App Store Review Approval - Two Factor Authentication [closed] - ios

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 1 year ago.
For security and privacy reasons of our app, we enforce two-factor authentication. After the user logs in for the first time, we ask them to set up two-factor authentication. The app shows them a QR code which can be scanned with any free/paid authenticator app (e.g. Google Authenticator).
Do you think this could cause trouble in getting the app reviewed/approved in the App Store Review process?

Replying a little bit late as the solution we actively use doesn't appear to be listed.
We have had similar issues with this topic (although our Multi-Factor Authentication System was SMS based).
As we didn't want to bypass our production security mechanisms or re-develop a demonstration mode, we have used a platform that allows assigning temporary virtual phone numbers to users in our apps. The platform is called GetMyMFA.io and it allows us to get our app reviewed and approved within 24 hours.
To use it we simply created a user in our production application with a virtual phone number attached which we can enable and disable in real time for the App Store review process. That way Apple simply needs to log in to the platform (with a specific and private username/password) and the SMS MFA login code is displayed in the website.
The objectives of building this platform have been:
Avoid spending time in a security "bypass" (and all the security issues that often come with it)
Avoid building a "demonstration" mode exclusively for Apple
Avoid using public websites with public phone numbers accessible to anyone.
Our App gets approved within 24h with this system and the user can be easily and safely disabled.

iOS / Xcode - Picking files from Dropbox and transferring to a Public Server [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 5 years ago.
I need to develop an app in which the user can pick files from their Dropbox account and initiate a transfer to a public / crowd-sourced server.
This is not a migration of cloud storage, but manually selecting files and transferring them to a server. I have seen apps which help in migration of cloud storage through an automated script. As this is not a migration, the user may not understand what he is actually doing, or the implications of it.
My question is:
Will Apple reject the app when uploaded to the App Store for such an operation?
Will this be violating User privacy, as the user might unintentionally transfer sensitive information to a public cloud / server?
Diagrammatic representation of the operation:
As per Apple's guidelines
17.1 Apps cannot transmit data about a user without obtaining the user's prior permission and providing the user with access to information about how and where the data will be used
So basically, to answer your question
You should provide a proper message to the user about what exactly your app intends to do. Let's say in the form of a cancellable alert.
Without this Apple will surely reject your app.
Secondly, this should not be a necessary condition for your app to work. Meaning that your app should work even if the user declines to share his images and stuff from Dropbox.
Prior to sharing / uploading, the user should get a view of what is being shared. Without this the application will be rejected. (This is applicable even in the simple Facebook share.)
You can always have a quick look at Apple's privacy policies here

Free subscription after app purchase in iOS [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 8 years ago.
I am developing the monetization model for my iOS app and need some help on related technical questions.
Current application workflow is the following: users do some actions which require heavy use of the cloud resources (for which I am paying). These resources are quite expensive so I don't want my users to load them for free. I can imagine two possible options in such situation:
The app in AppStore is free and provides very limited functionality, users must buy in-app (auto-renewable subscription in fact) to get access to cloud resources.
The app is not free and when users buy the application they get a free subscription for the first e.g. 30 days; after that they must pay monthly.
I know how to implement the 1st solution, but there are problems with the second one.
How do I know that the user JUST bought my application (not re-installed it)? Is there a way to do this?
One approach to your 2nd option could be for the app to register the current device with your service upon first launch. If (and when) that device had been registered previously, deny access to cloud functionality. UIDevice's identifierForVendor will be sufficient for the task.
This would still allow the user to use the free month a second time on another device he owns though, or if he switches to a new device.
As an alternative, you could require the user to set up an account with your service, but of course there would be no way to prevent a user from creating multiple accounts.
A combination of both approaches may be able to reduce misuse, but it is unlikely you'd be able to completely suppress such attempts.
If you need to rule misuse out as far as possible, you probably need to stick to your first approach. For your second option you might want to try to factor potential losses from fake accounts / secondary devices into your pricing scheme.
The bottom line answer to your question however is: You can't know for certain if a user has reinstalled your app on a device other than the one he first installed your app on.
Edit:
Turns out I missed the fact that the value returned by identifierForVendor won't persist. Unfortunately, that means you'll either need to stick to your first approach or rely on an account system to which the user needs to register. On second thought that may be the better approach; depending on the kind of content the user will be able to store in the cloud, the user might be reluctant to use several accounts anyway since the data in the cloud is tied to the account. Thus, multiple accounts may actually be a non-issue (just like it is impractical to keep multiple Dropbox accounts).
So the answer to your question is actually: You can't tell if the user is re-installing your app.

