keychain data. Here you can find more details:
https://developer.apple.com/library/ios/technotes/tn2311/_index.html
And here the related question: Keychain group access to share data between my existing applications
And about automatic sign in between different devices: I used encrypted iCloud Key Value storage to store login & password between devices. It worked, but not too well. The problem is that the first time you start the app on a new device, it takes some time to sync data from iCloud to local storage. This means that the first time you try to sign in, you may need to wait for some undefined time. In my case it was about 20 seconds. Too long for sign in in a good application :) And of course this requires the user to be logged in to iCloud with the same Apple ID.
AFAIK there is no proper way to implement automatic sign in from multiple devices. And Apple recommends just asking for sign in on every new device of the user.
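The shared-keychain approach from the answer above, as an added Swift example that is not part of the original posts. It assumes both apps list the same keychain access group in their entitlements; the group, service and account names are hypothetical placeholders, and it stores a server-issued session token rather than the password, which is also an assumption of this example.

```swift
import Foundation
import Security

// Hypothetical placeholders: use your own App ID prefix and the group
// declared under Keychain Sharing in every participating app.
let sharedAccessGroup = "TEAMID1234.com.example.shared"
let tokenService = "com.example.session"
let tokenAccount = "current-user"

// Attributes that identify the one shared item.
private func baseQuery() -> [String: Any] {
    return [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: tokenService,
        kSecAttrAccount as String: tokenAccount,
        kSecAttrAccessGroup as String: sharedAccessGroup,
    ]
}

/// Stores the token where every app in the access group can read it.
func saveSharedToken(_ token: String) -> OSStatus {
    // Delete any previous item so SecItemAdd does not return errSecDuplicateItem.
    SecItemDelete(baseQuery() as CFDictionary)

    var attributes = baseQuery()
    attributes[kSecValueData as String] = Data(token.utf8)
    // Readable after first unlock; the item stays on this device only.
    attributes[kSecAttrAccessible as String] =
        kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
    return SecItemAdd(attributes as CFDictionary, nil)
}

/// Returns the token written by this app or by a sibling app, if any.
func loadSharedToken() -> String? {
    var query = baseQuery()
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne

    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let data = result as? Data else { return nil }
    return String(data: data, encoding: .utf8)
}

/// Call on sign-out so sibling apps stop auto-logging in as well.
func clearSharedToken() {
    SecItemDelete(baseQuery() as CFDictionary)
}
```

Because the item is shared, a sign-out in one app should call `clearSharedToken()` and the server should revoke the token, otherwise the other apps keep a valid session.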

Access iOS contact list without permission or asking - Privacy matters

I do know how to ask permission for contact's list accessing, is a very simple implementation, also I know Apple checks all this in case of going live to the App Store.
I'm about to receive an AdHoc bundle to a third party client, very very picky with privacy issues, and I want to be certain that you cannot in any possible way in iOS7 access the address book without previous and clear authorisation, nor store some file locally or send it through a web service.
If there's other sensitive information that a programmer can access without the operating system firewall, please let me know as well.
I read some subroutines can go through...
QUESTION: Can a developer access the address book or personal information, directly or indirectly using a third party API or subroutine to reach the personal data, without explicit permission? Is an AdHoc bundle as secure as an AppStore reviewed App in that case?
Please do not punish me with negative feedback if you are not interested in privacy issues or think was that obvious, actually Apple's documentation is not clear and is focused on AppStore, mostly.
Thanks!
This answer came up in every search I did trying to find CNContactPickerViewController, so I figured I should respond for posterity.
In iOS 9 and later you can call CNContactPickerViewController to present a system controlled contact picker that doesn't require permission to access the user's contacts. You can't hoover up all their contacts, which is what the original question implied (and is super creepy), but at least you can prompt the user to select a contact (or multiple contacts), which is sufficient for many legitimate use-cases.
Docs
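The picker flow described in the answer above, as an added Swift example that is not part of the original post. The class name `InviteViewController` and the `onEmailPicked` callback are hypothetical. The app receives only the single property the user taps and never requests Contacts authorization.

```swift
import UIKit
import Contacts
import ContactsUI

final class InviteViewController: UIViewController, CNContactPickerDelegate {

    /// Hypothetical callback: receives the one e-mail address the user chose.
    var onEmailPicked: ((String) -> Void)?

    func presentEmailPicker() {
        let picker = CNContactPickerViewController()
        picker.delegate = self
        // Show only e-mail addresses on the contact card.
        picker.displayedPropertyKeys = [CNContactEmailAddressesKey]
        // Disable contacts that have no e-mail address at all.
        picker.predicateForEnablingContact =
            NSPredicate(format: "emailAddresses.@count > 0")
        present(picker, animated: true)
    }

    // Implementing only the property variant makes the picker open the
    // contact card and return the single property the user taps.
    func contactPicker(_ picker: CNContactPickerViewController,
                       didSelect contactProperty: CNContactProperty) {
        guard contactProperty.key == CNContactEmailAddressesKey,
              let email = contactProperty.value as? String else { return }
        onEmailPicked?(email)

        // Useful during a privacy review: the app's own Contacts
        // authorization is unchanged by using the picker.
        let status = CNContactStore.authorizationStatus(for: .contacts)
        assert(status != .authorized || Bundle.main.object(
            forInfoDictionaryKey: "NSContactsUsageDescription") != nil)
    }

    func contactPickerDidCancel(_ picker: CNContactPickerViewController) {
        // Nothing was shared with the app.
    }
}
```

For a privacy-sensitive client, an app built this way can omit `NSContactsUsageDescription` from Info.plist entirely, which makes the absence of address book access easy to verify.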
The Address Book cannot be accessed without permission. No third-party API can get in, because internally, these APIs need to go through the same permission checks as you need to. No app can get into a user's address book without the user's permission.
This is because of a security issue that Path, and some other apps, uploaded its users' address books to their own servers to use for whatever reason. To read more about it, look here
After this surfaced, Apple required the user's permission to access the user's contacts. Apple's iOS platform is possibly the most secure operating system today, and there are few security holes that exist in their APIs (minus the goto fail; mess-up).
App Store reviewed apps are more secure for the user than Ad-Hoc apps. The developers at Apple make sure that you do not do anything malicious with the user's contacts. In Ad-Hoc apps, there is no checkup. So, if you wanted to do anything dirty with their contacts in an Ad-Hoc app, you technically could (if the user gives you permission at all). You do not need to state what you will be doing with the permission, and so you are able to take advantage of the user's trust in you.
If you want the company to trust the app, suggest that they look it over with their own reviewers. If they don't think you are doing anything fishy, you are good.
