Handling authentication for multiple apps under the same account - iOS

Working for a company where we are starting to have many small apps, each with their own login screen.
So that means whenever someone's password changes, they'll have to re-enter their password for every app.
This can be cumbersome to the user, especially when our policy is to have users' passwords change every 3 months and there are 6 or more apps to enter the password on.
Has anyone come up with a workaround for this problem where the user would only have to enter their password once? I'm thinking I could have one dedicated app solely for authenticating and then do some kind of interprocess communication, if that's even possible.
Again, I'm doing this for iOS. I know on Android it wouldn't be an issue because developers can add accounts in the settings screen. However, iOS is a different beast.
*Note: these are enterprise, in-house only apps, not public-facing on the App Store.

You need to store the username/password in the keychain and share them between apps, as mentioned here:
https://developer.apple.com/documentation/security/keychain_services/keychain_items/sharing_access_to_keychain_items_among_a_collection_of_apps

Related

How can I distribute an iOS app to 50k users by invitation only?

I have a client who wants to deliver the app to 50k specific users at the start. Then he wants to go public with the app after some time. However, this could not be seen by users as beta testing, since it's just an "exclusive" earlier possibility to access the app, not tests.
We know these users since they are part of another service's user group. We will probably create accounts for them and distribute login/one-time passwords by invitation, or give them the possibility to log in with credentials from the other service.
I've been searching for a solution (e.g. https://www.knowband.com/blog/mobile-app/share-ios-app-without-publishing-on-apple-app-store/) but still, I'm not sure which way to go. We're still in the middle of development, so we can provide a possible solution and even make changes in the onboarding/login process. But we have to have a decision on this matter.
From possible solutions:
1. App Store - we would not give the possibility to register in the app, and just people with credentials could log in. But is it even possible with an iOS app and not be rejected by Apple? I know that many apps don't have registration within the app (e.g. banking apps) - how do they do that? They just say that registration is available only on some website/in person at the bank, and you receive credentials to your account somewhere else?
2. Enterprise distribution - this is probably not possible, since users won't be employees of my client. These are regular people.
3. VPP - I've heard about it recently and never tried it, but isn't it just a "simpler" Enterprise solution, and shouldn't users also be employees of my client? Can VPP apps be changed to regular App Store apps afterwards?
I think right now option 1 seems the most feasible one, since the app will be distributed to all the users after some time (we will add registration then). Any ideas on the matter? How can we not be rejected using solution 1 during a review?
Solution 1 is possible: you provide Apple with certs in App Store Connect when you submit to the store, specifically the field 'Sign-in required'.
I would do that; it's got very little time overhead compared to the other two.

Submit app to App Store with password protection

I recently updated an app for a client and it's now ready for submission to the App Store. But after a talk with my client, they told me that the previous version (not developed or submitted by me) had a kind of "password protection" on the App Store. They explained it as: anyone could find the app on the App Store, but when you click "download" the user would need to enter a password (not the Apple ID password, more of a predefined password specifically for this app) to continue the download process.
I am used to submitting apps to the App Store, both paid and free, but I have never done this and honestly don't know how. My closest guess is that we need to upgrade the plan to an enterprise account, but from my understanding (and please correct me if I'm wrong) this will remove the app from the App Store search and only allow download from a link or file?
What way would you guys recommend?
Thanks in advance!
There's no recommendation.
What you think and whatever is running in your mind is completely correct. There's no way to set custom download passwords. The only way to download using the App Store is to use the Apple ID.
Point your client to the Apple guidelines and documentation. Hopefully they will understand.
Very nice concern from a security point of view, but unfortunately Apple has not provided any such feature yet...
An alternate solution to your query:
You can't block a user from downloading your app, but you can block a user from using your app with the help of an AppLock feature (one-time password authentication when the user uses your app for the first time).
Set a passcode/pattern-protected lock screen as the first/main screen of your application (immediately after the splash screen), and only users to whom you've shared the passcode can unlock your app. (Note: integrate passcode verification using a web service/server, so you can reset the passcode any time from the server.)
I hope this may be helpful to you...
Update
Here is one more option, if you want to allow/restrict your app usage for a specific region/country (listed on the Store):
Distribute iOS app for specific region/territory

App rejection for User registration

I recently submitted a multiplayer trivia app to the App Store. There are 2 versions of the app, but they are essentially the same thing, just for different trivia.
One app was accepted but the other rejected.
Here is the rejection reason:
17.2 Details
We noticed that your app requires users to register to access non account-based features. Apps cannot require user registration prior to allowing access to app content and features that are not associated specifically to the user.
My app has followed a process that is similar to other major apps like Trivia Crack and Words with Friends.
The user gets a screen to sign in with Facebook or sign in with email. When they click on sign in with email, it brings them to a screen where they enter their email. We then create an account for them in the app.
This is required so that we can keep track of the user in each of the games they are playing and who they are playing against. We also keep stats for that user based on how many questions they get wrong and how many right, and also how many wins. We are storing all of this on our web server so that the user can also use his account on a different device, so that they can play their games on their iPhone, iPad, iPod and so on.
We ask for nothing other than email, and if we don't have them register then we can't maintain all this information for them, especially if moving from device to device. Again, this is how almost ALL other larger multiplayer apps in the store do it. I mimicked them exactly.
I don't get it. Plus, one reviewer accepted one of the apps and another rejected the other app.
Should I appeal?
Yes, you can appeal.
You can explain your position to the reviewer; we had a similar problem, and after we created an appeal the application was published.

How to implement user suspend feature in iOS

In an iOS application, when I detect a user's improper action (for example posting violent content), I want to suspend the user from using my application. The basic idea to implement this feature is to create and save a unique id for each application install and suspend the usage from the server APIs.
My question is, how can I implement this feature even if the user re-installs the application, and still pass Apple's iTunes submission?
I came up with two ways to technically implement this feature, but I'm wondering how Apple would respond:
1. Store the IDFA (I understand that users can reset the id on their own behalf)
2. Store an app-generated UDID in the Keychain (which should not be deleted even if the user deletes the app)
I know there are no perfect answers, but I would appreciate discussing this issue with anyone that has tried submitting a similar application, or anyone that is well aware of Apple's guidelines. Thank you.
Apple will reject apps that inappropriately use the IDFA.
If your app does not use server login (at which point, whatever flags you require could be delivered to the client), keychain storage would be the only real solution.
However, if you don't use server login, you block the device, not the user. Is this your intent?
BTW, without server login, a determined user can still get around keychain storage: Reset keychain on the device
You can block a given account. Most people these days key an account with an email address. Some require a credit card (Facebook fully validates accounts using credit card numbers), others require a bank account (PayPal has to send money somewhere!), and it is growing in popularity to request a phone number (Twitter is getting there). In the end, to really be effective, you have to block something that is difficult to produce.
With email, your users can always create a new account. Check out mailinator.com. Alternatively, all you need is one domain to have as many email addresses as you want -- I use five different email accounts daily, and I use about two dozen more on a monthly basis.
Installation ids are OK, but users can always just uninstall/reinstall. And if you do manage to get a device-identifying number (easy to do really, even in the post-UDID era) so that you can block a given device, your users can just get a new device, or hack your app to use some random value, or spoof your API with cURL. I own three iPhones, two iPads, two Samsung tabs, three other Android phones, two MacBook Pros, a mini, two PCs, and I run three virtual Linux boxes and one virtual XP box. And what happens when somebody sells a blocked device to a non-abusive user?
So just block the user's account, keep excellent log files, and keep fighting the good fight.

How to approach auto login across multiple ios apps?

I am implementing the feature of automatically logging in the user in an iOS app. This is easy for a single app, as we can persist the username with NSUserDefaults and the password using the system Keychain.
Now, I want to do it across multiple apps. In my understanding, we'd need a unique device identifier for this, which we can pass to the server and then use to activate auto login across multiple apps on the same device. Now, since Apple prohibits the use of the UDID, I am thinking of using the Vendor Identifier, which would of course require me to set the Bundle IDs accordingly. Is this the best way possible? Or is there a better standard method that is more effective?
Also, is it at all possible to have auto login between different devices? For example, if I log in on one iOS device and then open the app on another, I should automatically be signed in.
To implement login between multiple iOS apps you can use the same App ID prefix in them. It will work because they will share keychain data. Here you can find more details:
https://developer.apple.com/library/ios/technotes/tn2311/_index.html
And here is the related question: Keychain group access to share data between my existing applications
And about automatic sign-in between different devices: I used encrypted iCloud Key-Value storage to store the login & password between devices. It worked, but not too well. The problem is that the first time you start the app on a new device, it will take some time to sync data from iCloud to local storage. This means that the first time you try to sign in, you may need to wait for some undefined time. In my case it was about 20 seconds. Too long for sign-in in a good application :) And of course this requires the user to be logged in to iCloud with the same Apple ID.
AFAIK there is no proper way to implement automatic sign-in across multiple devices. And Apple recommends just asking for sign-in on every new device of the user.
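The shared-keychain approach recommended in the accepted answer to the original question and in this answer, as an added example that is not code from either poster: every app that should see the credential lists the same access group under its Keychain Sharing capability, and the group name, service name and team ID prefix below are assumed placeholders.

```swift
import Foundation
import Security

// Assumed access group: each app declares this under the keychain-access-groups
// entitlement; at runtime the string is "<TeamID>." followed by the group name.
let sharedAccessGroup = "ABCDE12345.com.example.sharedauth"   // placeholder TeamID
let sharedService = "com.example.sso"                          // assumed service name

enum KeychainError: Error {
    case itemNotFound
    case missingEntitlement          // errSecMissingEntitlement: group not in this app's entitlements
    case unexpected(OSStatus)
}

private func baseQuery(for username: String) -> [String: Any] {
    return [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: sharedService,
        kSecAttrAccount as String: username,
        kSecAttrAccessGroup as String: sharedAccessGroup
    ]
}

/// Store (or overwrite) the password so every app in the group sees the new value
/// after a rotation. ThisDeviceOnly keeps the item out of backups and iCloud Keychain.
func saveSharedPassword(_ password: String, for username: String) throws {
    SecItemDelete(baseQuery(for: username) as CFDictionary)   // drop the stale copy, if any
    var addQuery = baseQuery(for: username)
    addQuery[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    addQuery[kSecValueData as String] = Data(password.utf8)
    let status = SecItemAdd(addQuery as CFDictionary, nil)
    switch status {
    case errSecSuccess: return
    case errSecMissingEntitlement: throw KeychainError.missingEntitlement
    default: throw KeychainError.unexpected(status)
    }
}

/// Read the password written by any sibling app in the same access group.
func loadSharedPassword(for username: String) throws -> String {
    var query = baseQuery(for: username)
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status != errSecItemNotFound else { throw KeychainError.itemNotFound }
    guard status == errSecSuccess, let data = item as? Data,
          let password = String(data: data, encoding: .utf8) else {
        throw KeychainError.unexpected(status)
    }
    return password
}
```

The ThisDeviceOnly accessibility class deliberately prevents the item from syncing, so this covers the multi-app case on one device, not the multi-device case discussed at the end of the answer.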