Do I really need a B2B - Developer is himself the Customer for iOS app [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 8 years ago.
I need to develop an application for a client who later wishes to install this app, customize the iPad wallpaper and some other stuff to suit his business needs, and send it to his customers.
The tricky part is I can not suggest that he distribute this application via Ad Hoc distribution (using the normal 100-device limitation account) as he says Apple itself is one of their potential customers.
Enterprise Distribution isn't an option for the reason that his company is not entitled to this developer program.
Now my question is: if I go for the B2B distribution model, the end users are essentially not the ones who will download the application; rather my client himself will do that and give them the preinstalled application on an iPad.
What options do I have here? Any help or suggestion will be appreciated. I have already gone through the various Volume Purchase Program documentation but I could not figure out if B2B distribution exactly matches my requirement or not.
So, let's see if I'm understanding this:
You are making an app for someone else. We'll call you the 'developer'.
Your customer is paying you to build that app. We'll call them the 'publisher'.
The publisher will not be selling to the public, they will instead be installing the app on devices, configuring them and then selling the entire solution (i.e. device and pre-installed app) to their customers (we'll call them 'end users').
Yes? And since one of the publisher's potential end users is Apple, you have a heightened sense of compliance with the rules (which you should be doing anyway).
So in this case, the publisher distributes the app via the B2B model and makes themselves the party it is allowed to be sold to, restricting the availability to those devices. This will require the publisher to create an Apple ID to manage their VPP participation.
Now, that's assuming the end users aren't going to be using these iPads for other functions. If they are, then you'd need to allow those users direct access and perhaps re-figure the business model a bit. That would also allow the end-users to re-install the app if they needed to, etc...
This PDF describes the process in more detail: http://images.apple.com/business/docs/vpp_business_guide_en_20130413.pdf

Where to ask for beta testers (US) for a mobile banking app? [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 9 years ago.
I work for a company that creates a mobile banking application for iOS. We are now looking for beta testers in the US with Bank of America accounts or AMEX credit cards; we are aware that this is a sensitive subject. Our company's core belief is that sensitive data belongs on the user's device in an encrypted fashion only, and must only be used between the user's device and the bank. Thus we strongly disagree with the idea of using a proxy server as a broker between the user's device and the bank. We are now looking for beta testers for our app. This brings me to this question: where should we ask for beta testers for our mobile banking app?
I was in a similar situation some months ago. The solution was: the bank's own employees tested the app. We had some testing accounts, from the bank as well, so we could test ourselves (us devs, plus a tester). Only three accounts were allowed for testing. In these sensitive environments, I would stick with people that are part of the project and can in fact work in real conditions (project manager, product owners, or the project's stakeholders, from the bank side).
If possible, mock the API first and test against mocked API first, not with real data.
If possible, get a copy of the production environment and test on it before testing on production.
Make sure you have somebody testing the application for security. If very sensitive data is stored on the device, make sure nobody can get the information from a stolen device (jailbreak attack, data is encrypted, encryption keys/passwords not floating in memory, etc.), man-in-the-middle attacks between the app and the server, no sensitive data in logs, etc.
Beta testers, by definition, should be real users. You can pick them anywhere. However, make sure you have done everything you could before giving the application to them. Especially, make sure the users can't see/modify the data of other users. Make sure you, as the developer company, can't see their data. Make sure you can block their access to the app at any time.

App rejected because of forcing registration - ebook store [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 10 years ago.
I developed an app for a company which sells professional e-books via their website. In order to keep the content in sync with the web data, the app enforces login/registration and without that doesn't provide any functionality.
This is the reason why it has been rejected under Review Guideline 17.2: Apps that require users to share personal information, such as email address and date of birth, in order to function will be rejected.
My question is: is there a way to convince Apple to accept the app?
It is directed at very specific professionals.
In the future the company wants to add the possibility to sync books available on their website.
Also the books bought by in-app purchase would be available on their website for the user account.
Aren't those enough reasons for Apple to accept this app? My client strongly wants to have an account-based app; the whole system was designed for that.
There is a possibility to track the user by UDID but still it is not a good solution because it is deprecated and Apple rejects apps using the UDID for tracking reasons.
Does anyone have a similar situation recently?
You say:
"the app enforces login/registration and without that doesn't provide any functionality."
Apple says:
"Apps that require users to share personal information in order to function will be rejected"
So the answer is kinda obvious.
The app should provide (at least) some basic functionality without sharing personal data.
Maybe some book previews? 1 or 2 free books? App info? Why not Apple's bookstore? Does the website (before seeing anything) force you to sign up too? Otherwise just make a web app.
